Tuesday was a very full day at IIW. The sessions I attended are listed below with a brief summary.
AOL OpenAuth -- Overview
Srinivas Lingutla from AOL gave an overview of the AOL OpenAuth API's and discussed the differences between the OpenAuth capabilities and existing OpenID authentication. The key additions of OpenAuth are the ability to retrieve a “security token” that represents the authentication and can be used in a back-channel way with other AOL services (e.g. instant messaging), and the consent model that is structured around the use of the “security token”.
HTTP binding for identity web services
This discussion was intended to gage interest in a standard framework for invoking identity based web services using HTTP as the core binding. The focus being support of browser based applications that make use of AJAX and XSS. The session was not well attended so the group present ended up covering many different issues relating to HTTP based invocation of services. John Panzer from AOL discussed some work he's done extending the HTTP support for authentication and authorization to support authentication use of ATOM/APP interfaces. There was some consensus that for REST based API's extending the existing HTTP mechanisms is the best solution. For AJAX based applications, this method does not work well so another method is required. I discussed the simple framework that AOL has defined for its Open Services APIs (e.g. Web Instant Messaging). We also discussed a couple of different invocation models that can be used (front-channel based vs back-channel based) with HTTP.
Rich Client Authentication
In this group we discussed the issues around allowing device specific applications (i.e. not a browser) to authenticate the user and then invoke identity based web services on the user's behalf. From the client developer perspective, the general consensus was that they didn't want to deal with implementing this and would rather the environment provide a consistent API that could authenticate the user and return the appropriate token. Of course this sort of just pushes the problem to a different layer. One idea was to look at OSIS and Cardspace as possible client side systems that could be used to do the authentication though this requires the user to adopt a new model of authentication. It is not clear to me how long that sort of user “training” is going to take.
Another aspect of client authentication is the desire to provision the authentication credentials in such a way that they are specific to the device. This way if they are compromised, they are not valid outside the context of the device. One solution here would be to use PKI provisioned through some “installation/setup” step. What that would be was not discussed, though one could use the Liberty Alliance Advanced Client specifications if willing to implement SOAP web services.
OpenID Token Exchange extension
Srinivas Lingutla also did a session on a proposed extension to OpenID that will allow relying parties (RP) to request an authentication token from the OpenID Provider (OP) at the time of authentication. The token can then be used to access identity based web services. AOL has implemented this proposed extension and demoed it during the “speed geeking” session on Monday by using an AOL OpenID to launch a buddylist using the AOL Web IM APIs. There were a number of questions around how to support different token types (simple support already present in the proposed extension), and whether some level of application id (or provider id) is required. The next steps include evaluating the other related proposed extensions and seeing if these can be combined into a single extension to support token request and validation. The proposed extension should be posted to the OpenID list/wiki in the next week or so.
What's broken with OpenID 2.0
Dick Hardt led a session on what is broken with the existing OpenID 2.0 spec. I'm sure the details will be appearing on his blog in the near future. The session of course grew beyond just what is broken to business issues and next generation feature requests. It was a very lively discussion. The “really broken” things were tackled during sessions on Wed. At the closing session on Wed. Dick promised that the 2.0 specification would be ready “real soon now”.
Tags: iiw2007, OpenAuth, OpenID