Yahoo Oauth2/OpenIDconnect

Problem description

I implemented an OpenID Connect social login on top of OAuth2 for a few IDPs, but I fail to get Yahoo to behave the way it should.

My problem: each time I send an authentication request, Yahoo prompts the end-user for consent. While this is normal at 1st login, when permission is granted it should not ask the same question over and over.

On https://developer.yahoo.com/oauth2/guide/ Yahoo prompts the user in step-3 when in reality it is done in step-1. While it is logical that Yahoo prompts the user at the 1st call of https://api.login.yahoo.com/oauth2/request_auth, it should not prompt for the same consent at each of the other calls.

The remaining part of Yahoo OAUTH2 works fine. I get everything I need and while Yahoo is not OpenID-connect compliant, it nevertheless provides a user's unique ID with the access_token. This allows managing federation and saves a call to the profile API.

My question: Yahoo documentation does not specify any "scope" when requesting the access_token. Documentation does not give any "query" attributes that would allow a seamless login when consent is already in place. But I'm probably messing up somewhere because it should exist!!!

Question: did anyone succeed in using Yahoo OAUTH2 and avoiding the consent prompt at each login?

My demo is visible at: http://oidconnect.breizhme.net/demo/openidconnect/home; it is written in PHP on top of Laravel-5. I would be pleased to fix this Yahoo error before pushing my code to GitHub.

Recommended answer

Short answer: if you want to use Yahoo as a source for user authentication, you'll need to talk OpenID 2.0 to it.

Long answer: I believe you're conflating SSO and Authorization. OpenID Connect is indeed an SSO protocol built on top of OAuth 2.0. OAuth 2.0 on its own is for delegation of API access.

For clients (not users) accessing its APIs (Authorization) Yahoo supports OAuth 2.0. Clients that need to access Yahoo's APIs on behalf of Yahoo's users can obtain access tokens by using the OAuth 2.0 Authorization Code grant, which implies that Yahoo's users log in to consent. In addition to the access token, the client also gets a refresh token in that flow. It can use the refresh token to get a new access token when the current one expires. As you see, the refresh token allows us not to bother the Yahoo user again when the client needs a new access token.

The previous paragraph shows how accessing Yahoo's APIs is done using OAuth 2.0.

Yahoo does not support OpenID Connect for Authentication (SSO) of users to 3rd-party websites; it only supports OpenID 2.0 for that purpose. So if you want to use Yahoo as an authentication/SSO provider you need to use OpenID 2.0, since Yahoo is an OpenID 2.0 provider.

What you're running into is a situation where you're trying to use the OAuth 2.0 protocol as a user authentication protocol (or: an OAuth 2.0 provider as an authentication provider). That may have serious complications, see http://oauth.net/articles/authentication/

FWIW: Yahoo is not an OpenID Connect provider (yet).
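
The refresh-token behaviour described in the answer, as an added example that is not part of the original question or answer: a client-side token cache that reuses the access token until shortly before expiry and then issues the RFC 6749 section 6 refresh grant, so the user is sent through consent only when no refresh token is held. The `TokenCache` class, the injected `transport` callable and the 60-second skew are hypothetical; the token endpoint URL is assumed from Yahoo's OAuth 2.0 guide and is not quoted on this page, and any provider-specific request parameters are out of scope.

```python
import base64
import time
import urllib.parse

# Assumption: token endpoint as named in Yahoo's OAuth 2.0 guide (not on this page).
TOKEN_ENDPOINT = "https://api.login.yahoo.com/oauth2/get_token"
SKEW = 60  # hypothetical margin: refresh this many seconds before expiry


class TokenCache:
    """Holds the tokens obtained from one Authorization Code exchange."""

    def __init__(self, client_id, client_secret, transport, clock=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.transport = transport  # callable(url, headers, body) -> parsed JSON dict
        self.clock = clock
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def store(self, response):
        """Record a token response (RFC 6749 section 5.1)."""
        self.access_token = response["access_token"]
        self.expires_at = self.clock() + int(response["expires_in"])
        # The server may rotate the refresh token; otherwise keep the one we hold.
        self.refresh_token = response.get("refresh_token", self.refresh_token)

    def refresh_request(self):
        """Build the refresh_token grant; it involves no user interaction."""
        creds = f"{self.client_id}:{self.client_secret}".encode()
        headers = {
            "Authorization": "Basic " + base64.b64encode(creds).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        }
        body = urllib.parse.urlencode(
            {"grant_type": "refresh_token", "refresh_token": self.refresh_token})
        return TOKEN_ENDPOINT, headers, body

    def get_access_token(self):
        """Return a usable access token, refreshing silently near expiry."""
        if self.access_token and self.clock() < self.expires_at - SKEW:
            return self.access_token
        if not self.refresh_token:
            raise LookupError("no refresh token held: a new consent flow is needed")
        self.store(self.transport(*self.refresh_request()))
        return self.access_token
```

The cache only keeps API access alive for the client; as the answer points out, holding a valid access token is delegation and does not by itself authenticate the user to the client.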
