AOL OpenAuth

AOL & OpenID - Status Update

Tue, 14 Aug 2007 21:40:44 GMT

It's been a long time since we started saying we are going to support 3rd party OpenID logins into AOL Web Properties. I am sure everyone would be thinking what's going on (apart from a few who might have accidentally seen the OpenID login tab on AOL Account Management Site :-) ). So here is the scoop. We did finish the infrastructure work on the AOL login side, required to support 3rd party OpenID users to login into AOL, but being a pretty big company, we are struggling to get our Product teams to support it. But they are as usual busy implementing cool new features and functionality into their products that they haven't yet experimented with OpenID support yet via OpenAuth and internal AOL Authentication System (called Screen Name Service). Since the AOL Account Management site is something in our control, we went ahead and added OpenID support to it - even though user's cannot really do anything in there apart from changing their profile information.

We currently support OpenIDs from the following OpenID providers:

myopenid.com
claimid.com
livejournal.com
verisignlabs.com
myvauthid.com
openid.sun.com
myvidoop.com

We are open to accept OpenIDs from other providers too - so please contact us via AOL Developer Site with your information.

There has been no change to the AOL OpenIDs, all AOL/AIM users can still use their AOL ScreenNames as their OpenID (http://openid.aol.com/<screenname>).

We will soon update the OpenAuth documentation with some new changes. Here is a quick list of some of them (already implemented and deployed on our production servers):

You can request OpenAuth login page to show AOL, ICQ and OpenID login forms as required (anyone of them or combination of them or all)
New mini version of Login page that would fit on mobile browsers

OpenAuth Login page is now iPhone compatible too !

OpenID Relying Party support, so Web-Apps integrating with OpenAuth do not need to worry about implementing multiple protocols.

We will let you know as soon as we an AOL Service that starts accepting 3rd Party OpenIDs - well apart from ficlets.com and circavie.com, which already support OpenIDs but without using OpenAuth.

- Praveen

Tags: AOL OpenID OpenAuth

Instant Messaging for iPhone w/ OpenAuth & WebAIM

Sat, 07 Jul 2007 12:45:47 GMT

It's great to see James Burke (an AOL Employee and open source dojo library contributer) building an AIM client for iPhone using OpenAuth and WebAIM.
More here in his blog.

One good news for him and the future TinyBuddy users is, we are building "mini" versions of OpenAuth SignIn and Consent pages. So very soon it would be more user friendly.

- Praveen

Tags: Tinybuddy, WebAIM, OpenAuth, AOL, dojo

Why OpenAuth ?

Thu, 28 Jun 2007 17:24:06 GMT

During the Catalyst conference some people asked me why did we implement OpenAuth when we want to use open standards. It was a great question, which I think I should have clarified in my session. Anyway the answer is very simple and straight.

OpenID doesn't support all the use cases we need to support as per our business needs (mainly service level fine grain consent management, Service Invocation and not but not least more AJAX friendly than OpenID)
SAML/Liberty is too complex to implement for simple Web 2.0 web-apps, which are mostly built using simple scripting languages like Javascript or using new languages like Ruby for which there are no production quality SAML packages yet. And ofcourse we all know that SAML is too heavy for low value web transactions. That said, I would like to point out that we do use SAML for high value transactions between AOL and trusted Partners that are in business relationship with us.
CardSpace is still in it's very early stages. It's a completely new visual paradigm and would take users some time before they understand how it works and use it. Also currently it depends on specific Windows .Net framework and the new Vista. Support for other platforms (OSIS project) is still in the very early stages too. Also even when CardSpace is widely deployed and supported, with the existing model of invoking CardSpace selector for each and every app/site is not a good idea in terms of user experience. So we would still have to maintain some SSO protocol on our end to achieve seamless single sign ons.

Our goal with OpenAuth is to show what we ( I am very sure most of the other Identity Providers too) need (use-cases) in the Web 2.0 world and a way of solving them. We would be more than happy to work with (infact we are already) the web communities and tech groups to extend the existing Open protocols to support these use cases. George Fletcher also presented some of these use cases at the Concordia Project Workshop in the Catalyst conference earlier this week.

