Yahoo OAuth2/OpenID Connect

Posted 2019-07-30 10:48

Question:

I implemented an OpenID Connect social login on top of OAuth2 for a few IdPs, but I fail to get Yahoo to behave the way it should.

My problem: each time I send an authentication request, Yahoo prompts the end-user for consent. While this is normal at first login, once permission is granted it should not ask the same question over and over.

On https://developer.yahoo.com/oauth2/guide/ Yahoo prompts the user in step 3, when in reality it is done in step 1. While it is logical that Yahoo prompts the user at the first call of https://api.login.yahoo.com/oauth2/request_auth, it should not prompt for the same consent on every other call.

The remaining part of Yahoo OAuth2 works fine. I get everything I need and, while Yahoo is not OpenID Connect compliant, it nevertheless provides the user's unique ID with the access_token. This allows me to manage federation and saves a call to the profile API.

My question: Yahoo's documentation does not specify any "scope" when requesting the access_token. The documentation does not give any "query" attributes that would allow a seamless login when consent is already in place. But I'm probably messing up somewhere, because it should exist!!!

Question: has someone succeeded in using Yahoo OAuth2 and avoided the consent prompt at each login?

My demo is visible at: http://oidconnect.breizhme.net/demo/openidconnect/home; it is written in PHP on top of Laravel 5. I would be pleased to fix this Yahoo error before pushing my code to GitHub.

Answer 1:

Short answer: if you want to use Yahoo as a source for user authentication, you'll need to talk OpenID 2.0 to it.

Long answer: I believe you're conflating SSO and Authorization. OpenID Connect is indeed an SSO protocol built on top of OAuth 2.0. OAuth 2.0 on its own is for delegation of API access.

For clients (not users) accessing its APIs (Authorization), Yahoo supports OAuth 2.0. Clients that need to access Yahoo's APIs on behalf of Yahoo's users can obtain access tokens by using the OAuth 2.0 Authorization Code grant, which implies that Yahoo's users log in to consent. In addition to the access token, the client also gets a refresh token in that flow. It can use the refresh token to get a new access token when the current one expires. As you see, the refresh token allows us not to bother the Yahoo user again when the client needs a new access token.

The previous paragraph shows how accessing Yahoo's APIs is done using OAuth 2.0.

Yahoo does not support OpenID Connect for Authentication (SSO) of users to 3rd-party websites, it only supports OpenID 2.0 for that purpose. So if you want to use Yahoo as an authentication/SSO provider you need to use OpenID 2.0 since Yahoo is an OpenID 2.0 provider.

What you're running into is a situation where you're trying to use the OAuth 2.0 protocol as a user authentication protocol (or: an OAuth 2.0 provider as an authentication provider). That may have serious complications, see http://oauth.net/articles/authentication/

FWIW: Yahoo is not an OpenID Connect provider (yet).
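The refresh-token behaviour the answer describes, as an added example (not code from the question, the answer, or Yahoo). It is a minimal OAuth 2.0 authorization-code client in Python standard library only: the first time a user appears there is no token on file, so the client builds the request_auth URL (the one endpoint the question names) and the user is sent to consent; afterwards the client keeps the refresh token and silently obtains a new access token from the token endpoint, so the consent screen is never shown again unless the grant is revoked. The token endpoint URL, the use of HTTP Basic client authentication, and the inclusion of redirect_uri in the refresh request are assumptions modelled on the structure of Yahoo's guide and should be checked against the current documentation; the `post` parameter exists so the exchange can be exercised offline. Note that this gets you API access without re-prompting, which is exactly what the answer says OAuth 2.0 is for; it still does not turn the access token into a proof of who the user is.

```python
"""Authorization-code client that reuses a stored refresh token.

Added example; endpoint paths and the client-auth style are assumptions
modelled on Yahoo's OAuth 2.0 guide, not confirmed by the page.
"""
import base64
import json
import secrets
import time
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://api.login.yahoo.com/oauth2/request_auth"  # named in the question
TOKEN_URL = "https://api.login.yahoo.com/oauth2/get_token"         # assumption


class ConsentRequired(Exception):
    """No usable token for this user: redirect them to the URL in the message."""


def new_state():
    # Unguessable per-login value; the callback must compare it before using 'code'.
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state):
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "state": state}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def _basic_auth(client_id, client_secret):
    # Assumption: client credentials go in an HTTP Basic header, not the form body.
    raw = f"{client_id}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode(),
            "Content-Type": "application/x-www-form-urlencoded"}


def _urllib_post(url, form, headers):
    # Real transport; replaced by a fake in offline tests.
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def exchange_code(client_id, client_secret, code, redirect_uri, post=_urllib_post):
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    return post(TOKEN_URL, form, _basic_auth(client_id, client_secret))


def refresh_access_token(client_id, client_secret, refresh_token, redirect_uri, post=_urllib_post):
    # Assumption: the provider wants redirect_uri echoed on refresh as well.
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "redirect_uri": redirect_uri}
    return post(TOKEN_URL, form, _basic_auth(client_id, client_secret))


class TokenStore:
    """Per-user token record. In production: encrypted at rest, never logged."""

    def __init__(self):
        self._records = {}

    def get(self, user_key):
        return self._records.get(user_key)

    def save(self, user_key, token_response, now):
        old = self._records.get(user_key) or {}
        rec = {
            "access_token": token_response["access_token"],
            "expires_at": now + int(token_response.get("expires_in", 0)),
            # Keep the previous refresh token when the server does not rotate it.
            "refresh_token": token_response.get("refresh_token") or old.get("refresh_token"),
        }
        self._records[user_key] = rec
        return rec


def get_access_token(store, user_key, client_id, client_secret, redirect_uri,
                     post=_urllib_post, now=None, skew=60):
    """Return a valid access token, refreshing silently when one is on file.

    ConsentRequired is raised only when there is no refresh token at all
    (first visit, or grant revoked); that is the only case in which sending
    the user back through request_auth is appropriate.
    """
    now = time.time() if now is None else now
    rec = store.get(user_key)
    if rec and rec["expires_at"] - skew > now:
        return rec["access_token"]
    if rec and rec.get("refresh_token"):
        resp = refresh_access_token(client_id, client_secret, rec["refresh_token"],
                                    redirect_uri, post)
        return store.save(user_key, resp, now)["access_token"]
    raise ConsentRequired(build_authorize_url(client_id, redirect_uri, new_state()))
```

In the web app, `ConsentRequired` maps to a redirect and the `state` value is saved in the session so the callback can reject a code that was not requested by this browser; `exchange_code` runs once in the callback, `store.save` records the result, and every later login goes through `get_access_token` without touching request_auth.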