I've been working on support for OpenID 2.0 in Ecademy. That all works now, but when using Yahoo! as a provider they put up a scary warning saying that Ecademy is not validated with Yahoo! To get rid of the warning you have to have a valid YADIS file on the OpenID consumer side containing a return_to service that matches the one sent to Yahoo, but I and others couldn't get this exactly right. After contacting Yahoo by email I got a message back from Yu Wang with the final piece in the puzzle.

Here's what's needed. I'll describe it for Ecademy.

http://www.ecademy.com needs to return an HTTP header
X-XRDS-Location:http://www.ecademy.com/yadis.xrdf

http://www.ecademy.com/yadis.xrdf
needs to return a header
Content-Type: application/xrds+xml

http://www.ecademy.com/yadis.xrdf
needs to look like this

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS
    xmlns:xrds="xri://$xrds"
    xmlns:openid="http://openid.net/xmlns/1.0"
    xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>http://www.ecademy.com:80/account.php</URI>
    </Service>
  </XRD>
</xrds:XRDS>

Notes.
1) Yahoo are not reading

in the section of http://www.ecademy.com. They're only doing YADIS discovery via the HTTP header. I fixed this in my index.php by putting
header('X-XRDS-Location:http://www.ecademy.com/yadis.xrdf');
at the top. I think this is a bit mean!

2) Even when Yahoo successfully GET the YADIS file they don't do anything with it unless Apache returns the right header. I added this line to my /etc/mime.types file and did an Apache reload
application/xrds+xml xrdf
Yu Wang said they would be relaxing this requirement in a future release.

3) The URI for the entry in the YADIS file should exclude all parameters. The Yahoo approval screen shows the return_to, so strip all parameters from that and put it in the YADIS file. In my case, I've copied the JanRain example consumer, which includes the port number. The actual return_to is
http://www.ecademy.com:80/account.php?op=login_openid&remember=on&janrain_nonce=...
so the entry in yadis.xrdf is
http://www.ecademy.com:80/account.php

I've got three different op= values for different scenarios: signup_openid, login_openid and add_openid. Luckily the same YADIS entry works for all three.
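
The three conditions above can be checked offline before asking the provider to retry. This is an added example, not code from the original post or from Yahoo or JanRain; the function names, the sample header values and the exact-string comparison of the stripped return_to are assumptions based on the notes above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

XRD_NS = "{xri://$xrd*($v*2.0)}"
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
# Constructed sample: the yadis.xrdf document from the post, condensed.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD><Service priority="0">
<Type>http://specs.openid.net/auth/2.0/return_to</Type>
<URI>http://www.ecademy.com:80/account.php</URI>
</Service></XRD>
</xrds:XRDS>"""

def strip_params(return_to):
    """Note 3: drop query string and fragment, keep scheme, host:port, path."""
    p = urlsplit(return_to)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

def return_to_uris(xrds_text):
    """Collect every <URI> under a <Service> typed as a return_to endpoint."""
    uris = []
    for svc in ET.fromstring(xrds_text).iter(XRD_NS + "Service"):
        types = [t.text.strip() for t in svc.findall(XRD_NS + "Type") if t.text]
        if RETURN_TO_TYPE in types:
            uris += [u.text.strip() for u in svc.findall(XRD_NS + "URI") if u.text]
    return uris

def check_rp_discovery(home_headers, xrds_headers, xrds_text, return_to):
    """Return a list of problems; an empty list means all three notes hold."""
    problems = []
    home = {k.lower(): v for k, v in home_headers.items()}
    xrds = {k.lower(): v for k, v in xrds_headers.items()}
    if not home.get("x-xrds-location", "").strip():      # note 1
        problems.append("home page sends no X-XRDS-Location header")
    ctype = xrds.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/xrds+xml":                   # note 2
        problems.append("XRDS served as '%s'" % ctype)
    wanted = strip_params(return_to)                      # note 3
    if wanted not in return_to_uris(xrds_text):           # assumed exact match
        problems.append("no return_to URI equal to " + wanted)
    return problems

if __name__ == "__main__":
    # Constructed request: op/remember/nonce values are placeholders.
    rt = "http://www.ecademy.com:80/account.php?op=login_openid&remember=on&janrain_nonce=PLACEHOLDER"
    print(check_rp_discovery(
        {"X-XRDS-Location": "http://www.ecademy.com/yadis.xrdf"},
        {"Content-Type": "application/xrds+xml"}, SAMPLE_XRDS, rt))
```
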

Hope this helps someone.


[ 13-Mar-08 8:00am ] [ ]