I’m fairly new to OAuth and have a site that logs in to pull fantasy football leagues from Yahoo. It works for some users, but for some reason some users get a 401. From the documentation, I haven’t seen anything obvious for why my auth fails sometimes but not all the time. I assume I need to give my application some extra permission, but I don’t know what permission some accounts have that would cause this issue.
This is the error response some users receive.
“You do not have the appropriate OAuth scope permissions to perform this action.”
Here are my application privileges.
Here’s my endpoint code that handles the OAuth request.
```javascript
import { OAuth2 } from 'oauth'; // node-oauth; provides the OAuth2 class used below (assumed import)

// Client credentials and redirect URL are assumed to come from the environment
const { YAHOO_CLIENT_ID, YAHOO_CLIENT_SECRET, OAUTH_REDIRECT_URL } = process.env;

export const HandleYahooAuth2 = (code) =>
  new Promise((resolve, reject) => {
    const oauth2Client = new OAuth2(
      YAHOO_CLIENT_ID,
      YAHOO_CLIENT_SECRET,
      'https://api.login.yahoo.com/',
      'oauth2/auth',
      'oauth2/get_token'
    );
    // Exchange authorization code for access token
    oauth2Client.getOAuthAccessToken(
      code,
      {
        grant_type: 'authorization_code',
        redirect_uri: OAUTH_REDIRECT_URL,
        scope: 'openid fspt-w'
      },
      async (error, accessToken, refreshToken, results) => {
        if (error) {
          console.error('Error getting access token:', error.data);
          reject(error);
          return;
        }
        console.log(accessToken); // note: this writes a bearer token to the logs
        try {
          // MakeYahooRequest and GetYahooLeagueSettings are the app's own helpers
          const resJSON = await MakeYahooRequest('users;use_login=1/games/teams', accessToken, refreshToken);
          const userArr = resJSON?.root?.fantasy_content?.users;
          const user = Array.isArray(userArr?.user) ? userArr.user[0] : userArr?.user;
          const leagues = [];
          // Yahoo returns a single object or an array depending on the count; normalise to an array
          const yahooLeagues = Array.isArray(user?.games?.game) ? user.games.game : [user?.games?.game];
          for (const league of yahooLeagues) {
            if (league?.code === 'nfl') {
              const teams = Array.isArray(league?.teams?.team) ? league.teams.team : [league?.teams?.team];
              const leagueId = teams[0]?.team_key.split('.t')[0];
              const leagueSettings = await GetYahooLeagueSettings(leagueId, accessToken, refreshToken);
              leagues.push(leagueSettings);
            }
          }
          console.log(leagues);
          resolve({ leagues, accessToken, refreshToken });
        } catch (error) {
          console.error('Error after getting token', error.data);
          reject(error);
        }
      }
    );
  });
```
I tried hardcoding scope, and other types of application types with OPENID permissions as well.
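An added example, not from the question or from Yahoo's documentation: scope is bound to the grant at the authorization step, so the helpers below put the scope on the authorize URL, compare the scope the token response reports (when present) with what the app needs, and classify an API 401 so the app can tell "send the user back through consent" from "refresh the token". The authorize endpoint is the base and path from the question's OAuth2 constructor, and the scope names are the ones the question requests; both are assumptions.

```javascript
// Added example (not from the question). Plain Node.js, no external packages.
// Assumptions: the authorize endpoint is the question's base + path
// ('https://api.login.yahoo.com/' + 'oauth2/auth'); the scope names
// 'openid' and 'fspt-w' are the ones the question's token exchange requests.
const YAHOO_AUTHORIZE_URL = 'https://api.login.yahoo.com/oauth2/auth';
const REQUIRED_SCOPES = ['openid', 'fspt-w'];

// Scope is granted at the authorization step, so it must be on the URL the
// user is sent to; the token exchange cannot widen a grant the user never saw.
function buildAuthorizeUrl({ clientId, redirectUri, state, scopes = REQUIRED_SCOPES }) {
  const url = new URL(YAHOO_AUTHORIZE_URL);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('scope', scopes.join(' '));
  url.searchParams.set('state', state); // binds the callback to this session (CSRF)
  return url.toString();
}

// RFC 6749 section 5.1: the token response carries `scope` when the granted
// scope differs from what was requested. Return the required scopes not granted.
function missingScopes(required, grantedScope) {
  if (!grantedScope) return []; // absent means identical to what was requested
  const granted = new Set(grantedScope.split(/\s+/).filter(Boolean));
  return required.filter((s) => !granted.has(s));
}

// Classify a Fantasy API failure: an insufficient-scope 401 needs a fresh
// consent with the right scope; any other 401 is a token problem (refresh).
function classifyApiFailure(status, bodyText) {
  if (status >= 200 && status < 300) return 'ok';
  if (status !== 401) return 'other_error';
  const text = String(bodyText || '').toLowerCase();
  return text.includes('oauth scope') ? 'insufficient_scope' : 'unauthorized';
}
```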