Friday, March 12, 2010

OpenID 2.0 Provider support live @ AOL

I'm excited to announce that the AOL Identity Services team has fully deployed OpenID 2.0 Provider support. Directed identity flows are now enabled so just entering 'aol.com' into an OpenID field will start the authentication flow. In addition to directed identity, this release also supports "check immediate" flows, SREG, AX, UI (popup browser), PAPE (as required by the ICAM OpenID 2.0 Profile) and of course the ICAM OpenID 2.0 Profile itself.

We have also improved the UI making it much cleaner and easier to follow. One feature of this new UI is a page that allows the user to choose, when first visiting a new site, whether to use their public OpenID (http://openid.aol.com/<username>) or an opaque one. Of course, this choice isn't necessary if the user provides the relying party their full OpenID or the relying party specifically requests an opaque identifier (via PAPE policy). I'd really appreciate feedback on whether this "privacy" feature is helpful to users or just adds more confusion.

In addition to the existing SREG support, the same attributes will be supported via Attribute exchange. There is equivalent support for the http://axschema.org URIs but only partial support for the Information Card URIs as there weren't direct equivalents for all of the attributes. Here is what is currently supported.

http://axschema.org/namePerson/friendly
http://axschema.org/contact/email
http://axschema.org/birthDate
http://axschema.org/person/gender
http://axschema.org/contact/postalCode/home
http://axschema.org/contact/country/home
http://axschema.org/pref/language
http://axschema.org/pref/timezone

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country


Suggestions or requests for specific attributes are always welcome. One point of clarification regarding email addresses and verification. The current implementation defaults the email address to the user's AOL provided email address but does allow the user to change the value returned to the relying party.

While there is still a lot to do, it feels really good to finally reach this milestone.

8 comments:

bkissel said...

Congratulations George, great news for AOL!

Cheers, Brian

Unknown said...

Please consider certification at LOA1 with the US government

bkissel said...

Congratulations on the great progress George!

Monica said...

Ah I see you DO support checkid_immediate that is awesome !

George Fletcher said...

Thank Monica, please let us know if you run into any issues with check_immediate.

Anonymous said...

Excellent! Great to see this finally launch!

Unknown said...

When i am trying to connect via my open id a warning message is there stating "Warning! site verification could not be completed." how to solve this issue

George Fletcher said...

Hi mano09, to remove this warning message, your relying party needs to support XRDS discovery. See section 13 of the OpenID 2.0 specification.

Basically, the returned XRDS needs a <Service> element with a <Type> of http://specs.openid.net/auth/2.0/return_to and an <URI> value that matches the return_to parameter in the OpenID request.