mashing up with user-centric identity
TRANSCRIPT
Mashing Up withUser-Centric Identity
America Online LLCJohn Panzer, Praveen Alavilli
Web 2.0
Data Sharing Social Collaboration Perpetual Beta Incremental Evolution Web as a Platform, and Users in Control
Mashup
Wikipedia: "a website or application that combines content from more than one source into an integrated experience."
API[1] + API[2] + … +API[N]Netvibes.com, imified.com, etc…
Role of Identity
Well .. to identify the user for ….PersonalizationAuthorization / Access ControlCommunicationContent PublishingMaintaining Public Identity across Providers
But … it is also
A barrier to entryRegistration == drop offID fatigue among users
Expensive to maintain authentication infrastructure
Online Identity
Lives moving online Virtual world identity != physical world
identity Fragmentation of identity across services Limits value of services (network growth
slowed) Not necessary to bind identity and services
together
User-Centric Identity
Providing User Choice Privacy protecting Easy to adopt & use Allowing collaboration Supporting the Long Tail Applications Internet scale
Open Protocols
Community drivenOpenIDCardSpaceLiberty (SAML)
ProprietaryYahoo! BBAuthGoogle Account APIAOL OpenAuth
Challenges w/ Adoption
Platform/OS dependenciesProgramming Language SupportToo many APIs/ProtocolsComplex message formats
Challenges w/ User Experience
Sites with existing user base Same ID/Password every where Inconsistent login experience ‘deputization’ of services Redirects
Challenges w/ Permission Management
Different ways to manage user permissions (consent)
Implicit Vs Explicit Client Vs Server Distributed Consent Management Managing given Consents
Security Issues
XSS Phishing Authentication Tokens for Sites Vs Users Managing Sessions (Client side Vs Server
side) Authentication Tokens validation/invalidation
Privacy Issues
Same Identifier everywhere Public Vs Private Personas Anonymous and Randomized Identities
Reputation Services
Why Reputation ? Who owns it ? based on
Published content Activity Collaboration with other Services (Mail, IM, etc.)
Actions to take Restricted Usage limits Block/Deny requests Report to Reputation Services
next steps…
User Experience Consistency is the “Key”
User Permissions Ask User ! Implied consents are bad
Report and Consume Reputation Identity and associated data under user’s control
Support multiple public/private identities Support switching Identity Providers
Adopt protocols that support all (most) of the above
AOL Open Authentication API
http://dev.aol.com/openauthhttp://dev.aol.com/openauth
• Simple API to Authenticate AOL/AIM/ICQ Users
• Light-weight “provisioning” and easy integration/use
• Well known/understood Technologies
• HTTP/TLS/XML/JSON/…
• Permission (Consent) Management
• Secure Token exchange for ‘deputization’ of services
• Designed for AOL Open Services Consumption
• Supports Redirect, AJAX, and Direct Models
• Also …
• OpenID Provider (OP)
• OpenID Authentication Token Exchange Extension
• OpenID Consumer/Relying Party - accepts 3rd party OpenIDs
• STS for CardSpace (in the future)
Sign In Page
Permission Request Page
User Permission Management Page
https://my.screenname.aol.com
Ficlets
Q & A
Contact Info
Praveen Alavilli John Panzer=praveen.alavilli =john.panzer
http://dev.aol.comhttp://dev.aol.com