I put together a BBAuth sample to test the userhash / SSO feature and you can download the source code for it. The application uses a database connection to store the userhash and the data that the user submitted. If you want to use it for more than just a sample I recommend adding error handling.
To make the sample work you need to get your own appid:
- Go to https://developer.yahoo.com/wsregapp/
- Fill in your info – The Web Application URL is where Yahoo! redirects the user after a successful sign-in. This should be PATHTOTHEFILES/success.php
- Pick the scope that is called something like “Yahoo Authentication, no user data access” (SSO)
- Follow the steps in the flow until you get your appid / secret
- Enter both in the bbauth.inc file where it says appid and secret.
- At this point the redirect to Yahoo! and the redirect back to your server should work, but success.php will fail because the database is still missing.
- Set up a database – feed sso.sql to your db
- Enter the database info in success.php where it says “Edit your info here:”
- Now it should run like a Prius in the carpool lane.
Let’s start with the index.php page. Index has only two lines of actual code, everything else is markup:
//pulls in the bbauth functionality / appid / secret
require_once 'bbauth.inc';
//sign the redirect url and request userhash (send_userhash=1)
$app_login_url = yahoo_sign_url( $wslogin_server_long . "?appid=" . $appid . "&send_userhash=1", $secret );
bbauth.inc contains yahoo_sign_url and the other functions needed to talk to the Yahoo! login servers. The three functions listed below make the authentication flow pretty clear.
yahoo_sign_url( $url, $secret )
Signs the URL that sends the user to the Yahoo! login server with your secret, so Yahoo! can check that the request comes from someone who holds the secret. The user logs in and gets redirected to your app.
yahoo_sig_validate( $secret )
Validates the signature attached to the URL the login server sends the user to after a successful sign-in. This protects your app from someone forging that redirect, so success.php should not touch the database until this check has passed. The secret never leaves your server; it only goes into the hash. The request also contains a token that can be used to request a cookie.
get_cookie( $url )
Once you have the token you can request a cookie and make calls on behalf of the user; that is not part of the SSO sample. Jason put a quick start guide on YDN that covers it in more detail.
success.php gets called when the user is redirected back to your app; it validates the signature, and after that it's some HTML / SQL to get some content on the screen.
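To make the signing and the validation concrete, here is a stand-alone Python reimplementation of the round trip, written for this post rather than taken from the sample or from Yahoo!'s code. It assumes the BBAuth construction as documented at the time: sig is the MD5 of the relative URL (path and query, with ts appended) followed by the shared secret, and the redirect back is checked the same way over everything before &sig=. The endpoint constant, the appid and secret values, the 600 second freshness window and the fake redirect are all constructed placeholders; the redirect is built with the same signing routine to stand in for what Yahoo! would send to success.php.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumption: the BBAuth login endpoint ($wslogin_server_long in the sample).
WSLOGIN_SERVER_LONG = "https://api.login.yahoo.com/WSLogin/V1/wslogin"
# Constructed placeholders, not real credentials.
APPID = "EXAMPLE_APPID"
SECRET = "example-shared-secret"


def _relative_url(url):
    # Only path and query are signed; scheme and host are not covered by sig.
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def yahoo_sign_url(url, secret, ts=None):
    """Append ts and sig to a URL: sig = md5(path?query&ts=TS + secret)."""
    if ts is None:
        ts = int(time.time())
    unsigned = url + ("&" if "?" in url else "?") + "ts=%d" % ts
    sig = hashlib.md5((_relative_url(unsigned) + secret).encode()).hexdigest()
    return unsigned + "&sig=" + sig


def yahoo_sig_validate(request_url, secret, expected_appid, now=None, max_skew=600):
    """Check a signed redirect. Returns (True, params) or (False, reason)."""
    rel = _relative_url(request_url)
    idx = rel.rfind("&sig=")
    if idx < 0:
        return False, "missing sig"
    signed_part, presented = rel[:idx], rel[idx + len("&sig="):]
    expected = hashlib.md5((signed_part + secret).encode()).hexdigest()
    # Constant-time comparison so a wrong guess does not leak how much of it matched.
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "bad sig"
    params = dict(parse_qsl(urlsplit(request_url).query))
    # The signature does not cover the host, so bind the request to our own appid.
    if params.get("appid") != expected_appid:
        return False, "appid mismatch"
    try:
        ts = int(params.get("ts", ""))
    except ValueError:
        return False, "bad ts"
    # Reject stale or replayed redirects; the 600 s window is an assumption.
    current = int(time.time()) if now is None else now
    if abs(current - ts) > max_skew:
        return False, "stale ts"
    return True, params


def login_url(appid=APPID, secret=SECRET, ts=None):
    """What index.php builds: the signed redirect to Yahoo! asking for a userhash."""
    return yahoo_sign_url(WSLOGIN_SERVER_LONG + "?appid=" + appid + "&send_userhash=1", secret, ts)


def fake_yahoo_redirect(app_url, secret, ts, **fields):
    """Constructed stand-in for the redirect Yahoo! sends to success.php (not the real server)."""
    return yahoo_sign_url(app_url + "?" + urlencode(fields), secret, ts=ts)


# Constructed round trip: the URL success.php would receive for a made-up user.
CALLBACK = fake_yahoo_redirect(
    "https://example.invalid/sso/success.php", SECRET, 1200000000,
    appid=APPID, token="constructed-token", userhash="0123456789abcdef",
)


def demo(now=1200000100):
    """Validate the constructed callback as success.php would; returns the userhash or None."""
    ok, result = yahoo_sig_validate(CALLBACK, SECRET, APPID, now=now)
    return result["userhash"] if ok else None
```

The two checks that matter for the SSO sample are the ones bbauth.inc's validator is there for and the one the sample's success.php must not skip: reject anything whose sig does not match before running any SQL, and do not accept a redirect whose ts is far from the server clock, since a captured callback URL is otherwise replayable for as long as the secret lives.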
sso.sql creates a table called 'sso' with five columns.
Let me know if you have any feedback.
Another really cool SSO sample is the one from Kent Brewster.