
OpenID, You and Yahoo!: "Why Yahoo! OpenID doesn't think you're good enough for your users"

If you are reading this, it probably means the Yahoo! OpenID login is giving you one of the following messages:

"Warning: This website has not confirmed its identity with Yahoo! and might be fraudulent. Do not share any personal information with this website unless you are certain it is legitimate."

or

"Warning: This website does not meet Yahoo!'s requirements for website address. Do not share any personal information with this website unless you are certain that it is legitimate."

If you google this, everyone will tell you that your website has failed to meet the Relying Party (RP) discovery requirements of the OpenID 2.0 specification, specifically Section 13 ("Discovering OpenID Relying Parties").

Note: when the OpenID 2.0 spec says 'realm', it means the URL pattern (scheme, host, port and path prefix) that your return_to URL must fall under. In practice that is your web application's root URL (e.g. http://www.entitydescriber.org/), so whatever serves that root, typically your index.html, is what a Provider fetches when it does discovery on the realm.

What Yahoo! is trying to do, and failing to do, is discover your XRDS document. After it receives the authentication request, Yahoo! does an HTTP GET on your return_to URL (or on your realm) looking for the XRDS document; if that fetch does not lead to one, you get the first warning above.

AND in case you didn't know... Yahoo! also has extra requirements on top of the OpenID 2.0 specification (see the end of this page).

Two good articles with instructions on how to satisfy the OpenID 2.0 RP discovery protocol are:
Why Yahoo! says your OpenID site's identity is not confirmed

AND if you're programming with Java Servlets:
Let the rest discover your OpenID relying party

What it comes down to is this:
OpenID 2.0 (Section 13) expects you to publish an XRDS document listing your valid return_to URLs: one or more <Service> elements with a <Type> of http://specs.openid.net/auth/2.0/return_to, each containing one or more <URI> elements holding the return_to URLs.

A simple example XRDS document

When it comes to the Yahoo! OpenID Provider, it tries to find this XRDS document at the return_to URL (the return_to URL is included in the OpenID authentication request itself).

e.g. if your return_to URL is http://www.entitydescriber.org/openid, Yahoo! will GET http://www.entitydescriber.org/openid LOOKING FOR the XRDS document.

There are two ways in which the XRDS document can be given to Yahoo!:

1) Serve it directly. Set the response's Content-Type to application/xrds+xml and write the contents of the document to the response body.

2) When Yahoo! fetches the return_to URL, it FIRST looks for an 'X-XRDS-Location' response header, which tells it where the XRDS document lives, for example http://www.entitydescriber.org/ed/Yadis_xrds_doc.xrdf. This requires that the response for your return_to URL carry that header, and that the URL it points at serve the XRDS document as in 1). In Java Servlets, the header is added by calling the HttpServletResponse addHeader method.

If you go to a command prompt and run curl -i against your return_to URL, you should see something like:

$ curl -i http://www.entitydescriber.org/openid
HTTP/1.1 200 OK
Date: Thu, 06 Nov 2008 05:11:33 GMT
Server: Apache-Coyote/1.1
X-XRDS-Location: http://www.entitydescriber.org/ed/Yadis_xrds_doc.xrdf
ETag: W/"6816-1225920670000"
Last-Modified: Wed, 05 Nov 2008 21:31:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 6816

...

Special Note:
Instead of the return_to URL, some Providers go straight to the realm (e.g. http://www.entitydescriber.org/) to look for the 'X-XRDS-Location' header. So make sure the X-XRDS-Location header is also present on the response for the realm (the web app root, i.e. index.html). You may also need to publish it in the HTML head as:

<meta http-equiv="X-XRDS-Location" content="http://www.entitydescriber.org/ed/Yadis_xrds_doc.xrdf" />

If you're using Java Servlets on Apache Tomcat, you can insert the 'X-XRDS-Location' header into every response (return_to URL and realm alike) with a Servlet Filter.

IN ADDITION TO THIS,
I got the following EXTRA REQUIREMENTS from the Yahoo! OpenID FAQ:

Yahoo! will only support Relying Parties running on webservers with real hostnames (IP addresses are not supported) running on standard ports (Port 80 for HTTP and Port 443 for HTTPS).

This means that if your website's address is something like http://localhost:8080/somerealm/openid, Yahoo! will give you the second warning above: a) because it wants a real hostname, none of this IP address or localhost business, and b) because it is running on port 8080. What Yahoo! wants is something like http://real.hostname.com/somerealm/openid

To fix this, you need to forward requests arriving on port 80 to whatever port your web application actually listens on (a reverse proxy or a port redirect in front of Tomcat), so that http://real.hostname.com/somerealm/openid is served by http://real.hostname.com:8080/somerealm/openid. The return_to and realm you put in the authentication request must then be the port-80 form, since that is what Yahoo! will fetch.
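As an added example (my own code, not Yahoo!'s and not code from the original post), here is what the Provider's side of everything above looks like in Python: the hostname/port rule from the FAQ, the realm match, Yadis discovery at the return_to URL (falling back to the realm) through any of the mechanisms described, and the Section 13 check of the request's return_to against the URIs listed in the XRDS. The HTTP responses are constructed in memory so that it runs offline; the URLs are the entitydescriber.org ones from this page and the XRDS document is a constructed one. yahoo_verdict returns None when the RP passes and otherwise names which of the two warnings quoted at the top it would get.

```python
# Added example, not Yahoo!'s code and not from the original post: the checks an OpenID
# Provider runs on a return_to URL, driven over constructed in-memory HTTP responses.
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
XRD = "{xri://$xrd*($v*2.0)}"                 # namespace of the XRD elements inside an XRDS
WARN_ADDRESS = "does not meet Yahoo!'s requirements for website address"
WARN_IDENTITY = "has not confirmed its identity with Yahoo!"
XRDS_URL = "http://www.entitydescriber.org/ed/Yadis_xrds_doc.xrdf"
# Constructed XRDS document: one Service of the return_to type listing the RP endpoint.
XRDS_DOC = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service priority="1">
    <Type>http://specs.openid.net/auth/2.0/return_to</Type>
    <URI>http://www.entitydescriber.org/openid</URI>
  </Service></XRD>
</xrds:XRDS>"""

# Constructed (headers, body) responses standing in for GETs against the RP: return_to sends the
# X-XRDS-Location header (method 2), the realm page uses the <meta> form, the XRDS URL serves it.
SITE = {
    "http://www.entitydescriber.org/openid": (
        {"Content-Type": "text/html; charset=UTF-8", "X-XRDS-Location": XRDS_URL},
        "<html><body>login form</body></html>"),
    "http://www.entitydescriber.org/": (
        {"Content-Type": "text/html; charset=UTF-8"},
        '<html><head><meta http-equiv="X-XRDS-Location" content="%s" /></head></html>' % XRDS_URL),
    XRDS_URL: ({"Content-Type": "application/xrds+xml"}, XRDS_DOC),
}
# <meta http-equiv="X-XRDS-Location" content="..."> with the attributes in that order
META_RE = re.compile(r'<meta[^>]*http-equiv=["\']X-XRDS-Location["\'][^>]*content=["\']([^"\']+)',
                     re.IGNORECASE)

def _port(u):
    return u.port or (443 if u.scheme == "https" else 80)
def _is_xrds(headers):
    return headers.get("Content-Type", "").split(";")[0].strip().lower() == "application/xrds+xml"

def address_warning(url):
    """Yahoo!'s extra rule: a real public hostname (no IP, no localhost) on port 80/443."""
    u = urlparse(url)
    host = u.hostname or ""
    try:
        ipaddress.ip_address(host)
        return "IP addresses are not supported"
    except ValueError:
        pass
    if host == "localhost" or "." not in host:
        return "hostname must be a real DNS name"
    if _port(u) != (443 if u.scheme == "https" else 80):
        return "must be served on port 80 (http) or 443 (https)"
    return None

def url_matches_realm(url, realm):
    """OpenID 2.0 section 9.2: same scheme/port, host equal or under '*.', path under realm path."""
    u, r = urlparse(url), urlparse(realm)
    if u.scheme != r.scheme or _port(u) != _port(r):
        return False
    host, rhost = u.hostname or "", r.hostname or ""
    if rhost.startswith("*."):
        if host != rhost[2:] and not host.endswith(rhost[1:]):
            return False
    elif host != rhost:
        return False
    upath, rpath = u.path or "/", r.path or "/"
    return upath == rpath or upath.startswith(rpath.rstrip("/") + "/")

def yadis_locate(url):
    """XRDS text served directly, or found via the X-XRDS-Location header or <meta>; else None."""
    headers, body = SITE.get(url) or ({}, "")          # a missing entry plays the role of a 404
    if _is_xrds(headers):
        return body
    loc = headers.get("X-XRDS-Location")
    if not loc:
        m = META_RE.search(body)
        loc = m.group(1) if m else None
    resp = SITE.get(loc) if loc else None
    return resp[1] if resp and _is_xrds(resp[0]) else None

def xrds_return_to_uris(xrds_text):
    """All <URI>s of <Service> elements typed as OpenID 2.0 return_to endpoints."""
    uris = []
    for svc in ET.fromstring(xrds_text).iter(XRD + "Service"):
        if RETURN_TO_TYPE in [t.text.strip() for t in svc.findall(XRD + "Type") if t.text]:
            uris += [x.text.strip() for x in svc.findall(XRD + "URI") if x.text]
    return uris

def yahoo_verdict(return_to, realm):
    """None if the RP passes; otherwise which of the two warnings from the post it gets."""
    if address_warning(return_to) or address_warning(realm):
        return WARN_ADDRESS
    if not url_matches_realm(return_to, realm):
        return WARN_IDENTITY                  # section 9.2.1: return_to must match the realm
    xrds = yadis_locate(return_to) or yadis_locate(realm)   # Yahoo! tries return_to; some OPs the realm
    if xrds is None:
        return WARN_IDENTITY                  # discovery failed: no XRDS document found
    # section 13: the request's return_to must match one listed URI, each matched as a realm
    listed = xrds_return_to_uris(xrds)
    return None if any(url_matches_realm(return_to, u) for u in listed) else WARN_IDENTITY
```

Swap the SITE lookups for real GETs (urllib will do) and you have a local reproduction of the check to run against your own return_to and realm before trying Yahoo! again. Two things this check is strict about that are easy to get wrong: the XRDS must come back with Content-Type application/xrds+xml, and the return_to you send must fall under one of the <URI>s in the document.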

Your web application must be accessible from the internet

If your web application isn't open and reachable from the internet (i.e. someone on a computer outside your intranet can't get to your website), Yahoo! will not be able to contact your web app to do discovery, and you will get the same warning.