
I implemented an OpenID Connect social login on top of OAuth2 for a few IDPs, but I fail to get Yahoo to behave the way it should.

My problem: each time I send an authentication request, Yahoo prompts the end user for consent. While this is normal at the first login, once permission is granted it should not ask the same question over and over.

On https://developer.yahoo.com/oauth2/guide/ Yahoo prompts the user in step 3, when in reality it is done in step 1. While it is logical that Yahoo prompts the user at the first call of https://api.login.yahoo.com/oauth2/request_auth, it should not prompt for the same consent on every subsequent call.

The remaining part of Yahoo OAuth2 works fine. I get everything I need, and while Yahoo is not OpenID Connect compliant, it nevertheless provides the user's unique ID with the access_token. This allows me to manage federation and saves a call to the profile API.

My question: Yahoo's documentation does not specify any "scope" when requesting the access_token. The documentation does not give any "query" attributes that would allow a seamless login when consent is already in place. But I'm probably messing up somewhere, because it should exist!!!

Question: did someone succeed in using Yahoo OAuth2 and avoid the consent prompt at each login?

My demo is visible at: http://oidconnect.breizhme.net/demo/openidconnect/home; it is written in PHP on top of Laravel 5. I would be pleased to fix this Yahoo error before pushing my code to GitHub.

Fulup

1 Answer


Short answer: if you want to use Yahoo as a source for user authentication, you'll need to talk OpenID 2.0 to it.

Long answer: I believe you're conflating SSO and Authorization. OpenID Connect is indeed an SSO protocol built on top of OAuth 2.0. OAuth 2.0 on its own is for delegation of API access.

For clients (not users) accessing its APIs (Authorization) Yahoo supports OAuth 2.0. Clients that need to access Yahoo's APIs on behalf of Yahoo's users can obtain access tokens by using the OAuth 2.0 Authorization Code grant, which implies that Yahoo's users login to consent. In addition to the access token, the client also gets a refresh token in that flow. It can use the refresh token to get a new access token when the current one expires. As you see the refresh token allows us not to bother the Yahoo user again when the client needs a new access token.

The previous paragraph shows how accessing Yahoo's APIs is done using OAuth 2.0.

Yahoo does not support OpenID Connect for Authentication (SSO) of users to 3rd-party websites, it only supports OpenID 2.0 for that purpose. So if you want to use Yahoo as an authentication/SSO provider you need to use OpenID 2.0 since Yahoo is an OpenID 2.0 provider.

What you're running into is a situation where you're trying to use the OAuth 2.0 protocol as a user authentication protocol (or: an OAuth 2.0 provider as an authentication provider). That may have serious complications; see http://oauth.net/articles/authentication/

FWIW: Yahoo is not an OpenID Connect provider (yet).

Hans Z.
  • I know that Yahoo is not 'yet' OpenID compliant, but the documentation flow they display on the developer pages should work. Even in OAuth2 you do not have to ask permission over and over again. Furthermore, Yahoo returns a user's unique ID with the authentication token; while I agree that using the access_token is not a valid option, Yahoo's 'xoauth_yahoo_guid' is a perfectly valid token for building SSO, even if it's not an OpenID Connect compliant web.json.token. – Fulup Jan 06 '15 at 09:07
  • Yes, in this particular Yahoo flow (`code` only, Yahoo's `implicit` flow is not secure) `xoauth_yahoo_guid` can be used to identify the user, but Yahoo only uses its OAuth 2.0 implementation in the strict OAuth sense. In OAuth 2.0 the refresh token obsoletes the need for repeated consent. If you don't use the refresh token or it is revoked then the Provider would explicitly ask for consent again. That makes sense for API access. You're using that mechanism as an SSO mechanism but Yahoo is still on OpenID 2.0 for that. https://developer.yahoo.com/oauth2/guide/ talks about OAuth only, not SSO. – Hans Z. Jan 06 '15 at 09:45
  • Then I will wait for Yahoo to implement OpenID Connect :) I'm not going to implement OpenID 2, which never took off and is already end of life. This being said, Yahoo is the only provider to ask for consent at each request; the other ones (Facebook, GitHub, or LinkedIn) remember user consent and do not ask a second time for it. Google & Orange are OpenID Connect compliant, which is even better. – Fulup Jan 06 '15 at 12:39
  • The other providers do use OAuth 2.0 + a proprietary extension (endpoint) for login purposes, unlike Yahoo, which is still on stock OpenID 2.0; +1 for pushing Yahoo to OpenID Connect :-) they announced it ("Yahoo announced its intent to migrate to OpenID Connect") but have not followed up yet. And for them it would be quite easy to build it out on top of their existing OAuth 2.0 stuff. – Hans Z. Jan 06 '15 at 13:31
  • Yahoo users will be punished until Yahoo updates to OpenID Connect. I published my code on GitHub: https://github.com/fulup-bzh/OidConnect It works with every other provider, and with Yahoo it's only a boring systematic extra consent. But outside of that it works. – Fulup Jan 06 '15 at 23:45
  • @HansZ. Yahoo does now support OpenID Connect; however, this behaviour has not changed. Do you have any further suggestions? https://developer.yahoo.com/oauth2/guide/openid_connect/ – chesterm8 May 22 '17 at 06:50
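An added example (not code from the thread, from the asker's project, or from Yahoo's real endpoints) that simulates the point made in the answer and in the 09:45 comment: an authorization-code client that stores the refresh token can renew API access silently, but a fresh browser login has no client session and therefore no way to pick a refresh token, so it must go back through the authorization endpoint, where whether consent is re-asked is the provider's choice. `AuthServer`, `Client` and the `remembers_consent` flag are constructed for this simulation (the flag models the difference the thread describes between Yahoo and providers such as GitHub); `xoauth_yahoo_guid` is the field name quoted in the comments. Revoking a refresh token also clears the stored consent, matching the comment that a revoked token leads to a new consent prompt.

```python
"""Mock OAuth 2.0 authorization server and client (constructed simulation).

Shows why a refresh token removes repeated consent for API access, but
does not help a fresh SSO login where the client has no session yet.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """Minimal authorization-code + refresh-token provider (hypothetical)."""
    remembers_consent: bool            # True: GitHub-like; False: Yahoo-like (per thread)
    consents: set = field(default_factory=set)           # (client_id, user_id) granted
    codes: dict = field(default_factory=dict)            # code -> (client_id, user_id)
    refresh_tokens: dict = field(default_factory=dict)   # refresh_token -> owner
    prompts: int = 0                   # number of consent screens shown

    def authorize(self, client_id, user_id):
        """Authorization endpoint: user is at the browser; returns a one-time code."""
        owner = (client_id, user_id)
        if not (self.remembers_consent and owner in self.consents):
            self.prompts += 1          # consent screen shown to the user
            self.consents.add(owner)
        code = secrets.token_urlsafe(16)
        self.codes[code] = owner
        return code

    def token(self, grant_type, client_id, **params):
        """Token endpoint: authorization_code and refresh_token grants."""
        if grant_type == "authorization_code":
            owner = self.codes.pop(params["code"], None)   # single use
        elif grant_type == "refresh_token":
            owner = self.refresh_tokens.pop(params["refresh_token"], None)  # rotated
        else:
            raise ValueError("unsupported_grant_type")
        if owner is None or owner[0] != client_id:
            raise PermissionError("invalid_grant")
        new_rt = secrets.token_urlsafe(24)
        self.refresh_tokens[new_rt] = owner
        # Stable user identifier returned next to the token, as the thread
        # says Yahoo does with xoauth_yahoo_guid.
        return {"access_token": secrets.token_urlsafe(24),
                "refresh_token": new_rt,
                "xoauth_yahoo_guid": owner[1]}

    def revoke(self, refresh_token):
        """User revokes the grant: token and remembered consent both go away."""
        owner = self.refresh_tokens.pop(refresh_token, None)
        if owner is not None:
            self.consents.discard(owner)


@dataclass
class Client:
    client_id: str
    server: AuthServer
    tokens: dict = field(default_factory=dict)   # user_id -> refresh_token (server-side store)

    def sso_login(self, user_id):
        """Fresh browser login: no client session, so the client cannot know which
        stored refresh token belongs to this visitor; it must redirect to the
        authorization endpoint and let the provider decide about consent."""
        code = self.server.authorize(self.client_id, user_id)
        resp = self.server.token("authorization_code", self.client_id, code=code)
        self.tokens[resp["xoauth_yahoo_guid"]] = resp["refresh_token"]
        return resp

    def get_access_token(self, user_id):
        """API access for an already-known user: refresh silently, and fall back
        to the interactive flow only when the refresh token is missing or revoked."""
        rt = self.tokens.get(user_id)
        if rt is not None:
            try:
                resp = self.server.token("refresh_token", self.client_id, refresh_token=rt)
                self.tokens[user_id] = resp["refresh_token"]
                return resp["access_token"]
            except PermissionError:
                pass                   # revoked: provider will ask for consent again
        return self.sso_login(user_id)["access_token"]


def consent_prompts_for(remembers_consent):
    """Login, login again, call an API, revoke, call an API; return the
    cumulative number of consent prompts after each step."""
    srv = AuthServer(remembers_consent=remembers_consent)
    cl = Client("demo-client", srv)
    seen = []
    cl.sso_login("guid-123"); seen.append(srv.prompts)          # first login
    cl.sso_login("guid-123"); seen.append(srv.prompts)          # second fresh login
    cl.get_access_token("guid-123"); seen.append(srv.prompts)   # silent refresh
    srv.revoke(cl.tokens["guid-123"])
    cl.get_access_token("guid-123"); seen.append(srv.prompts)   # must re-consent
    return seen


if __name__ == "__main__":
    print("Yahoo-like provider :", consent_prompts_for(False))
    print("GitHub-like provider:", consent_prompts_for(True))
```

With the Yahoo-like provider the second browser login prompts again even though the client holds a perfectly good refresh token, because the refresh token is never involved in a login; it only spares the prompt on the API call. Storing the refresh token server-side keyed by the provider's stable user id, as the `Client` does, is the part a relying party controls; whether a repeat login re-asks consent is not.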