BBAuth Coding – Single Sign On

I put together a BBAuth sample to test the userhash / SSO feature and you can download the source code for it. The application uses a database connection to store the userhash and the data that the user submitted. If you want to use it for more than just a sample I recommend adding error handling.

To make the sample work you need to get your own appid:

  1. Go to https://developer.yahoo.com/wsregapp/
  2. Fill in your info – The Web Application URL is where Yahoo! redirects the user after he signs in successfully. This should be PATHTOTHEFILES/success.php
  3. Pick the scope that is called something like “Yahoo Authentication, no user data access” (SSO)
  4. Follow the steps in the flow until you get your appid / secret
  5. Enter both in the bbauth.inc file where it says appid and secret.
  6. At this point the redirect to Yahoo and redirect back to the server should work, but the success.php will fail because of the missing database.
  7. Set up a database – feed sso.sql to your db
  8. Enter the database info in success.php where it says “Edit your info here:”
  9. Now it should run like a Prius in the carpool lane.


Let’s start with the index.php page. Index has only two lines of actual code, everything else is markup:
<?php
//pulls in the bbauth functionality / appid / secret
include "bbauth.inc";

//sign the redirect url and request userhash (send_userhash=1)
$app_login_url = yahoo_sign_url ( $wslogin_server_long . "?appid=" . $appid . "&send_userhash=1", $secret );
?>

bbauth.inc contains yahoo_sign_url and the other functions needed to talk to the Yahoo! login servers. The three functions listed below make the authentication flow pretty clear.

yahoo_sign_url( $url, $secret )
Signs the URL that sends the user to the Yahoo! login server with your secret. That lets Yahoo! verify that the request comes from someone who holds the secret. The user logs in and gets redirected to your app.

yahoo_sig_validate( $secret )
This function validates the signature that is attached to the URL to which the login server sends the user after he or she signs in successfully. This protects your app from someone forging a request. The request will also contain a token that can be used to request a cookie.

get_cookie( $url )
Once you have the token you can request a cookie to make calls on behalf of the user - that is not part of the SSO sample. Jason put a quick start guide on YDN that talks about that in more detail.

success.php gets called when the user gets redirected back to your app, and that is where the signature gets validated. After that it's some HTML / SQL to get some content on the screen.
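The sign-then-validate round trip described above, as an added example that is not code from the sample or from Yahoo!: a Python stand-in for yahoo_sign_url and yahoo_sig_validate. It assumes the BBAuth rule that sig is the MD5 of the URL's path-and-query (with the trailing sig parameter removed) followed by the secret, that a ts parameter carries UNIX seconds, and a 600-second freshness window; the login-server URL, the secret and the redirect are constructed values.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Assumed BBAuth rule (added example, not the sample's code):
#   sig = md5( <path and query of the URL, with "&sig=..." removed> + secret )
# and the URL must carry a ts (UNIX seconds) that is still fresh.
LOGIN_SERVER = "https://api.login.yahoo.com/WSLogin/V1/wslogin"  # assumed
MAX_SKEW = 600  # assumed freshness window in seconds

def _signable_part(url: str) -> str:
    """Path plus query, byte-for-byte as sent, without the trailing &sig=... part."""
    parts = urlsplit(url)
    rel = parts.path + ("?" + parts.query if parts.query else "")
    cut = rel.find("&sig=")
    return rel if cut < 0 else rel[:cut]

def _md5_sig(signable: str, secret: str) -> str:
    return hashlib.md5((signable + secret).encode("utf-8")).hexdigest()

def yahoo_sign_url(url: str, secret: str, ts: Optional[int] = None) -> str:
    """Append ts and sig to the login URL, as index.php does with yahoo_sign_url."""
    ts = int(time.time()) if ts is None else ts
    unsigned = f"{url}{'&' if '?' in url else '?'}ts={ts}"
    return f"{unsigned}&sig={_md5_sig(_signable_part(unsigned), secret)}"

def yahoo_sig_validate(return_url: str, secret: str, now: Optional[int] = None) -> bool:
    """Check the redirect back to success.php: sig must match and ts must be fresh."""
    now = int(time.time()) if now is None else now
    q = dict(parse_qsl(urlsplit(return_url).query, keep_blank_values=True))
    if "sig" not in q or not q.get("ts", "").isdigit():
        return False
    if abs(now - int(q["ts"])) > MAX_SKEW:  # stale or replayed redirect
        return False
    expected = _md5_sig(_signable_part(return_url), secret)
    return hmac.compare_digest(expected, q["sig"])  # constant-time compare

if __name__ == "__main__":
    secret = "constructed-secret"  # constructed; use the secret from bbauth.inc
    print(yahoo_sign_url(f"{LOGIN_SERVER}?appid=CONSTRUCTED_APPID&send_userhash=1", secret))
    # Constructed redirect, shaped like the one the login server sends to success.php.
    back = yahoo_sign_url("https://example.test/success.php?appid=CONSTRUCTED_APPID"
                          "&token=T0K3N&userhash=abc123", secret, ts=1700000000)
    print(yahoo_sig_validate(back, secret, now=1700000100))                               # True
    print(yahoo_sig_validate(back.replace("userhash=abc123", "userhash=x"), secret, now=1700000100))  # False
    print(yahoo_sig_validate(back, secret, now=1700000000 + 3600))                        # False
```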

sso.sql creates a table called 'sso' with five columns.

Let me know if you have any feedback.

Another really cool SSO sample is the one from Kent Brewster.

4 Responses to “BBAuth Coding – Single Sign On”

  1. Yahoo’s Browser Based Authentication (BBAuth) Launched…

    Last night I mentioned that we’d have a few more announcements on the Yahoo! Developer Network today. I just posted the latest: Browser Based Authentication or BBAuth as we like to call it. Our Browser Based Authentication (BBAuth) is a generic mechan…

  2. Ankit Gupta says:

    Can this service be used to authenticate my users' Yahoo Id? I want to store my users' yahooId, so that we can show their Yahoo Avatar in our app.

    Is it valid to do so? If yes, how can I use this service to authenticate the yahooId provided by the user?

  3. [...] Browser Based Authentication or BBAuth: which is as they describe “a generic mechanism that will allow users to grant 3rd party web-based applications access their Yahoo! data…it possible to use Yahoo! as a single sign-on for your site, thus removing a barrier to entry for a whole lot of people (over 200 million to be exact).” Looks like a very useful service, somewhat similar to Google’s authentication service released earlier this year. More from Jeremy Zawodny and Dan Theurer [...]

  4. Cross Domain AJAX AKA OnDemand JavaScript…

    XmlHttpRequest is the traditional heart of any AJAX application. Having access to GET and POST requests to give a la carte updates to the pages is neat. But to really make use of the XmlHttpRequest a server proxy was often required in order to get …
