June 16, 2009

OAuth Update: New Streamlined User Experience, and Revision A

Over the years, many developers have asked us to make our Auth UIs (the user interface for logging in and verifying user ID and password) less jarring and disruptive. Until today, all of our authorization services, including OAuth, OpenID, and BBAuth used a "redirect" UI, which required sites to redirect the user's browser over to Yahoo! to ask for the user's approval before sharing the user's data. Many developers found this user experience (UX) disruptive: Confronting a user with a Yahoo! login screen after being redirected from the developer's site does not provide context for the user to understand why they're being prompted for their password, nor does it give the user a clear way back to the originating site.

Due to the very real risk of phishing scams, we tell our users to never enter their Yahoo! password on any web page other than the Yahoo! login screen, and we actively encourage our users to set up a personalized Sign-in Seal to help protect them from being phished. Because of the phishing threat, we strongly believe that users should only enter their password on the Yahoo! login screen, which required sites using our Auth services to use the redirect UI, rather than using a more inline and contextual flow.

We're very happy to announce that we've now updated our OAuth UI to be more contextual and streamlined. We've added more context for why the user is being prompted for their password, and we've formatted the UI to be displayable in a small popup window. For security reasons, we require that the popup window always be opened with the address bar displayed, clearly showing the URL of the Yahoo! login screen.

Check out our demo site that was built using the Y!OS SDK to see the new popup in action.

Using the new Popup OAuth UI is optional, sites currently using the old redirect UI don't have to change anything to benefit from having the more contextual Yahoo! Login screen, although the screen might look a little sparse in a full browser window. Sites wanting to optimize the approval flow should open the popup window with the address bar enabled, sized at 600 x 435 pixels. Developers must remember to close the popup and to refresh the parent window after the user successfully approves the request. Our Y!OS SDKs have already been updated to use the popup, and developers are encouraged to use the SDK. Developers should consult our OAuth documentation for more details about implementing the popup.

Currently, only the OAuth UI has been enabled to use the new popup, but soon we'll be updating our OpenID service to support the OpenID User Interface Extension which defines a standard OpenID Authentication Popup interface.

OAuth Revision A Update

As I mentioned in my last OAuth Update, Yahoo! requires that all OAuth-enabled applications use OAuth 1.0a, also known as "Revision A" of the protocol. Developers must upgrade to OAuth 1.0a. The easiest way to upgrade to OAuth 1.0a and to get the new popup: Download and install the latest version of the Y!OS SDK. Again, developers should consult our OAuth documentation for more details about OAuth 1.0a and the popup.

Keep on hacking!

Allen Tom
Architect, Yahoo! Membership

Posted at June 16, 2009 5:30 PM | Permalink

Bookmark this on Delicious

Comments

Posted by: Jason Feffer at June 16, 2009 11:42 PM

Posted by: Will Aldrich at June 17, 2009 12:46 PM

Posted by: Jamal Abdou-Karim Bengeloun at June 20, 2009 1:24 PM