Yahoo OpenID FAQ

My website currently implements OpenID 1.1. What changes do I need to make so that my website works with Yahoo's OpenID 2.0 implementation?

OpenID 2.0 has several new security and usability improvements over previous versions.

Changes in OpenID 2.0 Discovery

OpenID 2.0 endpoints are published using the Yadis protocol. OpenID 2.0 Providers advertise the location of their endpoints, as well as the versions and extensions that they support using Yadis. New in OpenID 2.0 is Relying Party discovery, in which OpenID Providers are able to verify the location of a Relying Party's OpenID endpoints using Yadis.

The Yahoo OpenID Provider verifies a Relying Party's realm and endpoints by making a Yadis request to the openid.realm to discover the realm's OpenID endpoints. If Yahoo is unable to verify the realm and endpoints, the user will be warned that the user is signing into an unverified site. Yahoo caches the Yadis document to improve performance for users who sign into popular sites.

Identifier Recycling

OpenID identifiers can be recycled over time, and OpenID 2.0 specifies that OpenID Providers append URL fragments to the end of an OpenID URL as a generation identifier. The entire OpenID URL with the fragment, if present, should be used to identify the user. For instance, the following two OpenIDs are unique and represent different users:

  • http://openid.example.com/username#aa
  • http://openid.example.com/username#bb

Yahoo Security Policies

Yahoo will only support Relying Parties running on webservers with real hostnames (IP addresses are not supported) running on standard ports (Port 80 for HTTP and Port 443 for HTTPS).

Identifier Select

New in OpenID 2.0 is the concept of Identifier Select, in which a user can just specify their OpenID Provider, rather than having to type in their entire OpenID URL. Users can just type in yahoo.com or flickr.com to initiate the Sign-in process. In order to optimize this experience, we provide special buttons that Yahoo users can click on to sign in. Clicking on the Yahoo Sign-in button auto-fills and submits yahoo.com on the OpenID sign-in form.

  • Yahoo Sign In Buttons:

Why does Yahoo return PAPE nist_auth_level 0? What should I do with this?

OpenID Relying Parties should note that, while the use of the Yahoo ID and password as authentication credentials is sufficient for many use cases, it is not good for all use cases. For example: using just the Yahoo ID and password to allow financial transactions (e.g., a purchase with a credit card stored by the Relying Party) is not recommended. In such cases, Yahoo recommends that an additional factor of authentication should be used by the Relying Party before allowing the transaction to be completed.

In order to enable Relying Parties to automatically detect and decide whether a Yahoo OpenID assertion is appropriate for their use cases, we use the PAPE extension to communicate the quality of our assertion. Yahoo OpenID assertions are marked as NIST Auth Level 0 to indicate that Yahoo OpenIDs should not be used to authorize any transaction of value, including, but not limited to, financial transactions, or accessing sensitive information, such as social security numbers and credit card numbers.

My users don't understand the OpenID technology and I don't think they should understand it. How can I make the OpenID sign in process easier for my users?

Relying Parties can download the Yahoo button images to help users start with the OpenID. Yahoo will guide users who click on the button through the OpenID setup process. Download the various Yahoo OpenID buttons.

Why does Yahoo display the following warning about my website? "Warning: This website has not confirmed its identity with Yahoo and might be fraudulent. Do not share any personal information with this website unless you are certain it is legitimate."

Yahoo displays the above warning for Relying Parties which fail to implement Section 13: Discovering OpenID Relying Parties of the OpenID 2.0 Protocol. Implementing Relying Party Discovery enables Yahoo to verify your site's OpenID Realm when servicing Authentication Requests from your site.

Your site must publish a discoverable XRDS document listing all the valid return_to URLs for your Realm. An excellent writeup describing how to do this can can be found here: Why Yahoo says your OpenID site's identity is not confirmed.

Please note: We recommend that your site links to its XRDS document using the X-XRDS-Location HTTP header. If your site links to its XRDS document by embedding a meta tag within the HEAD section of your realm document, errors can occur if the realm document is larger than 64KB or if the document redirects to another URL.

Does the Yahoo OpenID Provider support multiple languages?

Yes! Yahoo has a global audience, and Relying Parties can specify the language to be used on Yahoo's OpenID screens by using the experimental xopenid_lang_pref parameter in the OpenID authentication request.

  • Spanish: xopenid_lang_pref=es
  • German: xopenid_lang_pref=de
  • French: xopenid_lang_pref=fr
  • Chinese: xopenid_lang_pref=tw
  • Italian: xopenid_lang_pref=it
  • Korean: xopenid_lang_pref=kr

Yahoo is working with the OpenID Commnity to write an extension for RPs to specify the user's language preference in a standarized format.