
Yahoo! please fix your OpenID auth!

Ok this is getting ridiculous!! Here I am trying to test out OpenID auth with Yahoo! and every time I make a few changes in the code I get this!!!

"This page has expired, go back to the original page and please try again"

I'm a developer and I'm trying to develop OpenID plugins for people to use so I am testing lots of sites and libraries (primarily PHP) and constantly getting this from Yahoo! is getting ...as I said ... ridiculous!

It seems to happen when I change the realm. I am working with various subdomains on a virtual hosting platform so I usually start out with the realm defaulting to the "return_to" but then after some initial testing I change the realm to use a wildcard like "*.example.com" and as soon as I do I get the dreaded error message above. Come on now Yahoo! I don't have to deal with this crap from Google. In my opinion it's a pointless "security" (if that's what it is) mechanism.

4 Replies
  • Hi Chey - sounds like this may have been a caching problem - the Yahoo OpenID screens have a 10 minute timeout. Based on your description, it sounds like your browser may have been reloading or replaying an expired auth URL.

    In the future, please post a link to a reproducible test case, and we can try to debug the issue.

    Thanks
    Allen


  • Something has changed. The few sites I was having trouble with now work. I'm wondering if Yahoo! imposes a limit on auth requests??? I'd hope not.
  • Because YH upgraded to OpenID v2.0. You can refer to this URL http://blog.facilelogin.com/2008/07/let-re...id-relying.html to fix it.
  • The problem is not with discovery but how Yahoo! handles realms. Supposedly they support wildcard realms but when I try to use one I get that warning on their login page.

    "Warning: This website does not meet Yahoo!'s requirements for website address. Do not share any personal information with this website unless you are certain that it is legitimate."

    Take a look at the realms section in the specs:
    http://openid.net/specs/openid-authenticat...2_0.html#realms

    If return_to is http://www.example.com/login
    then a realm of http://*.example.com is a match and should not produce an error
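The realm rule cited in the last reply, as an added example that is not part of the thread: a relying-party-side check of a return_to URL against a realm following OpenID Authentication 2.0 section 9.2 (same scheme and port, path equal or a sub-directory, optional leading "*." wildcard). The function names are hypothetical, matching the wildcard on a DNS label boundary and accepting the bare domain are choices made here, and nothing in it models Yahoo!'s own checks.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url):
    """Split an absolute http(s) URL into (scheme, host, port, path)."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    if scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError("not an absolute http(s) URL: %r" % url)
    # Fill in the default port so ":80" and no port compare equal.
    return scheme, u.hostname.lower(), u.port or DEFAULT_PORTS[scheme], u.path or "/"


def realm_matches(realm, return_to):
    """Return True if return_to matches realm (OpenID 2.0, section 9.2)."""
    if "#" in realm:
        return False  # a realm must not contain a fragment
    try:
        r_scheme, r_host, r_port, r_path = _parts(realm)
        u_scheme, u_host, u_port, u_path = _parts(return_to)
    except ValueError:
        return False
    # Scheme and port must be identical.
    if (r_scheme, r_port) != (u_scheme, u_port):
        return False
    if r_host.startswith("*."):
        base = r_host[2:]
        if not base or "*" in base:
            return False  # wildcard is only allowed once, at the start
        # Assumption: match on a label boundary so "evilexample.com" does
        # not satisfy "*.example.com"; the bare domain is accepted too.
        if u_host != base and not u_host.endswith("." + base):
            return False
    elif u_host != r_host:
        return False
    # Path must be equal to, or a sub-directory of, the realm's path.
    if u_path == r_path:
        return True
    prefix = r_path if r_path.endswith("/") else r_path + "/"
    return u_path.startswith(prefix)


if __name__ == "__main__":
    # Constructed sample pairs, including the one from the thread.
    for realm, rt in [("http://*.example.com", "http://www.example.com/login"),
                      ("http://*.example.com", "https://www.example.com/login"),
                      ("http://www.example.com/app", "http://www.example.com/application")]:
        print(realm, rt, realm_matches(realm, rt))
```

Running this before sending the authentication request shows whether a rejected realm is a mismatch on the relying party's side or something the provider applies on top of the specification.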
