Launching the Un-Launch-Able

Opening up Yahoo! I’ve been looking forward to this day and writing this exact post for quite some time now! So this is it! Wow, this feels great! We just pushed Browser Based Authentication (BBAuth) out the door.

Let’s start this post with what BBAuth is and what it can be used for. It was designed to allow third-party applications to interact with user-specific data with the users’ consent. On top of doing the obvious, it supports Single Sign-On out of the box.

That means that, instead of building your own sign-up flow, which requires users to pick yet another username and password, your application can let them sign in with their existing Yahoo! account. The best thing about it is that it’s safe: the Yahoo! ID does not get shared with the applications. Your application needs to redirect the user to the Yahoo! BBAuth login and, after the user successfully logs in, your app will receive an encrypted and unique userid for each user that logs in. This sample application makes use of SSO.

Good or bad? That is up to you to decide. My opinion is that this can make navigating the web so much easier for users, and I am one of them! I don’t want to have to remember ‘x’ usernames and ‘y’ passwords and keep adding to the list every day. There are also other ways of dealing with that problem, but here is a solution that is really straightforward. Feel free to leave a comment and let me know what you think! I want to add that this is not driven by a huge initiative to get everyone on Yahoo!, but an attempt to put out another tool that developers can decide to adopt if they like it.

But that’s not all! Yahoo! Photos opened up an API that takes advantage of BBAuth as well. I wrote a sample application that uses it, which allows users to view and update titles and descriptions for photos stored on Yahoo!. The ajaxy parts are using the YUI libraries. On top of all that, we are doing a private beta for developers who attend our public Hackday! The new Yahoo! Mail is opening up its backend!! Appid sign-up will be limited for now, but stay tuned for future updates.

For me, this has been quite a ride from the first time we talked about making BBAuth happen until today, the day we finally launched. In a big company like Yahoo!, you need to get input / approval from quite some folks if you want to do something out of the box and open up the company. All that makes sense and is justifiable but sometimes I wish it would have been faster. On the other side, I learned a lot about the company I work for, how big companies work in general, egos, friends and allies and most importantly how you get stuff done that is obviously not on everyone’s “need this today” list.

Like most platform projects that have to support a lot of different use-cases, the list of people that have made this happen is very long and I don’t even want to try to list them all. Instead I want to send a big “general” thank you out to all the thinkers and do-ers, the try-to-stop-it-ers and the must-have-today-ers! Thanks to all of you for making it what it is today!

Further reading: On the Developer Network page we have the official announcement. Jeremy posted something on his blog as well. Without his help to clear last minute “congestions” I am not sure if it would have gone out today :)

42 Responses to “Launching the Un-Launch-Able”

  1. Yahoo’s Browser Based Authentication (BBAuth) Launched…

    Last night I mentioned that we’d have a few more announcements on the Yahoo! Developer Network today. I just posted the latest: Browser Based Authentication or BBAuth as we like to call it. Our Browser Based Authentication (BBAuth) is a generic mechan…

  2. Ryan Tate says:

    I’ve been combing the docs and I’m really frustrated. I think it’s really cool that I can get a user of my app signed into Yahoo. Great. But then what? How do I store a preference for my app in the Yahoo Account? How do I get Yahoo data out of the account? This must be in the docs but I’ve looked all over and can’t find it. Argh.

    Thanks for doing this. I’m probably just lost in the docs.

  3. [...] That’s it for now – I’ll let Jeremy and Dan from Yahoo enlighten you further, but I plan to update this post in due time… [...]

  4. Nikhil says:

    Return of the Yahoo
    I have been wanting to talk about Yahoo and their aggressive pursuit of Google in the Internet space for awhile. The biggest manifestation of this has been their courting of developers to leverage their ecosystem. But this is big – this IMHO puts them abreast if not ahead of Google right now.

  5. [...] This is a big deal. Congrats to the YDN team. [...]

  6. [...] BBAuth fixes that problem when it comes to accessing data locked up at Yahoo. Using the tools Yahoo provides, non-Yahoo applications can request a user to sign in to Yahoo and give permission for Yahoo user data to be sent to the non-Yahoo application. Yahoo’er Dan Theurer explains how it works in more detail, and points to two test applications he created. The first shows how it can be used to allow sign in via Yahoo credentials, and the second shows how you can access Yahoo photos data outside of Yahoo. [...]

  7. [...] Yahoo’s release of open access to its BBAuth authentication service (see also here and here) is a big step forward. It’s just the thing for many simple applications. It’s not as good as a user-controlled cross-provider identity scheme, but the emergence of a few real high-volume competing web services will help drive us there. [...]

  8. [...] With BBAuth, you can access information locked up at Yahoo without being troubled by such problems. Using the tools Yahoo provides, even non-Yahoo applications can issue a Yahoo user sign-in request and have the Yahoo user’s information sent to the non-Yahoo application. Yahoo’s Dan Theurer explains in detail how this works while showing off two test apps he wrote himself. The first shows how to allow user sign-in with credentials issued by Yahoo, and the second how to access Yahoo Photos information from outside Yahoo. [...]

  9. mike says:

    How is this different from Microsoft Passport in general and as far as features go?

  10. Dan says:

    Hey Ryan,

    “I can get a user of my app signed into Yahoo. Great. But then what?”
    The user gets redirected to the URL that you specified as the ‘web app url’ when you signed up for the appid. You can use the code from this app to validate the signature when the login server calls your web app after the user signed in successfully.
    http://www.theurer.cc/blog/2006/09/29/bbauth-coding-single-sign-on/

    “How do I get Yahoo data out of the account?”
    Once you have the token you need one more round-trip to get a cookie. This is described in here.
    http://developer.yahoo.com/auth/authcalls.html

    The last piece of the puzzle is to make a call to e.g. Photos and add the cookie (header) and the wssid to the call.
    http://developer.yahoo.com/photos

    Jason Levitt wrote a PHP quick start and put it in the docs, which is really helpful as well.
    http://developer.yahoo.com/auth/

  11. Dan says:

    Hi Mike,

    BBAuth is fundamentally different from MS Passport in that it can be used with other sign-on solutions, it is not bound to a credit card or personal information and it does not lock-in developers or users.

    Besides that…
    - It’s Free
    - Anonymous – The application does not get information besides the userhash from the user.
    - It makes it much easier for developers to write applications (they don’t need to build the sign-up flow)

  12. Ryan Tate says:

    Dan, thanks for your answer and time.

    I must not be expressing myself clearly.

    Whenever I’ve added user authentication to an app, it has always been for a reason. I need to associate certain permissions with that user (maybe associate certain role IDs with them), or maybe remember their email address and real name, or maybe remember which buttons they like toggled by default on a certain search form.

    Using your new auth system, how do I add/get/update this sort of data?

    Can I at least get some sort of UID for the user that I can use on my own server to store information about the user? Some handle that will be consistent from session to session?

    Maybe an example is better:

    Let’s say someone is on my site. They want to log in, so I send them off to Yahoo, they come back and I’ve done all the talking to Yahoo’s servers to verify that yes, they are logged in. I’ve followed all the steps.

    Now I want to, say, greet them using their full name. How do I do that? How do I ask Yahoo to tell me their name?

    Or say I run a community site for people who knit sweaters. Mary Jo is logged in via Yahoo. I want to store and remember Mary Jo’s favorite fabric color. How do I do that?

  13. Ryan Tate says:

    PS I’m asking from an API perspective. Obviously I know how to do those examples on my own server using a scripting language and RDBMS. What I don’t understand is how to do that using Yahoo’s API. There must be documentation on that somewhere.

  14. Nic Wise says:

    Dan, one thing I see missing: how do I use it in development? I want to test code on localhost (not deploy it to a server – yet!), but I can’t get a key, ‘cos it’s not a public domain…. etc

    Thoughts?

  15. Dan says:

    To develop an application you need at least one URL that is reachable from the outside – the one the login server redirects to. Since you can verify the signature from the call you can be sure it came from the login server, so you don’t have an open entry point to your app. Does that help?

  16. Nic Wise says:

    Not really. I’d be developing it on my laptop, so I may be at home, at work, on a cafe somewhere…. I’d kinda like the browser to redirect to http://localhost/something…. which would work in those situations.

    What about a signup option “this is a development only key”. And if someone signs into that, they are warned it’s for dev only, in REALLY big red letters. or something :) Then it doesn’t validate the URL…. (OR: only allows localhost!)

  17. Nic Wise says:

    Dan: other than that, it looks REALLY cool.

  18. I share Nate’s concerns, but after looking at the docs, and re-reading Dan’s post, it seems like the “user hash” is the key to identifying returning users, and being able to associate app specific user properties in your app’s data store.

    From the docs

    send_userhash

    If this optional parameter equals ’1′, the Yahoo! login server includes an unique identifier for a particular user in your endpoint URL. With the userhash you can identify a returning user or even build an application that requires sign in without having to build the authentication part yourself. The identifier is bound to a specific appid.

    If I understand things correctly the flow goes like this:

    1 user wants to log into your app;
    2 user is redirected to yahoo
    3 user logs into yahoo.
    4 user is returned to your app with a “user hash” that links the user to the user’s yahoo account
    5 your app stores the user’s favorite sweater color, keyed by, among other things perhaps, the “user hash” value
    6 the user logs out

    7 the user logs back in, repeating steps 1-4
    8 your app looks up the user’s favorite sweater color with the “user hash” returned in step 4

    Is this a correct understanding?
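The flow the post describes and the steps Dan and the commenter above walk through (redirect to the login server, signed callback carrying the userhash, app data keyed by that userhash) as an added, runnable example. This is not Yahoo’s code and it does not reproduce BBAuth’s documented signature construction (see the Developer Network docs for that); it uses an assumed HMAC-SHA256 scheme and a constructed stand-in for the login server to show the checks a relying party should make: signature verification, freshness against replay, and a store keyed by the appid-bound userhash.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

MAX_SKEW = 600  # seconds; callbacks older than this are treated as replays


def _signing_base(path: str, params: dict) -> str:
    """Canonical string: path plus every query parameter except sig, sorted."""
    items = sorted((k, v) for k, v in params.items() if k != "sig")
    return path + "?" + urlencode(items)


def sign(path: str, params: dict, secret: str) -> str:
    # Assumed construction (HMAC-SHA256 over the canonical string); not Yahoo's documented one.
    msg = _signing_base(path, params).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def build_login_url(login_base: str, appid: str, secret: str, ts: int) -> str:
    """Steps 1-2: the URL the app redirects the user to; send_userhash=1 asks for the userhash."""
    params = {"appid": appid, "send_userhash": "1", "ts": str(ts)}
    params["sig"] = sign(urlsplit(login_base).path, params, secret)
    return login_base + "?" + urlencode(params)


def fake_login_server_callback(endpoint: str, secret: str, userhash: str, ts: int) -> str:
    """Step 4, constructed stand-in for the login server: the signed redirect back to the app."""
    params = {"ts": str(ts), "userhash": userhash}
    params["sig"] = sign(urlsplit(endpoint).path, params, secret)
    return endpoint + "?" + urlencode(params)


def verify_callback(url: str, secret: str, now: int):
    """Return the userhash only if the callback is authentic and fresh, otherwise None."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    expected = sign(parts.path, params, secret)
    # Constant-time comparison so the check does not leak the expected value via timing.
    if not hmac.compare_digest(expected.encode(), params.get("sig", "").encode()):
        return None
    try:
        ts = int(params["ts"])
    except (KeyError, ValueError):
        return None
    if abs(now - ts) > MAX_SKEW:
        return None  # stale or replayed callback
    return params.get("userhash") or None


class PreferenceStore:
    """App-side data keyed by the appid-bound userhash (steps 5 and 8 above)."""

    def __init__(self):
        self._prefs = {}

    def set(self, userhash: str, key: str, value: str) -> None:
        self._prefs.setdefault(userhash, {})[key] = value

    def get(self, userhash: str, key: str):
        return self._prefs.get(userhash, {}).get(key)
```

Because the userhash is bound to the appid, the same person signing in through a different application yields a different key, so two apps cannot correlate their stores.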

  19. How close is BBAuth to the Flickr Auth API? Better asked, how much recoding is involved to use BBAuth, if one has already coded apps for the Flickr Auth API?

  20. Bazily says:

    Dan, looks promising but is missing a couple things from what I can see:

    *personal data – I don’t think anyone understands what “personal data” someone can access. After checking out the photos example, the data is less personal (I was thinking a user’s zip code to use for a map mashup) and more stored (items “personal” to me stored in Yahoo’s apps like photos, videos, links, etc.)

    *fraud – I’m sure a crafty phisher has put up a yahoo login clone. People have been conditioned to question this kind of redirect-to-another-site login page, and now you’re doing it on purpose. I’m guessing that’s why the regular login started pushing the sign-in seal idea a bit ago, but until that’s forced I think this is a huge issue for Web 1.0 type users.

    *docs – I’m guessing the docs for photos and the others will update after hackday, because they’re referencing knowledge of the user id which shouldn’t be necessary, right? Once a couple more examples are put out there we’ll figure it out.

  21. [...] BBAuth solves that problem and gives access to data protected by Yahoo. Using the tools provided by Yahoo, you can build applications that call on Yahoo’s identification process and obtain permission to use users’ data in your own application. Dan Theurer explains this in much more detail, and points us to 2 applications he created. The first shows how identification via Yahoo can be used, and the second how you can access your photos hosted at Yahoo without being on Yahoo. [...]

  22. Dan says:

    Hey Nic,

    Yeah, unfortunately this is a feature that we don’t support as of now.

  23. Dan says:

    Hi Pablo,

    That’s exactly it!

  24. Dan says:

    Hi Robert,

    The concepts are similar, but you have to do some coding since getting the credentials is a little different and you have to refresh the cookie (that you use to make calls on behalf of the user) every once in a while.

    On the Developer Network Page there is some PHP Quickstart code which is really useful to get started.

  25. Dan says:

    Hi Bazily,

    You don’t need to provide the yahooid to make calls to Photos but you have the option to do it. If you don’t provide it, it will default to the user that you are acting on behalf of. If you provide it, the calls return the images that the user who signed in has permission to see.

    The data applications have access to is limited to only what the user agrees to. For Photos it’s the images in the account. Personal data like zip does NOT get shared.

  26. [...] One of the big announcements was BBAuth, or browser based authentication, that will allow developers to build third party apps that access Yahoo data. This is a single sign-on product, though unlike Microsoft Passport, it can work with other sign-on solutions. (This is something which eBay should have done, but well, never did, forgetting that eBay’s value is in its authentication system.) [...]

  27. Dan C says:

    I’m assuming the plan is to incorporate methods for getting some of the users info from Yahoo? While I see the cool factor that comes from ‘outsourcing’ your authentication from Yahoo, is this really a good thing? How are you supposed to contact your users if you don’t know anything about them? I want to make signing in as painless as possible, but if I can’t get in contact with my users what benefit do I have in using BBAuth?

  28. Dan says:

    Hey Dan,

    I take that as a feature request :)

  29. [...] Browser-based authentication, or BBAuth: This is big. As Dave says, “If it’s easy to program, and delivers on what it says it does, this is a huge deal.” Agree or disagree with Dave, you have to listen. (see the YDN blog post and Dan Theurer’s post as well. It was Dan’s focus and tenacity that got this thing out. Thanks Dan!) [...]

  30. [...] Launch announcement for Yahoo BBAuth Launch announcement for BBAuth, Yahoo’s Browser Based Authentication service. Allows users to sign into your web app using their Yahoo account. (tags: authentication yahoo webdev) [...]

  31. Lloyd D Budd says:

    It would have been excellent if out of the gate you had implemented OpenID API. I look forward to being able to really get excited about BBAuth.

  32. [...] Dan Theurer: Launching the Un-Launch-Able More on the Yahoo! BBAuth from one of the developers. [...]

  33. IT Blogwatch says:

    Yahoo! Hack! Day! results! (and bad album art)…

    Oy-yez! It’s IT Blogwatch, in which Yahoo! holds a Hack Day. Not to mention the museum of bad album covers……

  34. [...] Opening up your innovation pipeline is difficult, and in particular for large corporations. Dan Theurer, Yahoo Technical Evangelist mentions: In a big company like Yahoo!, you need to get input / approval from quite some folks if you want to do something out of the box and open up the company. All that makes sense and is justifiable but sometimes I wish it would have been faster. On the other side, I learned a lot about the company I work for, how big companies work in general, egos, friends and allies and most importantly how you get stuff done that is obviously not on everyone’s “need this today” list. [...]

  35. Raghu S says:

    Dan T,

    I’ll echo Dan C. At the very minimum you should allow me to get the user’s name/e-mail. I know email brings up spam concerns: I should at least be able to mail them through Yahoo – sort of user_hash@bbauthmail.yahoo.com gets into their Y! inbox – roughly like craigslist’s anonymous email perhaps? I hope I am making sense.

    But yes, most definitely a feature request.

    Thanks,

    Raghu

  36. Daniel says:

    Seriously ; this should have been an openID api to yahoo users. I can see how a single sign on is good; but sites further want/need to know not just that they have a unique user, but also the name, address, age, email, etc. Users don’t want to reenter that info, which is why openID allows them to go to their trusted openID host and either permit or deny a 3rd party to know various personal details about them.

  37. [...] BBAuth fixes that problem when it comes to accessing data locked up at Yahoo. Using the tools Yahoo provides, non-Yahoo applications can request a user to sign in to Yahoo and give permission for Yahoo user data to be sent to the non-Yahoo application. Yahoo’er Dan Theurer explains how it works in more detail, and points to two test applications he created. The first shows how it can be used to allow sign in via Yahoo credentials, and the second shows how you can access Yahoo photos data outside of Yahoo. [...]

  38. Actually, it’s almost identical to Passport — with some minor tweaks. It’s a redirect/cookie based auth delegation, which requires users to have an account with Yahoo! to log in to the webmaster’s site (using the SSO flow). This is a great way for Yahoo! to get webmasters to drive more user registrations for Yahoo!

    Some of the other comparisons to Passport are also inaccurate, but it’s a moot point. AFAIK, Passport is not being offered to sites as an SSO mechanism, and hasn’t been for some time. We rolled back Passport so that PUIDs are just used to integrate with other MSFT services (just as you use BBAuth userhashes to interact with other Y! services). As some of your commenters here indicate, people don’t necessarily want to use a vendor-specific ID scheme to primary key their own user data stores. A more reasonable key would be some vendor-neutral ID scheme with IDs that can be minted from any authority and still give consistent user experience. That is, I would rather wait until/if Y! emits WS-Trust certificates, and then my users can log in to my site using Y! credentials *or* MSN credentials; with no need for me to change my backend key scheme.

  39. [...] The news that seemed to get overlooked by the amazingness that became Hack Day was the release of a login API, BBAuth, or Browser-based Authentication. This new service allows any web site or web application to identify a user who has a Yahoo! ID with the user’s consent. Dan Theurer explains it on his blog: …instead of creating your own sign-up flow, which requires users to pick yet another username and password, you can let them sign in with their existing Yahoo! account. [...]

  40. [...] Im really bummed I couldn’t make it to the Yahoo coming out party for BB Auth and the new slew of Open APIs. Though it wasn’t announced – open APIs for MyYahoo will be the creme of the pudding, the cat’s meow, the straw that broke the camel’s back on ‘the rest of them’. [...]

  41. [...] Photo hack job: If you haven’t already heard, Yahoo! Photos Web Services API has opened its doors through BBAuth. In English, that means third-party developers can create cool Yahoo! Photos applications that users can access with their regular Yahoo! ID — no need to create yet another username and password. Here’s a screencast. Craving open access to more Yahoo! products and services? Stay tuned… [...]

  42. [...] BBAuth fixes that problem when it comes to accessing data locked up at Yahoo. Using the tools Yahoo provides, non-Yahoo applications can request a user to sign in to Yahoo and give permission for Yahoo user data to be sent to the non-Yahoo application. Yahoo’er Dan Theurer explains how it works in more detail, and points to two test applications he created. The first shows how it can be used to allow sign in via Yahoo credentials, and the second shows how you can access Yahoo photos data outside of Yahoo. [...]
