Tags: asp.net-mvc, oauth, yammer

Authorizing with a Yammer app not registered in your home network


Background

Our customer wants their ASP.NET MVC application to use Yammer for authentication, and integration with comment fields on the web page. In other words, when you enter the site for the first time, you click "Sign in with Yammer", get redirected to the Yammer login, allow the app access, and there you go. For this, the customer has created an external Yammer network, so that everyone who is a part of this network has access to the site. This should also work for external consultants who are not in our customer's home network but are in our customer's external network.

The App is registered in our customer's Yammer-solution (home network), and deployed.

The problem

People from our customer's home network who are also included in the external network have access to the site. The way we do this is to first get the user's access token (for the home network), then do a look-up in the /api/v1/networks/current.json endpoint to see if he is in the correct external network, then use the /api/v1/oauth/tokens.json endpoint to get the access token for that specific external network.

This works fine for end users from inside the customer's home network. However, for external clients, this does not work all too well. It seems that when trying to authorize towards an app registered in a different home network than yours, the authorization code you get back in the OAuth dance is invalid. So you will not be getting an access token, and hence cannot get the access token for the external network.

I've looked into an endpoint used by the client-side OAuth flow which is https://www.yammer.com/dialog/oauth?client_id=[:client_id]&redirect_uri=[:redirect_uri]&response_type=token. When I fill in the App info (clientID, redirURI), I get redirected to the login-page, then I get redirected back to the redirURI, and then I have the access token in the URL. Since I'm doing all this authorization from code behind using the OAuth2Client, it seems I'm basically using the same endpoint, but with &response_type=code, to get the Authorization code, and then use that together with client ID and client secret to get the access token.

Is it possible for me to get the access token at all, from outside of the home network the App is registered in?

If anyone has anything to add to this it would be greatly appreciated. I've been stuck quite a while now.

If I left something essential out, please let me know so that I can edit it in. Thanks.
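To make the three-step flow from the question concrete (exchange the authorization code for the home-network token, check /api/v1/networks/current.json for membership in the target external network, then pick that network's token from /api/v1/oauth/tokens.json), here is an added Python example; it is not code from the question or from Yammer's SDK. The HTTP transport is injected so the logic can run offline against a constructed fake; the code-exchange endpoint URL and the JSON field names (`access_token.token`, `permalink`, `network_permalink`) are assumptions, and the `state` nonce check is added on top of what the question describes so the callback cannot be replayed across sessions. The fake also models the failure mode the question hits: a code that the home network refuses to exchange surfaces as a clear error instead of a missing token.

```python
import secrets
from urllib.parse import urlencode

# Endpoints named in the question; TOKEN_URL and the response shapes are assumptions.
AUTHORIZE_URL = "https://www.yammer.com/dialog/oauth"
TOKEN_URL = "https://www.yammer.com/oauth2/access_token.json"   # assumed server-side code exchange
NETWORKS_URL = "https://www.yammer.com/api/v1/networks/current.json"
TOKENS_URL = "https://www.yammer.com/api/v1/oauth/tokens.json"


class YammerFlowError(Exception):
    """Raised for any step that does not produce a usable token."""


def new_state():
    """CSRF nonce to store in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state):
    """Server-side flow: response_type=code, never token, so the secret stays server-side."""
    return AUTHORIZE_URL + "?" + urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
    })


def complete_sign_in(http, client_id, client_secret, callback_params, expected_state, target_network):
    """
    http(method, url, params, headers) -> (status, parsed_json) is the injected transport.
    1. Reject callbacks whose state does not match the one stored in the session.
    2. Exchange the code for the home-network access token.
    3. Require membership in target_network (a network permalink).
    4. Return the per-network token issued for target_network.
    """
    if callback_params.get("state") != expected_state:
        raise YammerFlowError("state mismatch: callback not tied to this session")
    code = callback_params.get("code")
    if not code:
        raise YammerFlowError("no authorization code in callback")

    status, body = http("GET", TOKEN_URL,
                        {"client_id": client_id, "client_secret": client_secret, "code": code}, {})
    home_token = (body or {}).get("access_token", {}).get("token") if status == 200 else None
    if not home_token:
        # This is the branch an external-network user lands in when the code is rejected.
        raise YammerFlowError("code exchange failed (status %s)" % status)
    auth = {"Authorization": "Bearer " + home_token}

    status, networks = http("GET", NETWORKS_URL, {}, auth)
    if status != 200:
        raise YammerFlowError("networks lookup failed (status %s)" % status)
    if not any(n.get("permalink") == target_network for n in networks):
        raise YammerFlowError("user is not a member of network %r" % target_network)

    status, tokens = http("GET", TOKENS_URL, {}, auth)
    if status != 200:
        raise YammerFlowError("tokens lookup failed (status %s)" % status)
    for t in tokens:
        if t.get("network_permalink") == target_network and t.get("token"):
            return t["token"]
    raise YammerFlowError("no token issued for network %r" % target_network)


def fake_yammer(method, url, params, headers):
    """Constructed stand-in for Yammer so the example runs offline; values are made up."""
    if url == TOKEN_URL:
        if params.get("code") == "valid-code" and params.get("client_secret") == "s3cret":
            return 200, {"access_token": {"token": "home-token", "network_id": 1}}
        return 400, {"error": "invalid_grant"}          # e.g. code issued by a foreign home network
    if headers.get("Authorization") != "Bearer home-token":
        return 401, {}
    if url == NETWORKS_URL:
        return 200, [{"id": 1, "permalink": "customer.com"},
                     {"id": 2, "permalink": "customer-external"}]
    if url == TOKENS_URL:
        return 200, [{"network_id": 1, "network_permalink": "customer.com", "token": "home-token"},
                     {"network_id": 2, "network_permalink": "customer-external", "token": "ext-token"}]
    return 404, {}


def run_demo():
    """Happy path against the fake: returns the external-network token."""
    state = "session-state-123"  # would come from new_state() and the session store
    callback = {"code": "valid-code", "state": state}
    return complete_sign_in(fake_yammer, "app-id", "s3cret", callback, state, "customer-external")


if __name__ == "__main__":
    print(build_authorize_url("app-id", "https://app.example/callback", new_state()))
    print(run_demo())
```

In the real application the `http` argument is a thin wrapper around your HTTP client, and the home-network token should be kept server-side only: the comment widgets get the external-network token, nothing more.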


Solution

Yammer users are identified by their organisation email address. If I'm from microsoft.com then my home network and external networks are all tied back to this domain. Users in an external network may have one of many domains, but when it comes to identity all of that is handled by the home network. In your case you have company.com and possibly a very long list of consultant1.com, consultant2.com domains. These all authenticate back against their respective home networks, and possibly use custom SAML identity providers that you shouldn't need to care about.

By default, apps are tied to their home network, which means that users from other networks can't authorize it. The normal way of globalizing an app is to publish it to the public App Directory from within the customer's app settings page. It may be possible to achieve this via a tech support case with Yammer Support at Microsoft. It will probably take some time to get this completed, though. It may be best for your customer to open the support case because it's their network which will have the app associated.