Goodbye AOL; Hello Google!

Today is my last day at AOL.  I celebrated my binary millennial in February, and it's time to move on... to some exciting new things over at Google.  I'm going to continue to work in the community/social networking area and I plan to keep gently evangelizing user centric identity, REST, Atom, and feed technologies, among many other things.  And, yes, getting products out the door too.  It'll be fun.

I don't know yet if I'll continue using this blog; but regardless, http://abstractioneer.org will always resolve to where I'm blogging (anything can be solved with one level of indirection).  And =john.panzer will always reach me.


Iiw2007 wrap

Image from AOL Pictures

New Journals features: Video, pictures, mobile... and Atom!

The team just added some cool features to Journals last night.  There's a new button that lets you easily add pictures from various Flickr, your computer, AOL Pictures, or an arbitrary URL.  There's a video button that lets you upload a video to embed in your entry or About Me, or record directly from your webcam.  The latter uses the Userplane video recorder widget, which was a breeze to integrate with.  We're also highlighting our mobile posting feature at http://journals.aol.com, which lets you post via your cell phone (or email!) including pictures or video.  Here's a quick trick:  You can use this feature to integrate iPhoto with your blog; just choose to Share via email and put in your blog's email address.

We've also made some changes to our Atom API to bring it more into line with the draft APP standard; it's not 100% there yet but it's close and certainly usable.


At iiw2007a: Concordia (Eve Maler)

Image from AOL Pictures

Eve draws up a diagram showing how 'bootstrapping' works in SAML/Liberty WS.  Discussion ensues with many queries about Condordia.  More questions than answers, but I think that people have a lot of related/interlocking problems that need solving.

Starting from OpenID, it sounds to me like all these cases are a subset of the "access a service on behalf of a user" use case; hopefully solving either one will help with the other.


At IIW2007

I'm at IIW right now and also hacking away on OpenAuth and Blogs.  Which does make sense since the people I need to talk to about how it should work are mostly here, with the exception of Praveen, who for some inexplicable reason prefers France.

So far so good; this curl command posts a blog entry on my Atom blog service:

curl -k -v -sS --include --location-trusted --request POST --url'https://monotreme:4279/_atom/collection/blogssmoketester' --data@/tmp/ieRN0zhgh6 --header 'Content-Type: application/atom+xml;charset=utf-8' --header 'Authorization: OpenAuthtoken="%2FwEAAAAABYgbMtk4J7Zwqd8WHKjNF6fgJSYe4RhTuitkNyip%2BEru%2FY43vaGyE2fTlxKPAEkBC%2Bf5lhWg18CE2gaQtTVQy0rpillqtUVOOtrf1%2BLzE%2BNTcBuFJuLssU%2B6sc0%3D"devid="co1dDRMvlgZJXvWK"'

Note that the token, which gives authorization and authentication, is obtained with a separate login call to an internal OpenAuth server.  It looks like I need both the token and the devid; the devid essentially identifies the agent representing the user.

I should be able to post this curl command line with impunity because it shouldn't expose any private data, unlike the HTTP Basic Auth equivalent which exposes the user's password in nearly clear text.  This also implies that it should be possible to avoid using TLS.

Now, if I had a standard way to get a token for an OpenID session, I could pass that in like so:

Authorization: OpenID token="...."

And my server will advertise that it accepts all three -- Basic, OpenAuth, and OpenID.  I hope to talk with like minded people about this at IIW.


Sun += OpenID

Tim Bray just bloggedabout openid.sun.com, which is an identity provider for Sunemployees only.  Interesting!  Though technically one would like to beable to do independent assertions about user centric identities ("worksfor Sun" being a reasonable assertion one could make about anyidentity).  I suppose though that someone could use OP delegation topoint http://me.example.org to openid.sun.com and achieve part of thesame effect.  And in the end you'll need to rely on something likeopenid.sun.com to validate assertions presumably.


AOL OpenAuth and Atom Publishing Protocol

I'm looking to see how best to implement Atom-compatibleauthentication for AOL's OpenAuth service. The service provides ways for users to authenticate themselves and togrant permissions to services to do things such as read buddy lists onbehalf of a user.  These permissions are encapsulated in a portabletoken which can be passed around.  The primary use cases for thisinvolve pure web based AJAX applications, so making this something thata generic application can deal with isn't fully specified.

So, here are my thoughts.  Let's say the client has a token stringwhich encapsulates authentication and authorization.  They need to sendthis along with an Atom Publishing Protocol (APP) request. 

Windows Live and GData both implement custom RFC 2617 WWW-Authenticate:headerschemes.  Unfortunately they don't follow exactly the same pattern,or I'd just copy it.  But using RFC 2617 is clearly the right approachif the server can support it.  So here's a proposal:

If a client has an OpenAuth token, it sends an Authorization: header. The format looks like this:
Authorization: OpenAuth token="..."
where ... contains the base64-encoded token data (an opaque string,essentially).

When there is a problem, or the Authorization: header is missing, a401 response is returned with a WWW-Authenticate: header.
401 Need user consent
WWW-Authenticate: OpenAuth realm="RealmString",fault="NeedConsent",url="http://my.screenname.aol.com/blah?a=boof&b=zed&...."
where the status code contains a human readable message, and theWWW-Authenticate header contains the precise fault code -- NeedToken,NeedConsent, ExpiredToken.  If present, the urlparameter gives the URL of an HTML page which can be presented to theend user to login or grant permissions.  For example it can point to alogin page if the fault is NeedToken.  A client would then need to dothe following in response:
  1. Append a "&succUrl=..." parameter to the url, telling theOpenAuth service where to go when the user successfully logs in orgrants permission. 
  2. Open a web browser or browser widget control with the givencomposed URL, and present to the user.
  3. Be prepared to handle an invocation of the succUrl with anappended token parameter, giving a new token to use for subsequentrequests.
Note that the succUrl can be a javascript: URL, or a custom scheme(e.g., aim:) if your destination client is not a web browser.  Or itcould be pointing to a local web server(http://localhost:1080/openauthcallback.cgi) or perhaps other schemesto get the token from point A to point B.  Whatever method is chosen,eventually the client will receive an OpenAuth token that it can use totry (or re-try) the Atom request.

As a wrinkle, to enhance autodiscovery, perhaps we should allow an"Authorization: OpenAuth" header with no token on any request(including HEAD).  The server could then respond with a 401 andfault="NeedToken", telling the client what URL to use for loginauthentication.  The interesting thing about this is that the protocolis then truly not tied to any particular authentication service --anyone who implements this fairly simple protocol with opaque tokenscan then play with anyone else.  The whole thing could be built on topof OpenID, for example. 

Perhaps this doesn't quite work.  I notice that the Flickr APIs don'tdo this, and instead have non-browsers establish a session with aclient-generated unique key ("frob").  But this requires that users endup looking at a browser screen that tells them to return to theirapplication to re-try the request.  Which the above scheme couldcertainly do as well, by making the succUrl point at such a page.  Sois there a reason why Flickr doesn't redirect?  There's likely a gapingsecurity hole here that I'm just missing.