- Praveen

Tags: aol openauth, BurtonGroupCatalyst07

directLogin Vs login in OpenAuth

Wed, 27 Jun 2007 19:14:17 GMT

Several people have asked which OpenAuth method they should use to authenticate AOL/AIM users into their web app/sites. So I thought it would be good if I clarify it here. We will see how we can improve our documentation so it's more clear about when to use directLogin vs login method.

The directLogin was mainly designed for trusted applications (mainly desktop clients than web sites). When I say trusted, I mean in some business relationship with AOL and ofcourse only when it makes sense (both technically and user experience wise) to allow them collect AOL/AIM user's login credentials (SN/Pwd). As you all know, it's not a good practice to educate users to enter their credentials in any client or web site, otherwise it makes it very easy for the black hats to phish users. So before you request for access to directLogin method, please think about what your use-cases are.

The login was designed for web sites/apps and it also gets you the same authentication token as directLogin that can be used to invoke other AOL services. Most of the web sites/apps can just use our login method (via browser redirect) to send the users to OpenAuth login page to authenticate and get an authentication token back from OpenAuth. In this way, the users would always be asked to enter their login credentials from the same place (url) and page (ui), which helps them detect phishing sites asking for their login credentials.

So before you send us the request for access to directLogin, please think about your use-cases, and whether it makes sense to ask the user to enter their AOL/AIM credentials on your site or not. If you think it's the right way to go, please include your analysis and use-cases in your request email so we can quickly understand what you are trying to do and take necessary steps to provision your devId accordingly.

- Praveen

Tags: AOL, OpenAuth, directLogin, login, AOL OpenAuth

Burton Group Catalyst Conference - June 25-29 SFO

Thu, 21 Jun 2007 03:18:08 GMT

George Fletcher and I will be at the Burton Group Catalyst Conference next week. It's a great conference to attend if you are interested in Digital Identity. Even though the conference is all about enterprise technologies - Identity is still one of most important aspects of the conference. I will be talking about "Open Identity at AOL" on 27th (wed) at 3:10 PM. My session will be about how and why AOL is adopting Open Identity protocols and standards like OpenID, CardSpace, and SAML - the lessons we learned, the challenges faced and the open issues still to be solved. George would be representing AOL in a Panel discussion on "Protocol Preferences Aside: How's All This Stuff Going to Work Together?". George would also be attending the"Concordia Project Workshop" talking about the kind of use cases we are trying to solve and would like to see solved by the new Open Identity Protocols and the interoperability between them.

If you are going to be at the conference next week, and want to talk about anything (even to say 'hi' :-)), we would be more than happy.

- Praveen

Tags: BurtonGroupCatalyst07

OpenAuth Update - June 2007

Tue, 19 Jun 2007 00:33:26 GMT

[cross post from dev.aol.com]

It's been a while since we spoke about how things are going in the OpenAuth side. So let me get you all up to speed. :-)

We have got very good feedback from several people. We are happy to see people not only using our APIs, but also building open source toolkits & modules. We have updated the Ruby on Rails samplecode on the OpenAuth site (Many thanks to Tony).There is a new Perl module written by Tatsuhiko Miyagawa to use our APIs to authenticate users into perl based web applications. John Panzer proposed a way to incorporate OpenAuth into Atom Publishing protocol, which I think is being implemented by the AOL Journals team (need to confirm but I am sure John played around with it while he was still working for AOL) and was also implemented by a 3rd party developer as a proof of concept in his application (unfortunately I can't find more details now but will try to find out and update soon).

At the last IIW, Srinivas from my team led discussions around Token Exchange extension to OpenId (George's blog entry) and OpenAuth in general, which led to several discussions around

how to bridge Web Apps/Sites and Open Services world whenusingOpenId,
the need to have a simple and open user consent model, and
how to solve Identity, Authentication and Authorization forsimple Web 2.0 applications all under user's control.

