PHP Classes

yahoo oauth does not give email, requires openid?

Subject: yahoo oauth does not give email,...
Summary: yahoo oauth profile does not contain email addr, openid needed?
Messages: 5
Author: sootsnoot
Date: 2015-04-30 19:32:02

  1. yahoo oauth does not give email,...
sootsnoot - 2015-04-30 19:32:02
Previously, I had login with Yahoo implemented on their OpenID provider support, using the lightopenid package. That method still works to some extent, returning the yahoo user's full name and email address. But the value of the 'identity' field returned is no longer a unique identifier, it is just this: 'https://open.login.yahooapis.com/openid20/user_profile/xrds'

So I switched Yahoo to using this Oauth package. Yahoo has a certain amount of confusing information about using OpenId and Oauth combined, but I just tried this package, which only does Oauth (very nicely). Based on your yahoo example code, I called:
// YQL call from the package's Yahoo example: CallAPI returns true on success
// and stores the decoded JSON response in $user.
$success = $client->CallAPI(
    'https://query.yahooapis.com/v1/yql',
    'GET',
    array(
        'q'      => 'select * from social.profile where guid=me',
        'format' => 'json'
    ),
    array('FailOnAccessError' => true),
    $user);

The returned $user object contains a single member object named 'query', with members 'count', 'created', 'lang' and 'results'. The 'results' member contains a single object named 'profile', and that 'profile' object contains the piece missing from OpenID: 'guid', which is a unique identifier for the user profile.

However, it does not contain the email address (and it contains only the 'nickname', not the full name as OpenID does). So in order to get both a unique identifier and an email address (which are needed to construct entries in my site's user table), I would need to perform both OpenID and Oauth authentication and authorization with Yahoo. Perhaps this is why they describe their extension that combines OpenID and Oauth together, but I don't know of any library package that supports such a thing, and I refuse to use their javascript buttons which do both more than I need and less than I need - all my other 3rd-party login support is done entirely server-side.

I am just wondering if you have any ideas on how to obtain the email address through Oauth (I couldn't find anything to do it in their APIs), if you might be considering implementing the "combined" OpenID/Oauth protocol, or if you have any suggestions for what else I might do server-side. Right now, I think my choices are:

1. Drop login with Yahoo support
2. Just use Oauth, and require the user to manually enter an email address (twitter never provides email, so I have code to do that).
3. Do both OpenID through lightopenid and Oauth through this package, and combine the results
4. Try to write my own code to do the combined protocol Yahoo suggests. Having spent some time with both this package and lightopenid, that seems like a whole lot of high-risk work.

BTW, I initially encountered a problem using this package for Yahoo, in that I always got a 401 return code. Turned out the problem was that I hadn't requested any specific API permissions on their Oauth app management page, and they don't use a 'scope' parameter, permissions are built into the app key. The result I got from the yql query above was based on just requesting 'Profiles'->'read public' access. I also tried adding 'Contacts'->'read', and 'Mail'->'read' permissions, but they didn't affect the result.

PS
Thanks for the update to use facebook 2.3 dialog!

  2. Re: yahoo oauth does not give email,...
Manuel Lemos - 2015-05-01 02:45:50 - In reply to message 1 from sootsnoot
Yes, AFAIK Yahoo does not provide the email address via OAuth APIs.

The single sign-on login system used by PHP Classes (Icontem Accounts) supports Yahoo via OpenID.

I use OpenID 2 client and server classes that I never published, but I can publish them if it helps you.

The system only supports providers that provide the email address. So Twitter is left out.

The unique identifier that each provider associates with each user is irrelevant. What I do is to always use the email address as the unique identifier.

I doubt that any provider exists that allows multiple accounts to use the same email address, so I think it is safe to use the email address as the key. Therefore I would stick to OpenID.

  3. Re: yahoo oauth does not give email,...
sootsnoot - 2015-05-01 04:51:41 - In reply to message 2 from Manuel Lemos
I really appreciate your candid reply! It helps a lot to get confirmation of behaviors that seem odd, because it's very hard to know whether you're using the services correctly/fully since they all differ in subtle ways from each other, and they're constantly changing!

It seems to me that the problem with using the email address given by an identity provider as the unique identity of a user is that the user can change their email address with that provider. So my site uses the unique "identity string" given by the provider, because AFAIK that string never changes. My site does require a unique email address for each user, and it does default to the email address given by an identity provider if there is one available and that's how they registered with my site. But a user can change their email address on my site, and also change their email address with their provider, without affecting their login to my site through that provider.

Although I haven't yet implemented it, I also intend to allow a given user to login through more than one identity provider (where they might have different email addresses), as well as through an email address and password maintained by my site. The user must first register either with an explicit email/password, or else through one of several identity providers. Once they register, then they can login the same way they registered. And once logged in, then they can add or remove login methods for that account. They can remove their login through email address and password if they want to - I just won't let them remove *all* login methods. And I won't let them login to the same account through different identities from the same identity provider - at most one identity per provider, plus one explicit email/password.

In the case of twitter, I allow them to sign up through twitter without an email address. But upon each login to the site, I check for a missing email address, and keep redirecting to the edit account page to supply an email address until they have supplied an email address that is verified. So I think that's what I'll do with yahoo - use your class to get the GUID to register, and handle lack of an email address the same as for twitter.

I just don't think it's worth the effort to go through both OpenID and Oauth flows for a single signup, especially since it seems likely that OpenID will eventually go away completely given that the specification is no longer maintained.

Thanks again for your great support!

-Rich
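The account model sketched in messages 1 and 3 (a provider's stable identity string as the key, email collected and verified separately, at most one identity per provider, never removing the last login method) as an added PHP example. This is not code from the PHP OAuth Library or from the PHP Classes site; it assumes PHP 8, uses in-memory arrays in place of the site's user and login tables, and the YQL response, class and function names, and identifier values are all constructed for illustration.

```php
<?php
// Added example, not code from the PHP OAuth Library or the PHP Classes site.
// Assumptions: PHP 8, in-memory arrays standing in for the site's user and login
// tables, and a constructed YQL response shaped like the one described above.

// Constructed sample of the social.profile YQL reply: a guid and nickname, no email.
const SAMPLE_YAHOO_YQL = '{"query":{"count":1,"created":"2015-04-30T19:00:00Z","lang":"en-US",'
    . '"results":{"profile":{"guid":"EXAMPLE-GUID-0001","nickname":"rich"}}}}';

// Normalise the decoded reply into a provider identity record keyed on the
// provider's stable identifier (guid), not on an email address.
function yahooIdentityFromYql(object $response): array
{
    $profile = $response->query->results->profile ?? null;
    if (!is_object($profile) || !isset($profile->guid) || !is_string($profile->guid)) {
        throw new RuntimeException('YQL response contains no profile guid');
    }
    return [
        'provider' => 'yahoo',
        'identity' => $profile->guid,
        'name'     => $profile->nickname ?? null,
        'email'    => null,   // Yahoo OAuth does not return one; collected later on the site
    ];
}

// Hypothetical account store implementing the linking rules described above.
class AccountLinker
{
    private array $users  = [];   // user_id => ['email' => ?string, 'email_verified' => bool, 'has_password' => bool]
    private array $logins = [];   // "provider:identity" => user_id
    private int $nextId = 1;

    public function findByIdentity(string $provider, string $identity): ?int
    {
        return $this->logins["$provider:$identity"] ?? null;
    }

    // Register via a provider; the email may be absent at this point.
    public function registerWithProvider(array $idn): int
    {
        if ($this->findByIdentity($idn['provider'], $idn['identity']) !== null) {
            throw new RuntimeException('identity is already registered');
        }
        $id = $this->nextId++;
        $this->users[$id] = ['email' => $idn['email'], 'email_verified' => false, 'has_password' => false];
        $this->logins["{$idn['provider']}:{$idn['identity']}"] = $id;
        return $id;
    }

    // Add a login method to a logged-in account: an identity belongs to one
    // account only, and an account holds at most one identity per provider.
    public function linkProvider(int $userId, array $idn): void
    {
        if ($this->findByIdentity($idn['provider'], $idn['identity']) !== null) {
            throw new RuntimeException('identity is already linked to an account');
        }
        foreach ($this->logins as $key => $uid) {
            if ($uid === $userId && str_starts_with($key, $idn['provider'] . ':')) {
                throw new RuntimeException("account already has a {$idn['provider']} login");
            }
        }
        $this->logins["{$idn['provider']}:{$idn['identity']}"] = $userId;
    }

    // Remove a provider login, refusing to leave the account with no way to log in.
    public function unlinkProvider(int $userId, string $provider): void
    {
        $methods = $this->users[$userId]['has_password'] ? 1 : 0;
        $target = null;
        foreach ($this->logins as $key => $uid) {
            if ($uid !== $userId) {
                continue;
            }
            $methods++;
            if (str_starts_with($key, "$provider:")) {
                $target = $key;
            }
        }
        if ($target === null) {
            throw new RuntimeException("no $provider login on this account");
        }
        if ($methods <= 1) {
            throw new RuntimeException('cannot remove the last login method');
        }
        unset($this->logins[$target]);
    }

    // Email is required and unique per account, but is handled apart from the login key.
    public function setVerifiedEmail(int $userId, string $email): void
    {
        foreach ($this->users as $uid => $u) {
            if ($uid !== $userId && $u['email'] === $email) {
                throw new RuntimeException('email address already belongs to another account');
            }
        }
        $this->users[$userId]['email'] = $email;
        $this->users[$userId]['email_verified'] = true;
    }

    // The site keeps redirecting to the edit-account page while this is true.
    public function needsEmailStep(int $userId): bool
    {
        $u = $this->users[$userId];
        return $u['email'] === null || !$u['email_verified'];
    }
}

// First Yahoo login registers by guid; a repeat login with the same guid finds the account.
$linker = new AccountLinker();
$idn = yahooIdentityFromYql(json_decode(SAMPLE_YAHOO_YQL));
$userId = $linker->findByIdentity($idn['provider'], $idn['identity']) ?? $linker->registerWithProvider($idn);
if ($linker->needsEmailStep($userId)) {
    echo "redirect to the edit-account page until an email address is verified\n";
}
$linker->setVerifiedEmail($userId, 'rich@example.invalid');
$linker->linkProvider($userId, ['provider' => 'twitter', 'identity' => 'EXAMPLE-TWITTER-ID', 'email' => null]);
$linker->unlinkProvider($userId, 'twitter');   // permitted only because the yahoo login remains
```

The lookup key is the provider name plus the provider's identity string, so a user changing their email at Yahoo or on the site does not break their login, while the separate email check still refuses an address already held by another account.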

  4. Re: yahoo oauth does not give email,...
Manuel Lemos - 2015-05-04 01:53:17 - In reply to message 3 from sootsnoot
Yes, you have a point, that may happen.

Anyway, in the case of Yahoo, don't they always return an email address that is of a Yahoo account? In that case, I suppose that won't ever change, right?

  5. Re: yahoo oauth does not give email,...
sootsnoot - 2015-05-04 02:11:10 - In reply to message 4 from Manuel Lemos
I honestly don't know about the email address, because I'm not an active user of yahoo. I only signed up for an account to be able to test signup with yahoo on my site. But it looks like that's the case - signing up for a yahoo account gives you a yahoo.com email address. You can add a different recovery email address in case you lose access to your account and your yahoo email so that there's another email address where they can send account recovery info, but the primary email address associated with the account remains the @yahoo.com you got when you signed up. So the scenario I described shouldn't/couldn't ever happen with yahoo.