Friday, May 18, 2007

Goodbye AOL; Hello Google!

Today is my last day at AOL.  I celebrated my binary millennial in February, and it's time to move on... to some exciting new things over at Google.  I'm going to continue to work in the community/social networking area and I plan to keep gently evangelizing user centric identity, REST, Atom, and feed technologies, among many other things.  And, yes, getting products out the door too.  It'll be fun.

I don't know yet if I'll continue using this blog; but regardless, http://abstractioneer.org will always resolve to where I'm blogging (anything can be solved with one level of indirection).  And =john.panzer will always reach me.

Wednesday, May 16, 2007

Iiw2007 wrap

Image from AOL Pictures


New Journals features: Video, pictures, mobile... and Atom!

The team just added some cool features to Journals last night.  There's a new button that lets you easily add pictures from various Flickr, your computer, AOL Pictures, or an arbitrary URL.  There's a video button that lets you upload a video to embed in your entry or About Me, or record directly from your webcam.  The latter uses the Userplane video recorder widget, which was a breeze to integrate with.  We're also highlighting our mobile posting feature at http://journals.aol.com, which lets you post via your cell phone (or email!) including pictures or video.  Here's a quick trick:  You can use this feature to integrate iPhoto with your blog; just choose to Share via email and put in your blog's email address.

We've also made some changes to our Atom API to bring it more into line with the draft APP standard; it's not 100% there yet but it's close and certainly usable.

Tuesday, May 15, 2007

At iiw2007a: Concordia (Eve Maler)

Image from AOL Pictures

Eve draws up a diagram showing how 'bootstrapping' works in SAML/Liberty WS.  Discussion ensues with many queries about Condordia.  More questions than answers, but I think that people have a lot of related/interlocking problems that need solving.

Starting from OpenID, it sounds to me like all these cases are a subset of the "access a service on behalf of a user" use case; hopefully solving either one will help with the other.

Monday, May 14, 2007

At IIW2007

I'm at IIW right now and also hacking away on OpenAuth and Blogs.  Which does make sense since the people I need to talk to about how it should work are mostly here, with the exception of Praveen, who for some inexplicable reason prefers France.

So far so good; this curl command posts a blog entry on my Atom blog service:

curl -k -v -sS --include --location-trusted --request POST --url 'https://monotreme:4279/_atom/collection/blogssmoketester' --data @/tmp/ieRN0zhgh6 --header 'Content-Type: application/atom+xml; charset=utf-8' --header 'Authorization: OpenAuth token="%2FwEAAAAABYgbMtk4J7Zwqd8WHKjNF6fgJSYe4RhTuitkNyip%2BEru%2FY43vaGyE2fTlxKPAEkBC%2Bf5lhWg18CE2gaQtTVQy0rpillqtUVOOtrf1%2BLzE%2BNTcBuFJuLssU%2B6sc0%3D" devid="co1dDRMvlgZJXvWK"'

Note that the token, which gives authorization and authentication, is obtained with a separate login call to an internal OpenAuth server.  It looks like I need both the token and the devid; the devid essentially identifies the agent representing the user.

I should be able to post this curl command line with impunity because it shouldn't expose any private data, unlike the HTTP Basic Auth equivalent which exposes the user's password in nearly clear text.  This also implies that it should be possible to avoid using TLS.

Now, if I had a standard way to get a token for an OpenID session, I could pass that in like so:

Authorization: OpenID token="...."

And my server will advertise that it accepts all three -- Basic, OpenAuth, and OpenID.  I hope to talk with like minded people about this at IIW.

Monday, May 7, 2007

Sun += OpenID

Tim Bray just blogged about openid.sun.com, which is an identity provider for Sun employees only.  Interesting!  Though technically one would like to be able to do independent assertions about user centric identities ("works for Sun" being a reasonable assertion one could make about any identity).  I suppose though that someone could use OP delegation to point http://me.example.org to openid.sun.com and achieve part of the same effect.  And in the end you'll need to rely on something like openid.sun.com to validate assertions presumably.


Friday, May 4, 2007

AOL OpenAuth and Atom Publishing Protocol

I'm looking to see how best to implement Atom-compatible authentication for AOL's OpenAuth service.  The service provides ways for users to authenticate themselves and to grant permissions to services to do things such as read buddy lists on behalf of a user.  These permissions are encapsulated in a portable token which can be passed around.  The primary use cases for this involve pure web based AJAX applications, so making this something that a generic application can deal with isn't fully specified.

So, here are my thoughts.  Let's say the client has a token string which encapsulates authentication and authorization.  They need to send this along with an Atom Publishing Protocol (APP) request. 

Windows Live and GData both implement custom RFC 2617 WWW-Authenticate: header schemes.  Unfortunately they don't follow exactly the same pattern, or I'd just copy it.  But using RFC 2617 is clearly the right approach if the server can support it.  So here's a proposal:

If a client has an OpenAuth token, it sends an Authorization: header.  The format looks like this:
Authorization: OpenAuth token="..."
where ... contains the base64-encoded token data (an opaque string, essentially).

When there is a problem, or the Authorization: header is missing, a 401 response is returned with a WWW-Authenticate: header.
401 Need user consent
...
WWW-Authenticate: OpenAuth realm="RealmString", fault="NeedConsent", url="http://my.screenname.aol.com/blah?a=boof&b=zed&...."
where the status code contains a human readable message, and the WWW-Authenticate header contains the precise fault code -- NeedToken, NeedConsent, ExpiredToken.  If present, the url parameter gives the URL of an HTML page which can be presented to the end user to login or grant permissions.  For example it can point to a login page if the fault is NeedToken.  A client would then need to do the following in response:
  1. Append a "&succUrl=..." parameter to the url, telling the OpenAuth service where to go when the user successfully logs in or grants permission. 
  2. Open a web browser or browser widget control with the given composed URL, and present to the user.
  3. Be prepared to handle an invocation of the succUrl with an appended token parameter, giving a new token to use for subsequent requests.
Note that the succUrl can be a javascript: URL, or a custom scheme (e.g., aim:) if your destination client is not a web browser.  Or it could be pointing to a local web server (http://localhost:1080/openauthcallback.cgi) or perhaps other schemes to get the token from point A to point B.  Whatever method is chosen, eventually the client will receive an OpenAuth token that it can use to try (or re-try) the Atom request.

As a wrinkle, to enhance autodiscovery, perhaps we should allow an "Authorization: OpenAuth" header with no token on any request (including HEAD).  The server could then respond with a 401 and fault="NeedToken", telling the client what URL to use for login authentication.  The interesting thing about this is that the protocol is then truly not tied to any particular authentication service -- anyone who implements this fairly simple protocol with opaque tokens can then play with anyone else.  The whole thing could be built on top of OpenID, for example. 

Perhaps this doesn't quite work.  I notice that the Flickr APIs don't do this, and instead have non-browsers establish a session with a client-generated unique key ("frob").  But this requires that users end up looking at a browser screen that tells them to return to their application to re-try the request.  Which the above scheme could certainly do as well, by making the succUrl point at such a page.  So is there a reason why Flickr doesn't redirect?  There's likely a gaping security hole here that I'm just missing.