[OpenID] Yahoo doesn't return openid.mode=cancel responses?
Allen Tom
atom at yahoo-inc.com
Wed Nov 12 23:37:25 UTC 2008
Hi Deron,
The short answer is that Yahoo sends the browser to www.yahoo.com if the
user clicks the Cancel link.
If you believe that this behavior is disruptive, we absolutely agree
with you, and we'd like to see if we can improve the user experience to
increase the successful sign in rate, and to keep the user at the RP in
case the user doesn't want to sign in.
The reason why Yahoo does not send the browser to the return_to url is
because there is no way to verify that the claimed RP is actually the
entity that generated the OpenID authentication request. The OpenID 2.0
authentication request is not signed, and anyone can generate an
authentication request for any realm/return_to. Because Yahoo has no way
to verify that the RP generated the request, AND because the user
indicated that they don't want to sign into the RP, we believe that the
safest thing to do is to not send the browser to the return_to.
Moving forward, perhaps the best compromise would be to have the OpenID
flow go through a small popup which can automatically close after the
user finishes the sign in flow, similar to the Facebook Connect user
experience.
Thanks
Allen
Deron Meranda wrote:
> I'm seeing something unexpected with using Yahoo! as an OP.
>
> If, once I get on Yahoo!'s OpenID authorization page, I click
> "cancel" rather than "continue", it redirects my browser to the
> Yahoo! public home page at http://www.yahoo.com/ -- rather
> than going back to the RP's return_to URL with an openid.mode
> of "cancel".
>
> Other OPs I'm testing with seem to work as expected; they
> return a cancel message back to my RP.
>
> Am I potentially doing something wrong, or is Yahoo! not
> following the OpenID spec here?
>
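The two points in this exchange, that an OpenID 2.0 checkid_setup request carries no signature binding it to the RP that claims to have sent it, and that an RP therefore cannot count on ever receiving openid.mode=cancel, can be shown in a few lines of RP-side code. The following is an added example written for this thread, not code from Yahoo, from Deron's RP, or from any OpenID library; the realm, return_to and OP endpoint values are placeholders, and the realm-matching check follows the return_to/realm rules of the OpenID 2.0 spec (section 9.2) as I understand them rather than any particular OP's implementation.

```python
from urllib.parse import urlencode, urlparse, parse_qs

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Hypothetical values constructed for this example (not Yahoo's real endpoint).
RP_REALM = "https://rp.example.com/"
RP_RETURN_TO = "https://rp.example.com/openid/return?state=abc123"
OP_ENDPOINT = "https://op.example.net/openid/server"


def build_checkid_setup(op_endpoint, claimed_id, return_to, realm):
    """Build an OpenID 2.0 checkid_setup request URL.

    Note that nothing in the request is signed: any party can construct one
    for any realm/return_to pair, which is exactly why an OP cannot prove that
    the named RP really initiated the request.
    """
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    sep = "&" if "?" in op_endpoint else "?"
    return op_endpoint + sep + urlencode(params)


def request_is_signed(url):
    """An authentication *request* never carries openid.sig; only responses do."""
    return "openid.sig" in parse_qs(urlparse(url).query)


def return_to_matches_realm(return_to, realm):
    """Check return_to against realm: same scheme and port, host equal (or
    under a '*.' wildcard realm), and the realm path is a prefix of the
    return_to path. This is all an OP can check on an unsigned request."""
    rt, rl = urlparse(return_to), urlparse(realm)
    if rt.scheme != rl.scheme or rt.port != rl.port:
        return False
    realm_host = rl.hostname or ""
    rt_host = rt.hostname or ""
    if realm_host.startswith("*."):
        base = realm_host[2:]
        host_ok = rt_host == base or rt_host.endswith("." + base)
    else:
        host_ok = rt_host == realm_host
    if not host_ok:
        return False
    return (rt.path or "/").startswith(rl.path or "/")


def classify_response(return_to_query):
    """Classify what arrived at return_to. 'assertion' still needs full
    verification (signature, nonce, return_to, op_endpoint) before login."""
    params = parse_qs(return_to_query)
    mode = params.get("openid.mode", [None])[0]
    if mode == "cancel":
        return "cancelled"
    if mode == "id_res":
        return "assertion"
    if mode == "setup_needed":
        return "setup_needed"
    return "unexpected"


def expire_pending(pending, now, ttl_seconds=600):
    """Drop pending login attempts older than ttl_seconds.

    An OP that sends a cancelling user to its own home page never delivers
    openid.mode=cancel, so the RP must time out pending state on its own
    instead of waiting for a cancel that may never come.
    """
    stale = [state for state, started in pending.items()
             if now - started > ttl_seconds]
    for state in stale:
        del pending[state]
    return stale


if __name__ == "__main__":
    # Anyone can mint a request naming a realm they do not control.
    forged = build_checkid_setup(OP_ENDPOINT, "https://user.example.org/",
                                 "https://attacker.example.org/cb",
                                 "https://attacker.example.org/")
    print("signed request?", request_is_signed(forged))
    print("return_to in realm?",
          return_to_matches_realm(RP_RETURN_TO, RP_REALM))
    print(classify_response("openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
                            "&openid.mode=cancel"))
    pending = {"abc123": 0, "def456": 1000}
    print("expired:", expire_pending(pending, now=1200))
```

The practical consequence for an RP is in `expire_pending`: treat a login as abandoned when its state record ages out, rather than assuming the OP will always redirect back with a cancel. The realm check is the most an OP can do with the request alone; it does not tell the OP who built the request, only that the return_to is at least within the realm the request names.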