ImperialViolet

Yahoo now has OpenID for ... (18 Mar 2008)

Yahoo now has OpenID for all its accounts, which is great. Wonderful in fact. OpenID is a good thing for many authentication needs on the Internet and will make the world a better place.

However,...

  • SHA256 isn't supported, only SHA1. It's true that the standard doesn't require it, but this still gets you lots of crapness points.
  • The return_to is filtered. Probably someone here had good intentions, but I can redirect a browser to any URL, so filtering the return_to is pointless and overly restrictive. Specifically, it appears that:
    • You can't have a port number in the host
    • You can't have an IP address for a host
    • You can't have a single element hostname (like localhost)
    So, more crapness points for Yahoo.
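
The three return_to restrictions listed above, modelled as a pre-flight check a relying-party developer could run on a return_to URL before sending it. This is an added example, not code from the original post and not Yahoo's filter; the function name, labels and sample URLs are assumptions, and the rules are only the ones the post says it "appears" to enforce.

```python
# Added example: models the three return_to restrictions observed in the post.
# Not Yahoo's code; rule labels and sample URLs are constructed for illustration.
import ipaddress
from urllib.parse import urlsplit


def return_to_problems(return_to):
    """Return the observed restrictions that a return_to URL would trip."""
    parts = urlsplit(return_to)
    host = parts.hostname or ""
    problems = []

    # Restriction 1: a port number in the host.
    try:
        if parts.port is not None:
            problems.append("port")
    except ValueError:
        problems.append("port")  # non-numeric or out-of-range port

    # Restriction 2: an IP address (IPv4 or bracketed IPv6) as the host.
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        problems.append("ip-address")

    # Restriction 3: a single-element hostname such as "localhost".
    if host and not is_ip and "." not in host.rstrip("."):
        problems.append("single-label")

    return problems


if __name__ == "__main__":
    # Constructed sample URLs covering a typical development setup.
    for url in (
        "https://rp.example.com/openid/return",
        "https://rp.example.com:8443/openid/return",
        "http://localhost:8000/openid/return",
        "http://127.0.0.1/openid/return",
        "http://[::1]:8080/openid/return",
    ):
        print(url, "->", return_to_problems(url) or "ok")
```

Every local-development URL in the sample set trips at least one rule, which is the practical cost of the filtering the post complains about.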