We will be implementing our Token Exchange extension proposal as part of our next phase and publish the document soon.

Coming to what we are working on currently, we have been quite busy implementing OpenID Relying Party (Consumer) support as part of our OpenAuth Servers. The idea is to get the infrastructure updated to support 3rd party Identities at AOL, which I usually call "Simple and Open" Federated accounts. Once this is in place, any one (including AOL properties and 3rd party web apps) using OpenAuth could benefit from opening up their web applications accessible for not just AOL/AIM/ICQ users, but also to all OpenID users (that we can reliably verify) out there.

Also as you might have heard, we now also support the Verisign'sSeatbelt plugin for firefox (IE version is underway) that helps in protecting OpenId user's from phishing attacks. As per the Verisign team, the Seatbelt plugin will be pushed to the FireFox extensions site soon and will be available for anyone to download and install in their Firefox browsers.

Well, we will keep you posted about our progress. Meanwhile, please do send us your feedback and also any new features/functionality that you would like to see supported in our OpenAuth API.

- Praveen

Tags: AOL, OpenAuth, OpenID

XTech 2007, Paris

Thu, 26 Apr 2007 14:02:26 GMT

I will be talking about user-centric identity and how AOL adapted (well ongoing process I should say) new protocols to open up AOL Authentication Service to the rest of the world. The session with title "Mashing Up with User-Centric Identity" will be on Thursday, May 17 at 17:45 hrs. Here is what the session is all about:

"In a Web 2.0 world, users combine services from many providers. Having a common identity across providers eliminates a barrier to entry and adopting a user-centric identity system puts the user in control of how their information is combined. This session is about the opportunities and issues involved specifically with adopting open protocols, the solutions they provide, and open issues that remain to be solved. These include user experience, permission management, and mashup API authentication and how AOL's new Open Authentication (OpenAuth) API addresses them."

- Praveen

Tags: xtech, xtech2007, aol, openauth

Web2.0 Expo

Thu, 19 Apr 2007 12:18:15 GMT

Well as most of you already know, John Panzer and I did a session on "Mashing up with user centric identity" yesterday (4/18) in the Web 2.0 Expo at Moscone West, San Francisco. You can download our presentation deck from AOL Developer Network website .

- Praveen

Tags: aol openauth web20expo web20expo07 openid identity user-centric-identity

AOL Launches Open Authentication (OpenAuth) Service

Mon, 16 Apr 2007 14:19:11 GMT

After many months of work, we've finally posted the documentation for AOL's Open Authentication APIs at dev.aol.com/openauth! This is an exciting day for the authentication development team, but even more exciting for us as a company because it further proves the company's commitment to open protocols.

On the development front we've very proud of the new APIs and the interesting applications they make possible. Yes there are other "open" APIs out there. But we think we've got an innovative approach that isn't matched elsewhere. With AOL Open Authentication, a user can be authenticated and an authentication token returned to a site or AJAX application. What's interesting is that the application can then interact with other AOL services on behalf of the user. If the user hasn't given permission (granted consent) to that 3rd party, an exception is returned and a URL can be loaded that prompts the user for said consent.

We'll probably get some questions about why we invented another proprietary, albeit open, authentication protocol. Especially since we recently announced support for OpenId. Does AOL Open Authentication mean we're not committed to OpenId? The answer to that is an emphatic No! It does NOT mean we're backing off from our OpenId position. In fact, our goal is to use open protocols whenever possible, and being fans of OpenId that's our preference. But OpenId does not currently support the breadth of use cases we must support, particularly service invocation or consent management. That said, we are working on a prototype extension to OpenId intended to cover some of those additional use cases.

On the company front, we're very happy because we think these APIs, and others in the pipeline, cement AOL's commitment to being "open" and providing APIs for different services. The internal buzz we hear from our developer kin in other groups about providing APIs to different services and AOL's growing involvement with developer communities is starting to give us some great momentum, as we continue to build on our new strategy. And that's great news to us.

- OpenAuth Team

Tags: aol, aol developer network, openauth, aol open authentication