jrgm/gist:5200281

## gistfile1.diff
diff --git a/server/lib/passport_yahoo.js b/server/lib/passport_yahoo.js
index 2b4d7fb..9cac18c 100644
--- a/server/lib/passport_yahoo.js
+++ b/server/lib/passport_yahoo.js
@@ -71,7 +71,15 @@ exports.views = function(app) {
               session.clearBidUrl(req);

               session.setCurrentUser(req, email);
-              res.redirect(redirect_url);
+              if (config.get('env') === 'production') {
+                // In production, we run as 'http:'. But when we return this
+                // redirect to the client, we must declare it as 'https:'.
+                var full_url = util.format("https://%s%s",
+                                           config.get('issuer'), redirect_url);
+                res.redirect(full_url);
+              } else {
+                res.redirect(redirect_url);
+              }
               statsd.timing(metric, new Date() - start);
               return;
             }
	diff --git a/server/lib/passport_yahoo.js b/server/lib/passport_yahoo.js
	index 2b4d7fb..9cac18c 100644
	--- a/server/lib/passport_yahoo.js
	+++ b/server/lib/passport_yahoo.js
	@@ -71,7 +71,15 @@ exports.views = function(app) {
	session.clearBidUrl(req);

	session.setCurrentUser(req, email);
	- res.redirect(redirect_url);
	+ if (config.get('env') === 'production') {
	+ // In production, we run as 'http:'. But when we return this
	+ // redirect to the client, we must declare it as 'https:'.
	+ var full_url = util.format("https://%s%s",
	+ config.get('issuer'), redirect_url);
	+ res.redirect(full_url);
	+ } else {
	+ res.redirect(redirect_url);
	+ }
	statsd.timing(metric, new Date() - start);
	return;
	}