Wednesday, February 14, 2007

AOL and OpenID: Where we are

It's not really a secret that AOL has been experimenting with OpenID.  As I've said, I think that user-centric, interoperable identity is hugely important to enable the social experiences we're trying to provide.  This is a work in progress, but things are coming along thanks to our authentication team's diligent effort.  Here's where we are today:
  • Every AOL/AIM user now has at least one OpenID URI, http://openid.aol.com/<sn>.
  • This experimental OpenID 1.1 Provider service is available now and we are conducting compatibility tests.
  • We're working with OpenID relying parties to resolve compatibility issues.
  • Our blogging platform has enabled basic OpenID 1.1 in beta, so every beta blog URI is also a basic OpenID identifier.  (No Yadis yet.)
  • We don't yet accept OpenID identities within our products as a relying party, but we're actively working on it.  That roll-out is likely to be gradual.
  • We are tracking the OpenID 2.0 standardization effort and plan to support it after it becomes final.
Update:  Thanks for all the responses; I've posted a followup over on dev.aol.com.

18 comments:

Anonymous said...

Awesome!

There's a bug in Opera 9 Mac at the moment where I get a blank screen half way through an attempted sign-in (after I enter my username and password). Works great in Firefox though.

Anonymous said...

That's fantastic. To be clear, you don't have to be an AOL "customer" to use this service. An AIM "screenname", which is free to get, is sufficient. Single sign-on will transform the Internet and it's awesome to see AOL adopt an open-standards approach.

Anonymous said...

I used Firefox to sign into OpenID wiki. I am able to enter the password, but then get a blank screen.

Anonymous said...

Just noted this over at http://activeanalysis.net - great job supporting a standard instead of pushing out just another proprietary authentication schema!

One quick thing, the AOL OpenID Provider seems to work fine with site redirects after authentication in Firefox, but has issues with Safari.

Anonymous said...

This is awesome

Anonymous said...

Hooray!

Awesome, I posted a comment to my LiveJournal blog, and it worked!  :-)

Anonymous said...

Could you _please_ implement using openid.aol.com as the openid_url users reveal to the relying party, rather than insisting that they reveal the private information in openid.aol.com/global_id - it looks like you're very close.

Anonymous said...

John,

Many thanks for the info and congrats to you all at AOL for making this happen.  I have a question for you - have you or anyone else experienced the problem where during the initial login to openid.aol.com you are not shown the Grant/Deny screen but instead taken directly back to the application page (with access to your ID granted)?

I wrote this up on my blog at:

 http://www.disruptivetelephony.com/2007/02/aol_openid_63_m.html

but I'm not sure how precisely to send this in to you all outside of leaving a blog comment like this.  As I note, on subsequent uses of the AOL OpenID, I *am* prompted to Grant/Deny access to the ID to the requesting site, but on the initial login, I was taken right back to the app.  I don't know if anyone else can replicate this or if it is just my system.  I did try it in both Firefox 2 and IE 7 and it occurred in both.

Thanks again for the info - and for implementing OpenID,
Dan

Anonymous said...

So what is the openid.server and the openid.delegate to put in a "link rel"?  Or equivalently, what are the URI and the openid:Delegate values to put in my XRDS file?

Anonymous said...

Some quick answers:
pegasusfalln:
<link rel="openid.server" href="https://api.screenname.aol.com/auth/openidServer" >
<link rel="openid.delegate" href="http://openid.aol.com/panzerjohn" >

Should work on any web page -- stick your own AIM screen name at the end of openid.delegate.  Of course this does expose your screen name in the page (per axezephyr) and there's ongoing discussion about how best to deal with that.

axezephyr - I need to double check but I think that this capability requires OpenID 2.0, which we are interested in implementing when it's finalized.

dyorkottawa - Seems to me it ought to at least document what you're granting access to (maybe in a page combined with the login one).  The UI experience is definitely something that needs a lot of working through.  Not sure what the status is here but I'll check.
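To make the delegation mechanism in the reply above concrete, here is an added example (not AOL's code, and not from the original post) of the OpenID 1.1 HTML-based discovery a relying party performs on a page carrying those two link tags, followed by building the checkid_setup redirect. It assumes a hypothetical relying party at example.com; the link tags in the sample page are the ones quoted in the comment.

```python
# Added example: OpenID 1.1 HTML discovery with openid.delegate (not AOL's code).
from html.parser import HTMLParser
from urllib.parse import urlencode


class _LinkRelParser(HTMLParser):
    """Collects the href of each <link rel="..."> tag, first occurrence wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: v for k, v in attrs if v is not None}
        for rel in a.get("rel", "").lower().split():
            self.links.setdefault(rel, a.get("href"))


def discover(claimed_url, html):
    """Return the OpenID server and the identity the relying party sends to it.

    With openid.delegate present, the delegate URL (here one containing the
    AIM screen name, so visible to anyone who fetches the page) is what gets
    authenticated; without it, the claimed URL itself is the identity.
    """
    p = _LinkRelParser()
    p.feed(html)
    server = p.links.get("openid.server")
    if not server:
        raise ValueError("no openid.server link in page")
    identity = p.links.get("openid.delegate") or claimed_url
    return {"server": server, "identity": identity,
            "delegated": identity != claimed_url}


def checkid_setup_url(disc, return_to, trust_root):
    """Build the OpenID 1.1 checkid_setup redirect URL to the provider."""
    params = {"openid.mode": "checkid_setup",
              "openid.identity": disc["identity"],
              "openid.return_to": return_to,
              "openid.trust_root": trust_root}
    sep = "&" if "?" in disc["server"] else "?"
    return disc["server"] + sep + urlencode(params)


# Constructed sample page using the two link tags from the comment above.
SAMPLE_PAGE = """<html><head><title>me</title>
<link rel="openid.server" href="https://api.screenname.aol.com/auth/openidServer" >
<link rel="openid.delegate" href="http://openid.aol.com/panzerjohn" >
</head><body>my page</body></html>"""
```

Running `discover("http://example.com/me", SAMPLE_PAGE)` shows the screen name leaving the page as `openid.identity`, which is exactly the exposure the reply mentions.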

Anonymous said...


Thanks for all your feedback. I tried to leave a comment on Dan York's blog but I always got server timeouts. So I am trying to post my response here:

Regarding the first issue, we wanted to optimize the user experience so the user doesn't need to go through two pages and click twice (Sign in on login page and Grant on consent page). That's why when you are not already signed in, you will just see the login page, which assumes that by entering the SN/Pwd you are giving your consent to share your login with the 3rd party site (we need to work on the messaging). If you are already signed in at AOL, since we do not need to ask the user to enter SN/Pwd (SSO), we just display the consent page (w/ Grant/Deny options).

OpenID1.1 spec doesn't include Logout method. There is no easy way for logout from OpenID provider unless you go to your own OpenID url and click signout from there. We will be adding the logout support pretty soon. As you have seen in John Panzer's post, we are still experimenting. It's very challenging to migrate existing systems from traditional Sign In/Out mechanisms to the new open standards.

- Praveen Alavilli
AOL Authentication

Anonymous said...

Congratulations! That's great. I tried it out and it's a good start ;)

Anonymous said...

I would love to know who gave AOL permission for my screen name to be used this way?
This means now that if anyone finds out my password for AIM, they will be able to go into any site that supports this OpenID thing.

Not a good move and you should have given users the right to refuse this.

Anonymous said...

acs358 -- "this means now that if anyone finds out my password for AIm, that they will be able to  go into any site that supports this OPENId thing."

We're very concerned about security and about the implications of identity theft.  But I don't think this changes your risk.  Even without OpenID, if your password is leaked, someone can do a lot of damage impersonating you.  They can read your email and send email as you (with webmail), they can upload illegal pictures and videos, they can of course send IM spam, they can copy your Buddy List, and a lot more.  So at the moment, OpenID is the least of your worries.  

Actually, today many web sites accept your email address as an ID, and if someone has your AIM password, they also control your email address and mailbox, so you already have this problem.  Not sure that OpenID changes things much.

Consider, though, what would happen if we did make this opt-in.  We'd do this in your personal profile, probably on www.aim.com.  To change the settings, you need to sign in with your AIM screen name and password... so if your password is leaked, an attacker can simply log in, opt in, and then go merrily on.

As best as I can tell, if your password is leaked, you're in just as much trouble without OpenID as with it.  It's a good reason to protect your password.

Let me know if I missed something.  Thanks!

Anonymous said...

This is indeed good news.   While trying to do some exploratory integration / interoperability work I found several issues.   First if the screen name is over a set number of chars many of the web interfaces truncate the value, however the openid.aol.com server doesn't, resulting in a page not found error.   Second during the authentication process after the submission of the login form there are times when  api.screenname.aol.com returns an HTTP Status OK with no content, when I would expect the authorization page, or a redirect back to the relying party with an error.   I can provide additional details via email if anyone is interested.

Anonymous said...

Theoretically OpenID *is* opt-in automatically.  It only authenticates you on OpenID-enabled websites where you, personally, have originally asked it to do so.

If you never use your AOL OpenID to register on a website, it can't be used to log into it, so it's as secure as you, personally, want it to be.

If you want to use it, use it.
If you do not want to use it or have others use it if they steal your password, then never use it and they'll never be able to either.

Anonymous said...

I have only just personally gone into discovering what Open ID is all about.  This is because the 3rd party message board/blog system that I use is determined (understandably) not to allow guest posting.  

I am at the moment trying to convince them that Open ID would be a great compromise.  We are very limited on that system as forcing people to register with them just to leave the odd comment does put people off.  

I think fear over someone getting hold of one's password and then going around other systems impersonating them is a little paranoid.  Getting hold of a password on any system can happen rarely but I don't see how the risk is higher with Open ID.

I personally think Open ID is the best thing since sliced bread.  It certainly saves all this registering on separate systems all over the web.

Anonymous said...

How do you delete a screen name on AOL?