Yahoo! OpenID: Now more powerful and easier to use

We're happy to announce support for the OpenID OAuth Hybrid Protocol, which combines OpenID authentication (sign in) with OAuth authorization (access control) in a single interface. The Hybrid Protocol makes it easy for the hundreds of millions of Yahoo! users to sign into websites with a Yahoo! account, and to enable two-way data sharing of their Profile, Contacts, and Updates, without having to register a new site-specific account or share their Yahoo! password.

Plaxo is one of the earliest adopters of OpenID, allowing their users to sign into Plaxo using a Yahoo! account with just a couple mouse clicks. Instead of requiring first-time Plaxo users to manually verify their Yahoo! email address by sending a verification email, Plaxo uses OpenID Attribute Exchange to verify Yahoo! email addresses without forcing users to wait at their mailbox for the verification email to arrive. Building on their successful experience with Yahoo! OpenID, Plaxo is experimenting with the Hybrid Protocol: A portion of new users who sign up for Plaxo with their Yahoo! account, are now enabled to sign in to Plaxo with their Yahoo! account and to authorize two-way data sharing of their Yahoo! Contacts and Updates via the Hybrid Protocol. You can read more about how this works on the Plaxo blog.

"OpenID+OAuth hybrid onboarding is the state-of-the-art for connecting users and sites across the emerging Social Web," says Joseph Smarr, CTO of Plaxo and Board Member of the OpenID Foundation. "Yahoo's massive userbase and expertise in consumer-friendly design is now being coupled with their expansive set of APIs from Y!OS, so this launch is a major milestone in making the Social Web more open and interoperable."

Another trailblazer in the OpenID space is JanRain, whose RPX service powers the login and registration flows for their customers, including Qype and MySears. Using the OpenID protocol, users can sign into RPX-enabled websites with an account that they already have. Yahoo! has been working closely with JanRain to optimize the sign in experience for users signing in via Yahoo! OpenID. Now that RPX supports the Hybrid Protocol, sites integrating with RPX can now let users sign in with their Yahoo! account and share their Yahoo! Profile. In addition, these sites can also receive massive referral traffic from the Yahoo! Network by syndicating user activities to Yahoo! Mail and Yahoo! Messenger using the Yahoo! Updates service. "We value our ongoing partnership with Yahoo! to further innovate and deliver comprehensive solutions for website operators and end users to enhance their online experience," stated Tore Steen, VP of marketing at JanRain.

By supporting the Hybrid Protocol, Yahoo! OpenID becomes more powerful. We've also taken steps to make OpenID easier and less confusing to use. The traditional OpenID "redirect" user experience has been criticized for taking a user away from the site during the login process. We've worked very closely with the OpenID community to make OpenID more user friendly, and we're happy to announce support for the Popup UI as defined in the OpenID User Interface Extension. Sites that want to preserve the context and keep the user on their site can open a small (500x500) popup window to complete the OpenID authentication flow. In order to help prevent phishing, the User Interface extension requires that the popup be displayed in an independent browser window with the address bar clearly displayed.

Yahoo! users can help protect themselves against phishing by setting up a personalized Sign-in Seal on the Yahoo! Login screen, and by always looking for their Sign-in Seal before entering their password. By using the Popup UI, sites can keep their users on their site, preserving the context while signing in, while providing protection the user from phishing.


OpenID gives users control over their data and makes it possible for sites to build a single interface that can reach virtually all potential users. Because OpenID is an interoperable open standard, sites that accept Yahoo! OpenID can reuse the same interface and code to accept identities from other OpenID Providers, including Google, AOL, and MySpace. This makes it possible for virtually anyone to sign in to an site using an account that they already have.

It's been an exciting month for Yahoo! OpenID, with recent news about our involvement in the Open Government Initiative, and now with support for Hybrid and the Popup UI. Stay tuned for more exciting news as we continue to improve our OpenID and Open Stack offerings.

P.S. If you'd like to meet the folks working on OpenID, OAuth, and the Open Stack, please join us at the Internet Identity Workshop in Mountain View, CA this November.

Allen Tom (@Allen Tom)
Architect, Yahoo! Membership