Hi,
I'm trying to implement a way for users to log in to my site with Yahoo OpenID.
I have figured out https://open.login.yahooapis.com/openid/op/auth as the endpoint. Now I redirect the user on my page to this page and attach the following attributes:
?openid.mode=checkid_setup
&openid.ns=http://specs.openid.net/auth/2.0
&openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select
&openid.identity=http://specs.openid.net/auth/2.0/identifier_select
&openid.realm=http://mydomain
&openid.return_to=http://mydomain/somepage.php
This works so far, in that it really redirects the user to the Yahoo login page, and if he chooses to log in to the page mydomain with his Yahoo account, Yahoo redirects to the page I provided as the parameter openid.return_to.
Now comes the tricky part, however. In the next step I would like to verify the signature I got from Yahoo with a call using openid.mode=check_authentication.
openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0
&openid.mode=id_res
&openid.return_to={MYRETURNURL}
&openid.claimed_id={CLAIMEDID}
&openid.identity={IDENTITY}
&openid.assoc_handle={ASSOC_HANDLE_GENERATED_BY_YAHOO}
&openid.response_nonce=2010-02-13T16%3A27%3A51Z3xi0xeM7pJ01y5DfW_DbhpYoWS.i8fhCTg--
&openid.signed=assoc_handle%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Csigned%2Cpape.auth_level.nist
&openid.op_endpoint=https%3A%2F%2Fopen.login.yahooapis.com%2Fopenid%2Fop%2Fauth
&openid.pape.auth_level.nist=0
&openid.sig=qXIS5FIqnwLK%2FlPCKVs1JBNFBlY%3D
My problem now is that by specification ( http://openid.net/specs/openid-authenticat...e_checkid_setup or http://openid.net/specs/openid-authenticat...html#check_auth ) I have to return all the attributes for verification, but the mode changes of course. It seems, however, when looking at the attributes above that I get back from Yahoo, that the mode field is actually included in the openid.signed fields.
Can anybody help me figure out what I may be doing wrong?
Thanks a lot
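
Added example, not part of the original post: in OpenID Authentication 2.0 the check_authentication request is an exact copy of every field from the id_res response except openid.mode, which is set to check_authentication even though mode is listed in openid.signed. The Python sketch below builds that request body and parses the key:value reply; the sample query values, the function names and the `post` transport callable are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlencode

# Endpoint from the post; pinned so a forged openid.op_endpoint is rejected.
EXPECTED_ENDPOINT = "https://open.login.yahooapis.com/openid/op/auth"

# Constructed sample of the query string appended to return_to (values made up).
SAMPLE_QUERY = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=id_res"
    "&openid.return_to=http%3A%2F%2Fmydomain%2Fsomepage.php"
    "&openid.claimed_id=https%3A%2F%2Fexample.invalid%2Fuser"
    "&openid.identity=https%3A%2F%2Fexample.invalid%2Fuser"
    "&openid.assoc_handle=constructed-handle"
    "&openid.response_nonce=2010-02-13T16%3A27%3A51Zconstructed"
    "&openid.signed=assoc_handle%2Cclaimed_id%2Cidentity%2Cmode%2Cns"
    "%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Csigned"
    "&openid.op_endpoint=https%3A%2F%2Fopen.login.yahooapis.com%2Fopenid%2Fop%2Fauth"
    "&openid.sig=ab%2Bcd%2Fef%3D"
    "&unrelated=1"
)


def build_check_auth_body(query):
    """Copy every openid.* field unchanged, replacing only openid.mode."""
    fields = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
              if k.startswith("openid.")]
    params = dict(fields)
    if params.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    if params.get("openid.op_endpoint") != EXPECTED_ENDPOINT:
        raise ValueError("unexpected op_endpoint")
    body = [(k, "check_authentication" if k == "openid.mode" else v)
            for k, v in fields]
    return urlencode(body)  # percent-encodes '+', '/', '=' in openid.sig


def parse_kv(text):
    """Parse the direct response: one 'key:value' pair per line."""
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)


def verify(query, post):
    """post(url, body) -> response text; an HTTP POST supplied by the caller."""
    reply = parse_kv(post(EXPECTED_ENDPOINT, build_check_auth_body(query)))
    return reply.get("is_valid") == "true"
```

Anything other than `is_valid:true` in the reply should be treated as a failed login.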