Yahoo! OpenID FAQ
My website currently implements OpenID 1.1. What changes do I need to make so that my website works with Yahoo!'s OpenID 2.0 implementation?
If you're new to OpenID, first take a look at Joseph Smarr's recipe for enabling OpenID 1.1 on your site.
- A Recipe for OpenID-Enabling Your Site (Plaxo.com)
OpenID 2.0 has several new security and usability improvements over previous versions.
Changes in OpenID 2.0 Discovery
OpenID 2.0 endpoints are published using the Yadis protocol. OpenID 2.0 Providers advertise the location of their endpoints, as well as the versions and extensions that they support using Yadis. New in OpenID 2.0 is Relying Party discovery, in which OpenID Providers are able to verify the location of a Relying Party's OpenID endpoints using Yadis.
The Yahoo! OpenID Provider verifies a Relying Party's realm and endpoints by making a Yadis request to the openid.realm to discover the realm's OpenID endpoints. If Yahoo! is unable to verify the realm and endpoints, the user is warned that they are signing into an unverified site. Yahoo! caches the Yadis document to improve performance for users who sign into popular sites.
Identifier Recycling
OpenID identifiers can be recycled over time, and OpenID 2.0 specifies that OpenID Providers append URL fragments to the end of an OpenID URL as a generation identifier. The entire OpenID URL with the fragment, if present, should be used to identify the user. For instance, the following two OpenIDs are unique and represent different users:
- http://openid.example.com/username#aa
- http://openid.example.com/username#bb
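Because the fragment is the generation identifier, a Relying Party must compare identifiers with the fragment intact; generic URL code that strips fragments before comparing will hand a recycled identifier's new owner the old account. The following is an added example (not code from this FAQ or from Yahoo!) showing the normalization that keeps the fragment next to the fragment-stripping comparison to avoid; it uses only the two identifiers listed above.

```python
from urllib.parse import urlsplit, urlunsplit, urldefrag

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_openid(identifier: str) -> str:
    """Normalize an OpenID URL identifier without discarding its fragment.

    Scheme and host are lower-cased, a default port is dropped and an empty
    path becomes "/" (ordinary URL normalization). The fragment is kept:
    in OpenID 2.0 it is the generation identifier that tells a recycled
    identifier's new owner apart from its previous one.
    """
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, parts.fragment))


def same_user(a: str, b: str) -> bool:
    """Correct comparison: two identifiers name the same user only if they
    are equal after normalization, fragment included."""
    return normalize_openid(a) == normalize_openid(b)


def same_user_fragment_stripped(a: str, b: str) -> bool:
    """The mistake to avoid: dropping fragments before comparing, as generic
    URL handling often does, conflates the two different users above."""
    return urldefrag(a).url == urldefrag(b).url


if __name__ == "__main__":
    old_owner = "http://openid.example.com/username#aa"
    new_owner = "http://openid.example.com/username#bb"
    print("same user (correct):       ", same_user(old_owner, new_owner))
    print("same user (fragment lost): ", same_user_fragment_stripped(old_owner, new_owner))
```

Store the normalized form (fragment included) as the account key; the lookup then fails safely when the identifier is recycled and re-issued with a new fragment.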
Yahoo! Security Policies
Yahoo! will only support Relying Parties running on web servers with real hostnames (IP addresses are not supported) on the standard ports (port 80 for HTTP and port 443 for HTTPS).
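A Relying Party can check its own openid.realm and openid.return_to pair before sending a request, both against the OpenID 2.0 realm-matching rules that the Provider applies during the realm verification described above and against the hostname and port policy stated here. This is an added example, not Yahoo!'s verification code; the realm-matching logic follows the OpenID 2.0 specification, and the decision to let a "*." wildcard also cover the bare domain is an assumption noted in the code.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url: str):
    """Split a URL into the pieces realm matching cares about."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port, (p.path or "/"), p.fragment


def return_to_matches_realm(realm: str, return_to: str) -> bool:
    """Decide whether return_to falls inside realm (OpenID 2.0 realm rules).

    A realm may start its host with "*." to cover subdomains. Scheme and port
    must be equal, the host must match (or sit under the wildcard domain) and
    the return_to path must be the realm path or a sub-directory of it.
    Realms may not carry a fragment.
    """
    r_scheme, r_host, r_port, r_path, r_frag = _parts(realm)
    t_scheme, t_host, t_port, t_path, _ = _parts(return_to)
    if r_frag or not r_host or not t_host:
        return False
    if (r_scheme, r_port) != (t_scheme, t_port):
        return False
    if r_host.startswith("*."):
        domain = r_host[2:]
        # Assumption: the bare domain itself is accepted under its own wildcard.
        if not domain or not (t_host == domain or t_host.endswith("." + domain)):
            return False
    elif r_host != t_host:
        return False
    prefix = r_path if r_path.endswith("/") else r_path + "/"
    return t_path == r_path or t_path.startswith(prefix)


def meets_yahoo_realm_policy(realm: str) -> bool:
    """Apply the FAQ's constraints: a real hostname (no IP literal) served on
    the standard port for its scheme (80 for HTTP, 443 for HTTPS)."""
    scheme, host, port, _, _ = _parts(realm)
    if scheme not in DEFAULT_PORTS or port != DEFAULT_PORTS[scheme]:
        return False
    bare = host[2:] if host.startswith("*.") else host
    if not bare:
        return False
    try:
        ipaddress.ip_address(bare)  # parses, so it is an IP literal, not a hostname
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample pairs for a Relying Party at rp.example.com.
    for realm, return_to in [
        ("http://*.example.com/", "http://rp.example.com/openid/return"),
        ("https://rp.example.com/app", "https://rp.example.com/application"),
        ("http://192.0.2.10/", "http://192.0.2.10/return"),
        ("http://rp.example.com:8080/", "http://rp.example.com:8080/return"),
    ]:
        print(realm, "->", return_to_matches_realm(realm, return_to), meets_yahoo_realm_policy(realm))
```

The path test is deliberately directory-aware: a realm of /app covers /app/return but not /application, which a plain string-prefix test would accept.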
Directed Identity
New in OpenID 2.0 is the concept of Directed Identity, in which a user can just specify their OpenID Provider rather than having to type in their entire OpenID URL. Users can simply type yahoo.com or flickr.com to initiate the sign-in process. To streamline this experience, we provide special buttons that Yahoo! users can click to sign in. Clicking the Yahoo! sign-in button auto-fills and submits yahoo.com on the OpenID sign-in form.
Yahoo! Sign In Buttons:
Why does Yahoo! return PAPE nist_auth_level 0? What should I do with this?
OpenID Relying Parties should note that, while the use of the Yahoo! ID and password as authentication credentials is sufficient for many use cases, it is not suitable for all of them. For example, using only the Yahoo! ID and password to allow financial transactions (e.g., a purchase with a credit card stored by the Relying Party) is not recommended. In such cases, Yahoo! recommends that the Relying Party require an additional factor of authentication before allowing the transaction to complete.
In order to enable Relying Parties to automatically detect and decide whether a Yahoo! OpenID assertion is appropriate for their use cases, we use the PAPE extension to communicate the quality of our assertion. Yahoo! OpenID assertions are marked as NIST Auth Level 0 to indicate that Yahoo! OpenIDs should not be used to authorize any transaction of value, including, but not limited to, financial transactions, or accessing sensitive information, such as social security numbers and credit card numbers.
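The two passages above describe what a Relying Party sends for Directed Identity and what it should do with the PAPE data that comes back. The following is an added example, not Yahoo!'s or any library's code: it builds the checkid_setup request with the OpenID 2.0 identifier_select value in place of a user-typed identifier, then reads the asserted NIST level out of a constructed sample response and decides whether an operation needs a second factor. The OP endpoint and the return_to/realm URLs are placeholders; the set of "high value" operations is a policy choice made for the example. The field is read under the name this FAQ uses (nist_auth_level) and under the name the final PAPE 1.0 specification uses (auth_level.nist), and only when openid.signed covers it.

```python
from urllib.parse import urlencode, urlsplit, parse_qsl

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"

# Operations this example treats as "transactions of value" (a policy choice
# for the example; adapt to your application).
HIGH_VALUE_OPERATIONS = {"purchase", "view_ssn", "change_payment_method"}


def build_directed_identity_request(op_endpoint: str, return_to: str, realm: str) -> str:
    """Build the checkid_setup redirect URL for Directed Identity.

    Instead of the user's own OpenID URL, both claimed_id and identity carry
    identifier_select, so the Provider chooses the identifier. The PAPE
    namespace is declared so the Provider reports its authentication data.
    """
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.pape": PAPE_NS,
    }
    separator = "&" if "?" in op_endpoint else "?"
    return op_endpoint + separator + urlencode(params)


def request_params(url: str) -> dict:
    """Parse the query string of a redirect URL back into a dict."""
    return dict(parse_qsl(urlsplit(url).query))


def _pape_alias(response: dict):
    """Find the alias the Provider used for the PAPE namespace (normally "pape")."""
    for key, value in response.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def nist_auth_level(response: dict):
    """Return the NIST level asserted by the Provider, or None if absent.

    The value counts only if openid.signed lists it: an unsigned extension
    field could have been added by anyone on the return path. Verifying the
    signature itself is a separate step that must precede acting on this.
    """
    alias = _pape_alias(response)
    if alias is None:
        return None
    signed = set(response.get("openid.signed", "").split(","))
    # The name this FAQ uses, then the name in the final PAPE 1.0 spec.
    for field in (f"{alias}.nist_auth_level", f"{alias}.auth_level.nist"):
        if field in signed and f"openid.{field}" in response:
            try:
                return int(response[f"openid.{field}"])
            except ValueError:
                return None
    return None


def needs_additional_factor(response: dict, operation: str) -> bool:
    """True when the assertion alone must not authorize the operation."""
    if operation not in HIGH_VALUE_OPERATIONS:
        return False  # level 0 is fine for an ordinary sign-in
    level = nist_auth_level(response)
    return level is None or level < 1


# Constructed sample of a positive assertion with NIST level 0, the PAPE
# fields being covered by the (placeholder) signature.
SAMPLE_RESPONSE = {
    "openid.ns": OPENID2_NS,
    "openid.mode": "id_res",
    "openid.claimed_id": "http://openid.example.com/username#aa",
    "openid.identity": "http://openid.example.com/username",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.nist_auth_level": "0",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.nist_auth_level",
    "openid.sig": "constructed-placeholder-not-a-real-signature",
}

# Same response, but the level is not covered by the signature: ignore it.
UNSIGNED_RESPONSE = dict(SAMPLE_RESPONSE, **{
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"})

if __name__ == "__main__":
    url = build_directed_identity_request(
        "https://op.example.com/openid",  # placeholder Provider endpoint
        "https://rp.example.com/openid/return", "https://rp.example.com/")
    print(url)
    print("asserted level:", nist_auth_level(SAMPLE_RESPONSE))
    print("purchase needs extra factor:", needs_additional_factor(SAMPLE_RESPONSE, "purchase"))
```

Level 0 is the normal case for a Yahoo! assertion, so the decision function treats it as enough to sign the user in and not enough for anything in the high-value set; an absent or unsigned level is handled the same way as level 0.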
My users don't understand the OpenID technology and I don't think they should understand it. How can I make the OpenID sign in process easier for my users?
Relying Parties can download the Yahoo! button images to help users get started with OpenID. Yahoo! will guide users who click on the button through the OpenID setup process. Download the various Yahoo! OpenID buttons.