
AOL OpenAuth

Public Journal
This blog is about AOL's Open Authentication (OpenAuth) APIs. This blog will be used as a medium to keep the OpenAuth consumers/developers up to date on changes/new features added to the OpenAuth APIs.
   
Tuesday, August 14, 2007

AOL & OpenID - Status Update

It's been a long time since we started saying we are going to support 3rd party OpenID logins into AOL Web Properties. I am sure everyone is wondering what's going on (apart from a few who might have accidentally seen the OpenID login tab on the AOL Account Management Site :-) ). So here is the scoop. We did finish the infrastructure work on the AOL login side required to let 3rd party OpenID users log in to AOL, but being a pretty big company, we are struggling to get our Product teams to support it. They are, as usual, so busy implementing cool new features and functionality in their products that they haven't yet experimented with OpenID support via OpenAuth and the internal AOL Authentication System (called Screen Name Service). Since the AOL Account Management site is something in our control, we went ahead and added OpenID support to it - even though users cannot really do anything in there apart from changing their profile information.


We currently support OpenIDs from the following OpenID providers:
  1. myopenid.com
  2. claimid.com
  3. livejournal.com
  4. verisignlabs.com
  5. myvauthid.com
  6. openid.sun.com
  7. myvidoop.com

We are open to accepting OpenIDs from other providers too - so please contact us via the AOL Developer Site with your information.
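
One way a relying party could enforce a provider list like the one above, added here as an example (it is not AOL's code). The function name `provider_for`, the choice to accept subdomains of a listed domain, and the sample URLs are assumptions; the post does not say how AOL matches providers.

```python
import re
from urllib.parse import urlsplit

# Provider domains copied from the list in the post above.
ALLOWED_PROVIDERS = frozenset({
    "myopenid.com", "claimid.com", "livejournal.com", "verisignlabs.com",
    "myvauthid.com", "openid.sun.com", "myvidoop.com",
})
_HOST_RE = re.compile(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?")


def provider_for(url, allowed=ALLOWED_PROVIDERS):
    """Return the allow-listed domain `url` belongs to, or None.

    Assumptions (not from the post): `url` is the OpenID identifier or
    provider endpoint the relying party is about to trust, and per-user
    subdomains of a listed domain (user.livejournal.com) are accepted.
    """
    # Backslashes, spaces and control characters are parsed differently by
    # different URL libraries and browsers, so refuse them outright.
    if any(c <= " " or c in "\\\x7f" for c in url):
        return None
    try:
        parts = urlsplit(url)
        host = parts.hostname   # lower-cased, userinfo and port removed
        parts.port              # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    host = host.rstrip(".")     # "myopenid.com." names the same host
    if not _HOST_RE.fullmatch(host):
        return None
    for domain in allowed:
        # Exact match, or a suffix match anchored on a label boundary so
        # that "evilmyopenid.com" does not pass as "myopenid.com".
        if host == domain or host.endswith("." + domain):
            return domain
    return None


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the post.
    for u in ("http://alice.myopenid.com/", "https://claimid.com/alice",
              "http://evilmyopenid.com/", "http://myopenid.com@evil.example/"):
        print(u, "->", provider_for(u))
```

The check only decides which URLs are eligible; the OpenID assertion itself still has to be verified with the provider before the user is treated as logged in.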

There has been no change to the AOL OpenIDs; all AOL/AIM users can still use their AOL ScreenNames as their OpenID (http://openid.aol.com/<screenname>).

We will soon update the OpenAuth documentation with some new changes. Here is a quick list of some of them (already implemented and deployed on our production servers):

  • You can request that the OpenAuth login page show the AOL, ICQ and OpenID login forms as required (any one of them, a combination of them, or all)
  • New mini version of the Login page that fits on mobile browsers
    • The OpenAuth Login page is now iPhone compatible too!
  • OpenID Relying Party support, so Web-Apps integrating with OpenAuth do not need to worry about implementing multiple protocols.

We will let you know as soon as we have an AOL Service that starts accepting 3rd Party OpenIDs - well, apart from ficlets.com and circavie.com, which already support OpenIDs but without using OpenAuth.

- Praveen


openauth at 5:40:44 PM EDT

Saturday, July 7, 2007

Instant Messaging for iPhone w/ OpenAuth & WebAIM

It's great to see James Burke (an AOL employee and open source dojo library contributor) building an AIM client for iPhone using OpenAuth and WebAIM.
More here in his blog.

One piece of good news for him and the future TinyBuddy users is that we are building "mini" versions of the OpenAuth SignIn and Consent pages. So very soon it will be more user friendly.

- Praveen


openauth at 8:45:47 AM EDT

Thursday, June 28, 2007

Why OpenAuth ?

During the Catalyst conference some people asked me why we implemented OpenAuth when we want to use open standards. It was a great question, which I think I should have clarified in my session. Anyway, the answer is very simple and straightforward.
  •  OpenID doesn't support all the use cases we need to support as per our business needs (mainly service-level fine-grained consent management, Service Invocation and, last but not least, being more AJAX friendly than OpenID)
  •  SAML/Liberty is too complex to implement for simple Web 2.0 web-apps, which are mostly built using simple scripting languages like JavaScript or using new languages like Ruby for which there are no production quality SAML packages yet. And of course we all know that SAML is too heavy for low value web transactions. That said, I would like to point out that we do use SAML for high value transactions between AOL and trusted Partners that are in a business relationship with us.
  •  CardSpace is still in its very early stages. It's a completely new visual paradigm and it would take users some time before they understand how it works and use it. Also, it currently depends on the specific Windows .NET framework and the new Vista. Support for other platforms (OSIS project) is still in the very early stages too. Also, even when CardSpace is widely deployed and supported, the existing model of invoking the CardSpace selector for each and every app/site is not a good idea in terms of user experience. So we would still have to maintain some SSO protocol on our end to achieve seamless single sign-ons.

Our goal with OpenAuth is to show what we (I am very sure most of the other Identity Providers too) need (use-cases) in the Web 2.0 world and a way of solving them. We would be more than happy to work with (in fact we already are) the web communities and tech groups to extend the existing Open protocols to support these use cases. George Fletcher also presented some of these use cases at the Concordia Project Workshop in the Catalyst conference earlier this week.

- Praveen


openauth at 1:24:06 PM EDT

Wednesday, June 27, 2007

directLogin Vs login in OpenAuth

Several people have asked which OpenAuth method they should use to authenticate AOL/AIM users into their web apps/sites. So I thought it would be good if I clarified it here. We will see how we can improve our documentation so it's clearer about when to use the directLogin vs the login method.

The directLogin method was mainly designed for trusted applications (mainly desktop clients rather than web sites). When I say trusted, I mean in some business relationship with AOL and, of course, only when it makes sense (both technically and user experience wise) to allow them to collect AOL/AIM users' login credentials (SN/Pwd). As you all know, it's not a good practice to educate users to enter their credentials in any client or web site, otherwise it makes it very easy for the black hats to phish users. So before you request access to the directLogin method, please think about what your use-cases are.

The login method was designed for web sites/apps and it also gets you the same authentication token as directLogin that can be used to invoke other AOL services. Most of the web sites/apps can just use our login method (via browser redirect) to send the users to the OpenAuth login page to authenticate and get an authentication token back from OpenAuth. In this way, the users would always be asked to enter their login credentials from the same place (url) and page (ui), which helps them detect phishing sites asking for their login credentials.

So before you send us the request for access to directLogin, please think about your use-cases, and whether it makes sense to ask the user to enter their AOL/AIM credentials on your site or not. If you think it's the right way to go, please include your analysis and use-cases in your request email so we can quickly understand what you are trying to do and take the necessary steps to provision your devId accordingly.

- Praveen


openauth at 3:14:17 PM EDT

Wednesday, June 20, 2007

Burton Group Catalyst Conference - June 25-29 SFO

George Fletcher and I will be at the Burton Group Catalyst Conference next week. It's a great conference to attend if you are interested in Digital Identity. Even though the conference is all about enterprise technologies - Identity is still one of the most important aspects of the conference. I will be talking about "Open Identity at AOL" on the 27th (Wed) at 3:10 PM. My session will be about how and why AOL is adopting Open Identity protocols and standards like OpenID, CardSpace, and SAML - the lessons we learned, the challenges faced and the open issues still to be solved. George will be representing AOL in a Panel discussion on "Protocol Preferences Aside: How's All This Stuff Going to Work Together?". George will also be attending the "Concordia Project Workshop", talking about the kind of use cases we are trying to solve and would like to see solved by the new Open Identity Protocols, and the interoperability between them.

If you are going to be at the conference next week, and want to talk about anything (even to say 'hi' :-)), we would be more than happy.

- Praveen

openauth at 11:18:08 PM EDT

Monday, June 18, 2007

OpenAuth Update - June 2007

[cross post from dev.aol.com]

It's been a while since we spoke about how things are going on the OpenAuth side. So let me get you all up to speed. :-)

We have got very good feedback from several people. We are happy to see people not only using our APIs, but also building open source toolkits & modules. We have updated the Ruby on Rails sample code on the OpenAuth site (many thanks to Tony). There is a new Perl module written by Tatsuhiko Miyagawa to use our APIs to authenticate users into Perl-based web applications. John Panzer proposed a way to incorporate OpenAuth into the Atom Publishing Protocol, which I think is being implemented by the AOL Journals team (need to confirm but I am sure John played around with it while he was still working for AOL) and was also implemented by a 3rd party developer as a proof of concept in his application (unfortunately I can't find more details now but will try to find out and update soon).

At the last IIW, Srinivas from my team led discussions around the Token Exchange extension to OpenID (George's blog entry) and OpenAuth in general, which led to several discussions around
  • how to bridge the Web Apps/Sites and Open Services worlds when using OpenID,
  • the need to have a simple and open user consent model, and
  • how to solve Identity, Authentication and Authorization for simple Web 2.0 applications, all under the user's control.

We will be implementing our Token Exchange extension proposal as part of our next phase and will publish the document soon.

Coming to what we are working on currently, we have been quite busy implementing OpenID Relying Party (Consumer) support as part of our OpenAuth Servers. The idea is to get the infrastructure updated to support 3rd party Identities at AOL, which I usually call "Simple and Open" Federated accounts. Once this is in place, anyone (including AOL properties and 3rd party web apps) using OpenAuth could benefit from making their web applications accessible not just to AOL/AIM/ICQ users, but also to all OpenID users (that we can reliably verify) out there.

Also, as you might have heard, we now also support Verisign's Seatbelt plugin for Firefox (an IE version is underway) that helps in protecting OpenID users from phishing attacks. As per the Verisign team, the Seatbelt plugin will be pushed to the Firefox extensions site soon and will be available for anyone to download and install in their Firefox browsers.

Well, we will keep you posted about our progress. Meanwhile, please do send us your feedback and also any new features/functionality that you would like to see supported in our OpenAuth API.

- Praveen


openauth at 8:33:26 PM EDT

Thursday, April 26, 2007

XTech 2007, Paris

I will be talking about user-centric identity and how AOL adapted (well, an ongoing process I should say) new protocols to open up the AOL Authentication Service to the rest of the world. The session, titled "Mashing Up with User-Centric Identity", will be on Thursday, May 17 at 17:45 hrs. Here is what the session is all about:

"In a Web 2.0 world, users combine services from many providers. Having a common identity across providers eliminates a barrier to entry and adopting a user-centric identity system puts the user in control of how their information is combined. This session is about the opportunities and issues involved specifically with adopting open protocols, the solutions they provide, and open issues that remain to be solved. These include user experience, permission management, and mashup API authentication and how AOL's new Open Authentication (OpenAuth) API addresses them."

- Praveen

openauth at 10:02:26 AM EDT

Thursday, April 19, 2007

Web2.0 Expo

Well, as most of you already know, John Panzer and I did a session on "Mashing up with user centric identity" yesterday (4/18) at the Web 2.0 Expo at Moscone West, San Francisco. You can download our presentation deck from the AOL Developer Network website.

- Praveen


openauth at 8:18:15 AM EDT

Monday, April 16, 2007

AOL Launches Open Authentication (OpenAuth) Service



After many months of work, we've finally posted the documentation for AOL's Open Authentication APIs at dev.aol.com/openauth! This is an exciting day for the authentication development team, but even more exciting for us as a company because it further proves the company's commitment to open protocols.

On the development front we're very proud of the new APIs and the interesting applications they make possible. Yes, there are other "open" APIs out there. But we think we've got an innovative approach that isn't matched elsewhere. With AOL Open Authentication, a user can be authenticated and an authentication token returned to a site or AJAX application. What's interesting is that the application can then interact with other AOL services on behalf of the user. If the user hasn't given permission (granted consent) to that 3rd party, an exception is returned and a URL can be loaded that prompts the user for said consent.

We'll probably get some questions about why we invented another proprietary, albeit open, authentication protocol, especially since we recently announced support for OpenID. Does AOL Open Authentication mean we're not committed to OpenID? The answer to that is an emphatic No! It does NOT mean we're backing off from our OpenID position. In fact, our goal is to use open protocols whenever possible, and being fans of OpenID that's our preference. But OpenID does not currently support the breadth of use cases we must support, particularly service invocation or consent management. That said, we are working on a prototype extension to OpenID intended to cover some of those additional use cases.

On the company front, we're very happy because we think these APIs, and others in the pipeline, cement AOL's commitment to being "open" and providing APIs for different services. The internal buzz we hear from our developer kin in other groups about providing APIs to different services and AOL's growing involvement with developer communities is starting to give us some great momentum, as we continue to build on our new strategy. And that's great news to us.


- OpenAuth Team




openauth at 10:19:11 AM EDT