Yahoo! BBAuth for blog comment authentication

In case you missed it, Yahoo! has released Yahoo! Browser-Based Authentication (BBAuth) for the world to use. For web properties that integrate it, it provides a Single Sign-On (SSO) facility, so you can log into other sites (like this blog) using your existing Yahoo! username instead of creating a new account here.

I’ve gone ahead and spent the hour to integrate it into my blog comments system, so now you can authenticate using your Yahoo! ID and leave comments here.

One caveat for early integrators: Yahoo! BBAuth expects the “sig” signature to be all lowercase. If your MD5 function returns the hash as an uppercase hexadecimal value, Yahoo! BBAuth will complain in a non-obvious way. I discovered this through a bit of trial and error–mostly error, and head-scratching. I eventually squashed my MD5 hash to lowercase and everything worked great.

Here’s just another attempt on my part to lower the bar to make it easier for everyone to leave comments. :-)
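The lowercase "sig" caveat above, as an added example that is not code from the original post or from Yahoo!. It assumes the signature is the MD5 hex digest of the relative URL followed by the shared secret; the post does not spell out the signing recipe, and the path, appid, timestamp and secret below are constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample values (assumptions, not taken from the post).
LOGIN_PATH = "/WSLogin/V1/wslogin"
PARAMS = {"appid": "EXAMPLE_APPID", "ts": 1160000000}
SECRET = "constructed-shared-secret"


def sign_request(path, params, secret):
    """Return the relative URL with a lowercase-hex 'sig' appended.

    Assumed recipe: sig = MD5(path + '?' + query + secret).
    """
    base = f"{path}?{urlencode(params)}"
    # hashlib's hexdigest() is always lowercase; other MD5 libraries may not be.
    digest = hashlib.md5((base + secret).encode("utf-8")).hexdigest()
    return f"{base}&sig={digest}"


def normalize_sig(raw_hex):
    """Lowercase a digest from a library that emits uppercase hex."""
    sig = raw_hex.strip().lower()
    if len(sig) != 32 or any(c not in "0123456789abcdef" for c in sig):
        raise ValueError("not a 32-character hex MD5 digest")
    return sig


def strict_verify(signed_url, secret):
    """Model of a case-sensitive verifier: recompute, compare byte for byte."""
    base, sep, sig = signed_url.rpartition("&sig=")
    if not sep:
        return False
    expected = hashlib.md5((base + secret).encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected.encode("ascii"), sig.encode("utf-8"))


if __name__ == "__main__":
    good = sign_request(LOGIN_PATH, PARAMS, SECRET)
    base, _, sig = good.rpartition("&sig=")
    bad = f"{base}&sig={sig.upper()}"  # what an uppercase-emitting MD5 would send
    print("lowercase sig accepted:", strict_verify(good, SECRET))
    print("uppercase sig accepted:", strict_verify(bad, SECRET))
    print("after normalize_sig:   ",
          strict_verify(f"{base}&sig={normalize_sig(sig.upper())}", SECRET))
```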



  1. Weird… It says I’m logged in as yahoo_.g213gjjsdkj, or some such, but I still filled out my name & email as well as a captcha. I haven’t had a chance to read up on the BBAuth service, but what benefit does authenticating here give?

  2. l.m.orchard: There’s really little benefit for you … it’s mostly a benefit for me, trying to defeat spammers. Unauthenticated comments here are held for moderation, but if you authenticate, they get posted right away. This doesn’t “stop” spammers, but at least gives me some limited ability to ban them.

    Maybe there’s some way for me to make authenticating here slightly more useful: enable folks to subscribe to email notifications for entries where they’ve commented, etc. But, I don’t think I have enough readership yet to make that worth it.

    Any suggestions?

  3. Nice — this is linked from Jeremy Zawodny’s linkblog. Expect more traffic.

  4. Joe: yeah, I’m seeing a lot of folks are finding this blog entry through Jeremy’s linkblog and a few other sites that have linked to me. (Thanks for the link-love, everyone.)

    What I’m really surprised about is that more people haven’t tried logging in using the BBAuth and leaving a comment here, just to see how it all works.

  5. Glen Brydon says

    Okay Dossy,
    I’ve taken the bait and logged in with my Yahoo ID.

    I’m trying to link to you via Linked In. I’ve noticed a lot of my former colleagues are doing this and I kind of find it interesting to see who I can connect to in this way.


  6. Hi, Glen … looks like it worked for you! Cool.

    re: LinkedIn … sure, go ahead and send me an invite to connect.

  7. Let’s see if this BBAuth works. It sure appears to. Should I still have to fill out the letters to prevent spam?? Doesn’t the authentication through BBAuth mitigate or eliminate the risk of spammers?

  8. Julio: Not really, no. The CAPTCHA still prevents a spammer from signing up one Y! ID and using it to mechanically leave hundreds of comments on my blog.

    Authentication vs. authorization, I guess. The upside of folks using their Y! IDs to authenticate is so that I can de-authorize them from leaving comments, if they turn out to be a spammer.

  9. says


  10. Lisa: What were you testing?

  11. Nice work man,

  12. Ah, this reminds me … I need to point out that my blog uses Gravatars (those little image icons on the right-hand side of people’s comments), too. It’s interesting to see who does and doesn’t have one set up for themselves.

  13. Cool BBauth and gravatar integration. We’re looking to add bbauth to our site as well.

  14. Justin: Menuism looks cool. Good luck with that! (Is it another “did it ourselves in RoR” site?)
