2007/02/14

AOL and OpenID: Where we are

It's not really a secret that AOL has been experimenting with OpenID.  As I've said, I think that user-centric, interoperable identity is hugely important to enable the social experiences we're trying to provide.  This is a work in progress, but things are coming along thanks to our authentication team's diligent effort.  Here's where we are today:
  • Every AOL/AIM user now has at least one OpenID URI, http://openid.aol.com/<sn>.
  • This experimental OpenID 1.1 Provider service is available now and we are conducting compatibility tests.
  • We're working with OpenID relying parties to resolve compatibility issues.
  • Our blogging platform has enabled basic OpenID 1.1 in beta, so every beta blog URI is also a basic OpenID identifier.  (No Yadis yet.)
  • We don't yet accept OpenID identities within our products as a relying party, but we're actively working on it.  That roll-out is likely to be gradual.
  • We are tracking the OpenID 2.0 standardization effort and plan to support it after it becomes final.
Update:  Thanks for all the responses; I've posted a followup over on dev.aol.com.

17 comments:

  1. Awesome!

    There's a bug in Opera 9 Mac at the moment where I get a blank screen halfway through an attempted sign-in (after I enter my username and password). Works great in Firefox though.

    ReplyDelete
  2. That's fantastic. To be clear, you don't have to be an AOL "customer" to use this service. An AIM "screen name", which is free to get, is sufficient. Single sign-on will transform the Internet and it's awesome to see AOL adopt an open-standards approach.

    ReplyDelete
  3. I used Firefox to sign into OpenID wiki. I am able to enter the password, but then get a blank screen.

    ReplyDelete
  4. Hooray!

    Awesome, I posted a comment to my LiveJournal blog, and it worked!  :-)

    ReplyDelete
  5. Could you _please_ implement using openid.aol.com as the openid_url users reveal to the relying party, rather than insisting that they reveal the private information in openid.aol.com/global_id - it looks like you're very close.

    ReplyDelete
  6. So what is the openid.server and the openid.delegate to put in a "link rel"?  Or equivalently, what are the URI and the openid:Delegate values to put in my XRDS file?

    ReplyDelete
  7. Some quick answers:
    pegasusfalln:
    <link rel="openid.server" href="https://api.screenname.aol.com/auth/openidServer" >
    <link rel="openid.delegate" href="http://openid.aol.com/panzerjohn" >

    Should work on any web page -- stick your own AIM screen name at the end of openid.delegate.  Of course this does expose your screen name in the page (per axezephyr) and there's ongoing discussion about how best to deal with that.

    axezephyr - I need to double check but I think that this capability requires OpenID 2.0, which we are interested in implementing when it's finalized.

    dyorkottawa - Seems to me it ought to at least document what you're granting access to (maybe in a page combined with the login one). The UI experience is definitely something that needs a lot of working through. Not sure what the status is here but I'll check.

    ReplyDelete
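
The link-rel delegation described in the comment above, as an added relying-party-side example that is not part of the original post and not AOL's code: it performs OpenID 1.1 HTML-based discovery on a constructed user page, builds the checkid_setup redirect, and checks the asserted identity when the user comes back. The page URL blog.example, the screen name example_sn, the relying-party URLs and all function names are assumptions made for illustration.

```python
"""OpenID 1.1 HTML-based discovery for a relying party (added example).

Not AOL's code and not from the original post. The HTML below is constructed
to carry the same <link rel="openid.server"> / <link rel="openid.delegate">
tags shown in the comments; function names are this example's own.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed: a user's own web page that delegates to an OpenID 1.1 provider.
# "example_sn" stands in for a screen name and is not a real account.
SAMPLE_PAGE = """<html><head>
<title>John's page</title>
<link rel="stylesheet" href="/style.css">
<link rel="openid.server" href="https://api.screenname.aol.com/auth/openidServer">
<link rel="openid.delegate" href="http://openid.aol.com/example_sn">
</head><body>Hello.</body></html>"""

# Constructed: the only openid.server link sits in the BODY (for instance
# injected through a comment field). Discovery must not honour it.
SPOOFED_PAGE = """<html><head><title>x</title></head><body>
<link rel="openid.server" href="http://attacker.example/openidServer">
</body></html>"""

_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def normalize_identifier(user_input):
    """OpenID 1.1 identifier normalization: default to http://, ensure a path."""
    s = user_input.strip()
    if not _SCHEME_RE.match(s):
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme not in ("http", "https"):
        raise ValueError("OpenID identifiers must be http or https URLs")
    if parts.path == "":
        s += "/"
    return s


class _LinkRelParser(HTMLParser):
    """Collect the first openid.server / openid.delegate <link> in <head>.

    rel is a whitespace-separated token list, so rel="openid.server foo" also
    counts. Tags after </head> are ignored: HTML discovery reads the document
    HEAD, which keeps user-supplied body content out of the decision about
    where the user's credentials are sent.
    """

    def __init__(self):
        super().__init__()
        self.server = None
        self.delegate = None
        self._in_head = True  # lenient for pages that omit <head> entirely

    def handle_starttag(self, tag, attrs):
        if tag != "link" or not self._in_head:
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        href = a.get("href")
        if not href:
            return
        if "openid.server" in rels and self.server is None:
            self.server = href
        if "openid.delegate" in rels and self.delegate is None:
            self.delegate = href

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover_html(user_input, html):
    """Return the claimed identifier, the provider endpoint and the identity
    to send to the provider (the delegate when declared, else the claimed URL)."""
    claimed_id = normalize_identifier(user_input)
    p = _LinkRelParser()
    p.feed(html)
    p.close()
    if p.server is None:
        raise ValueError("no openid.server <link> in HEAD of %s" % claimed_id)
    if urlsplit(p.server).scheme not in ("http", "https"):
        raise ValueError("openid.server must be an http(s) URL")
    return {"claimed_id": claimed_id, "server": p.server,
            "identity": p.delegate or claimed_id}


def build_checkid_setup_url(discovered, return_to, trust_root):
    """Build the OpenID 1.1 checkid_setup redirect. No assoc_handle is sent
    (dumb mode), so the RP must confirm the assertion via check_authentication."""
    params = {"openid.mode": "checkid_setup",
              "openid.identity": discovered["identity"],
              "openid.return_to": return_to,
              "openid.trust_root": trust_root}
    sep = "&" if "?" in discovered["server"] else "?"
    return discovered["server"] + sep + urlencode(params)


def query_params(url):
    """First value of each query parameter of url."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def response_identity_ok(discovered, return_url):
    """Check an id_res response against what discovery produced: the asserted
    openid.identity must equal the identity discovery chose (the delegate),
    otherwise any provider could assert any identifier. Verifying openid.sig
    over the openid.signed fields is a separate, also mandatory, step."""
    q = query_params(return_url)
    return (q.get("openid.mode") == "id_res"
            and q.get("openid.identity") == discovered["identity"])
```

Because the identity sent to the provider is the delegate URL, the screen name is visible to the relying party and to anyone reading the page source, which is the exposure the comment above notes; the claimed identifier (the user's own page) is what the RP should display and store.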

  8. Thanks for all your feedback. I tried to leave a comment on Dan York's blog but I always got server timeouts. So I am trying to post my response here:

    Regarding the first issue, we wanted to optimize the user experience so the user doesn't need to go through two pages and click twice (Sign in on login page and Grant on consent page). That's why when you are not already signed in, you will just see the login page, which assumes that by entering the SN/Pwd you are giving your consent to share your login with the 3rd party site (we need to work on the messaging). If you are already signed in at AOL, since we do not need to ask the user to enter SN/Pwd (SSO), we just display the consent page (w/ Grant/Deny options).

    The OpenID 1.1 spec doesn't include a logout method. There is no easy way to log out from the OpenID provider unless you go to your own OpenID URL and click sign out there. We will be adding logout support pretty soon. As you have seen in John Panzer's post, we are still experimenting. It's very challenging to migrate existing systems from traditional sign-in/sign-out mechanisms to the new open standards.

    - Praveen Alavillli
    AOL Authentication

    ReplyDelete
  9. congratulations! That's great. I tried it out and it's a good start ;)

    ReplyDelete
  10. I would love to know who gave AOL permission for my screen name to be used this way?
    This means now that if anyone finds out my password for AIM, they will be able to go into any site that supports this OpenID thing.

    Not a good move and you should have given users the right to refuse this.

    ReplyDelete
  11. acs358 -- "This means now that if anyone finds out my password for AIM, they will be able to go into any site that supports this OpenID thing."

    We're very concerned about security and about the implications of identity theft.  But I don't think this changes your risk.  Even without OpenID, if your password is leaked, someone can do a lot of damage impersonating you.  They can read your email and send email as you (with webmail), they can upload illegal pictures and videos, they can of course send IM spam, they can copy your Buddy List, and a lot more.  So at the moment, OpenID is the least of your worries.  

    Actually, today many web sites accept your email address as an ID, and if someone has your AIM password, they also control your email address and mailbox, so you already have this problem.  Not sure that OpenID changes things much.

    Consider, though, what would happen if we did make this opt-in.  We'd do this in your personal profile, probably on www.aim.com.  To change the settings, you need to sign in with your AIM screen name and password... so if your password is leaked, an attacker can simply log in, opt in, and then go merrily on.

    As best as I can tell, if your password is leaked, you're in just as much trouble without OpenID as with it.  It's a good reason to protect your password.

    Let me know if I missed something.  Thanks!

    ReplyDelete
  12. This is indeed good news. While trying to do some exploratory integration / interoperability work I found several issues. First, if the screen name is over a set number of characters, many of the web interfaces truncate the value; however, the openid.aol.com server doesn't, resulting in a page-not-found error. Second, during the authentication process, after the submission of the login form there are times when api.screenname.aol.com returns an HTTP status OK with no content, when I would expect the authorization page, or a redirect back to the relying party with an error. I can provide additional details via email if anyone is interested.

    ReplyDelete
  13. If it's anything like SecurID, we are all screwed... we all know how flawed that system is.

    http://www.seriouslyfunnyvideos.com

    ReplyDelete
  14. Theoretically OpenID *is* opt-in automatically.  It only authenticates you on OpenID-enabled websites where you, personally, have originally asked it to do so.

    If you never use your AOL OpenID to register on a website, it can't be used to log into it, so it's as secure as you, personally, want it to be.

    If you want to use it, use it.
    If you do not want to use it or have others use it if they steal your password, then never use it and they'll never be able to either.

    ReplyDelete
  15. I have only just personally gone into discovering what Open ID is all about.  This is because the 3rd party message board/blog system that I use is determined (understandably) not to allow guest posting.  

    I am at the moment trying to convince them that Open ID would be a great compromise.  We are very limited on that system as forcing people to register with them just to leave the odd comment does put people off.  

    I think fear over someone getting hold of one's password and then going around other systems impersonating them is a little paranoid. Getting hold of a password on any system can happen rarely, but I don't see how the risk is higher with Open ID.

    I personally think Open ID is the best thing since sliced bread. It certainly saves all this registering on separate systems all over the web.

    ReplyDelete
  16. How do you delete a screen name on AOL?

    ReplyDelete