Mashing Up with User-centric Identity

Published in: Technology

Slide 1: Mashing Up with User-Centric Identity
  America Online LLC
  John Panzer, Praveen Alavilli

Slide 2: Web 2.0
  • Data Sharing
  • Social Collaboration
  • Perpetual Beta
  • Incremental Evolution
  • Web as a Platform, and
  • Users in Control

Slide 3: Mashup
  • Wikipedia: "a website or application that combines content from more than one source into an integrated experience."
      • API[1] + API[2] + … + API[N]
      • Netvibes.com, imified.com, etc.

Slide 4: Role of Identity
  • Well... to identify the user, for:
      • Personalization
      • Authorization / Access Control
      • Communication
      • Content Publishing
      • Maintaining Public Identity across Providers

Slide 5: But... it is also
  • A barrier to entry
      • Registration == drop-off
      • ID fatigue among users
  • Expensive to maintain authentication infrastructure

Slide 6: Online Identity
  • Lives moving online
  • Virtual-world identity != physical-world identity
  • Fragmentation of identity across services
  • Limits value of services (network growth slowed)
  • Not necessary to bind identity and services together

Slide 7: User-Centric Identity
  • Providing User Choice
  • Privacy protecting
  • Easy to adopt & use
  • Allowing collaboration
  • Supporting the Long Tail Applications
  • Internet scale

Slide 8: Open Protocols
  • Community driven
      • OpenID
      • CardSpace
      • Liberty (SAML)
  • Proprietary
      • Yahoo! BBAuth
      • Google Account API
      • AOL OpenAuth

Slide 9: Challenges with Adoption
  • Platform/OS dependencies
  • Programming Language Support
  • Too many APIs/Protocols
  • Complex message formats

Slide 10: Challenges with User Experience
  • Sites with an existing user base
  • Same ID/Password everywhere
  • Inconsistent login experience
  • 'Deputization' of services
  • Redirects

Slide 11: Challenges with Permission Management
  • Different ways to manage user permissions (consent)
  • Implicit vs Explicit
  • Client vs Server
  • Distributed Consent Management
  • Managing given Consents

Slide 12: Security Issues
  • XSS
  • Phishing
  • Authentication Tokens for Sites vs Users
  • Managing Sessions (Client side vs Server side)
  • Authentication Token validation/invalidation

Slide 13: Privacy Issues
  • Same Identifier everywhere
  • Public vs Private Personas
  • Anonymous and Randomized Identities

Slide 14: Reputation Services
  • Why Reputation?
  • Who owns it?
  • Based on
      • Published content
      • Activity
      • Collaboration with other Services (Mail, IM, etc.)
  • Actions to take
      • Restricted Usage limits
      • Block/Deny requests
      • Report to Reputation Services

Slide 15: Next steps…
  • User Experience
      • Consistency is the "Key"
  • User Permissions
      • Ask the User!
      • Implied consents are bad
  • Report and Consume Reputation
  • Identity and associated data under the user's control
      • Support multiple public/private identities
      • Support switching Identity Providers
  • Adopt protocols that support all (or most) of the above

Slide 16: AOL Open Authentication API
  • Simple API to Authenticate AOL/AIM/ICQ Users
  • Light-weight "provisioning" and easy integration/use
  • