
AOL and OpenID: Where we are

It's not really a secret that AOL has been experimenting with OpenID.  As I've said, I think that user-centric, interoperable identity is hugely important to enable the social experiences we're trying to provide.  This is a work in progress, but things are coming along thanks to our authentication team's diligent effort.  Here's where we are today:
  • Every AOL/AIM user now has at least one OpenID URI, http://openid.aol.com/<sn>.
  • This experimental OpenID 1.1 Provider service is available now and we are conducting compatibility tests.
  • We're working with OpenID relying parties to resolve compatibility issues.
  • Our blogging platform has enabled basic OpenID 1.1 in beta, so every beta blog URI is also a basic OpenID identifier.  (No Yadis yet.)
  • We don't yet accept OpenID identities within our products as a relying party, but we're actively working on it.  That roll-out is likely to be gradual.
  • We are tracking the OpenID 2.0 standardization effort and plan to support it after it becomes final.
Update:  Thanks for all the responses; I've posted a followup over on dev.aol.com.

Comments

  1. Awesome!

    There's a bug in Opera 9 Mac at the moment where I get a blank screen half way through an attempted sign-in (after I enter my username and password). Works great in Firefox though.

  2. That's fantastic. To be clear, you don't have to be an AOL "customer" to use this service. An AIM "screen name", which is free to get, is sufficient. Single sign-on will transform the Internet and it's awesome to see AOL adopt an open-standards approach.

  3. I used Firefox to sign into OpenID wiki. I am able to enter the password, but then get a blank screen.

  4. Just noted this over at http://activeanalysis.net - great job supporting a standard instead of pushing out just another proprietary authentication schema!

    One quick thing, the AOL OpenID Provider seems to work fine with site redirects after authentication in Firefox, but has issues with Safari.

  5. This is awesome

  6. Hooray!

    Awesome, I posted a comment to my LiveJournal blog, and it worked!  :-)

  7. Could you _please_ implement using openid.aol.com as the openid_url users reveal to the relying party, rather than insisting that they reveal the private information in openid.aol.com/gobal_id - it looks like you're very close.

  8. John,

    Many thanks for the info and congrats to you all at AOL for making this happen.  I have a question for you - have you or anyone else experienced the problem where during the initial login to openid.aol.com you are not shown the Grant/Deny screen but instead taken directly back to the application page (with access to your ID granted)?

    I wrote this up on my blog at:

     http://www.disruptivetelephony.com/2007/02/aol_openid_63_m.html

    but I'm not sure how precisely to send this in to you all outside of leaving a blog comment like this.  As I note, on subsequent uses of the AOL OpenID, I *am* prompted to Grant/Deny access to the ID to the requesting site, but on the initial login, I was taken right back to the app.  I don't know if anyone else can replicate this or if it is just my system.  I did try it in both Firefox 2 and IE 7 and it occurred in both.

    Thanks again for the info - and for implementing OpenID,
    Dan

  9. So what is the openid.server and the openid.delegate to put in a "link rel"?  Or equivalently, what are the URI and the openid:Delegate values to put in my XRDS file?

  10. Some quick answers:
    pegasusfalln:
    <link rel="openid.server" href="https://api.screenname.aol.com/auth/openidServer" >
    <link rel="openid.delegate" href="http://openid.aol.com/panzerjohn" >

    Should work on any web page -- stick your own AIM screen name at the end of openid.delegate.  Of course this does expose your screen name in the page (per axezephyr) and there's ongoing discussion about how best to deal with that.

    axezephyr - I need to double check but I think that this capability requires OpenID 2.0, which we are interested in implementing when it's finalized.

    dyorkottawa - Seems to me it ought to at least document what you're granting access to (maybe in a page combined with the login one).  The UI experience is definitely something that needs a lot of working through.  Not sure what the status is here but I'll check.

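As an added example (not AOL's code and not part of the original post or comments), here is how a relying party consumes the two link tags John gives above under OpenID 1.1: it parses openid.server and openid.delegate out of a page's <head>, falls back to the claimed URL when there is no delegate, and builds the checkid_setup redirect. The sample page, the screen name examplesn, and the return_to/trust_root URLs are constructed placeholders; the trust_root check only handles exact hosts, not the wildcard form the spec also allows.

```python
"""OpenID 1.1 relying-party discovery and checkid_setup redirect (added example).

Parses the <link rel="openid.server"> / <link rel="openid.delegate"> tags from
an HTML page and builds the redirect a relying party sends the browser to.
Sample page, screen name and RP URLs below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

# Constructed sample: a personal page delegating to the AOL provider, using
# the two link tags from the comment above with a placeholder screen name.
SAMPLE_PAGE = """<html><head>
<title>example page</title>
<link rel="openid.server" href="https://api.screenname.aol.com/auth/openidServer" >
<link rel="openid.delegate" href="http://openid.aol.com/examplesn" >
</head><body>hi</body></html>"""


class OpenIDLinkParser(HTMLParser):
    """Collect openid.server / openid.delegate hrefs from <link> tags in <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self.in_body = False

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_body = True  # OpenID 1.1 requires the links to be in <head>
        if tag != "link" or self.in_body:
            return
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower()
        href = attrs.get("href")
        if rel in ("openid.server", "openid.delegate") and href:
            self.links.setdefault(rel, href)  # first occurrence wins


def discover(html_text, claimed_url):
    """Return (server, identity) per OpenID 1.1 HTML-based discovery.

    identity is the delegate if present, otherwise the claimed URL itself.
    Raises ValueError when no openid.server link is found in <head>.
    """
    parser = OpenIDLinkParser()
    parser.feed(html_text)
    server = parser.links.get("openid.server")
    if not server:
        raise ValueError("no openid.server link in <head>")
    identity = parser.links.get("openid.delegate", claimed_url)
    return server, identity


def return_to_within_trust_root(return_to, trust_root):
    """Check that return_to sits under trust_root (same scheme+host, path prefix).

    Exact-host only; the spec's "*.example.com" wildcard form is not handled.
    """
    r, t = urlsplit(return_to), urlsplit(trust_root)
    if r.scheme != t.scheme or r.netloc != t.netloc:
        return False
    return r.path.startswith(t.path or "/")


def checkid_setup_url(server, identity, return_to, trust_root):
    """Build the checkid_setup redirect URL (dumb mode: no association handle)."""
    if not return_to_within_trust_root(return_to, trust_root):
        raise ValueError("return_to must be under trust_root")
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    sep = "&" if "?" in server else "?"
    return server + sep + urlencode(params)


if __name__ == "__main__":
    srv, ident = discover(SAMPLE_PAGE, "http://me.example.invalid/")
    print(checkid_setup_url(srv, ident,
                            "https://rp.example.invalid/openid/return",
                            "https://rp.example.invalid/"))
```

The return_to check is the piece worth keeping even in a toy: a provider that sends the signed assertion to whatever return_to the RP request named relies on the RP having constrained it to its own trust_root first.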

  11. Thanks for all your feedback. I tried to leave a comment on Dan York's blog but I always got server timeouts. So I am trying to post my response here:

    Regarding the first issue, we wanted to optimize the user experience so the user doesn't need to go through two pages and click twice (Sign in on login page and Grant on consent page). That's why when you are not already signed in, you will just see the login page, which assumes that by entering the SN/Pwd you are giving your consent to share your login with the 3rd party site (we need to work on the messaging). If you are already signed in at AOL, since we do not need to ask the user to enter SN/Pwd (SSO), we just display the consent page (w/ Grant/Deny options).

    OpenID1.1 spec doesn't include Logout method. There is no easy way for logout from OpenID provider unless you go to your own OpenID url and click signout from there. We will be adding the logout support pretty soon. As you have seen in John Panzer's post, we are still experimenting. It's very challenging to migrate existing systems from traditional Sign In/Out mechanisms to the new open standards.

    - Praveen Alavillli
    AOL Authentication

  12. congratulations! That's great. I tried it out and it's a good start ;)

  13. I would love to know who gave AOL permission for my screen name to be used this way?
    This means now that if anyone finds out my password for AIM, they will be able to go into any site that supports this OpenID thing.

    Not a good move and you should have given users the right to refuse this.

  14. acs358 -- "This means now that if anyone finds out my password for AIM, they will be able to go into any site that supports this OpenID thing."

    We're very concerned about security and about the implications of identity theft.  But I don't think this changes your risk.  Even without OpenID, if your password is leaked, someone can do a lot of damage impersonating you.  They can read your email and send email as you (with webmail), they can upload illegal pictures and videos, they can of course send IM spam, they can copy your Buddy List, and a lot more.  So at the moment, OpenID is the least of your worries.  

    Actually, today many web sites accept your email address as an ID, and if someone has your AIM password, they also control your email address and mailbox, so you already have this problem.  Not sure that OpenID changes things much.

    Consider, though, what would happen if we did make this opt-in.  We'd do this in your personal profile, probably on www.aim.com.  To change the settings, you need to sign in with your AIM screen name and password... so if your password is leaked, an attacker can simply log in, opt in, and then go merrily on.

    As best as I can tell, if your password is leaked, you're in just as much trouble without OpenID as with it.  It's a good reason to protect your password.

    Let me know if I missed something.  Thanks!

  15. This is indeed good news.   While trying to do some exploratory integration / interoperability work I found several issues.   First if the screen name is over a set number of chars many of the web interfaces truncate the value, however the openid.aol.com server doesn't, resulting in a page not found error.   Second during the authentication process after the submission of the login form there are times when  api.screenname.aol.com returns an HTTP Status OK with no content, when I would expect the authorization page, or a redirect back to the relying party with an error.   I can provide additional details via email if anyone is interested.

  16. If it's anything like SecurID we are all screwed... we all know how flawed that system is.

    http://www.seriouslyfunnyvideos.com

  17. Theoretically OpenID *is* opt-in automatically.  It only authenticates you on OpenID-enabled websites where you, personally, have originally asked it to do so.

    If you never use your AOL OpenID to register on a website, it can't be used to log into it, so it's as secure as you, personally, want it to be.

    If you want to use it, use it.
    If you do not want to use it or have others use it if they steal your password, then never use it and they'll never be able to either.

  18. I have only just personally gone into discovering what Open ID is all about.  This is because the 3rd party message board/blog system that I use is determined (understandably) not to allow guest posting.  

    I am at the moment trying to convince them that Open ID would be a great compromise.  We are very limited on that system as forcing people to register with them just to leave the odd comment does put people off.  

    I think fear over someone getting hold of ones password and then going around other systems impersonating them is a little paranoid.  Getting hold of a password on any system can happen rarely but I don't see how the risk is higher with Open ID.  

    I personally think Open ID is the best thing since sliced bread.  It certainly saves all this registering on separate systems all over the web.

  19. How do you delete a screen name on AOL?


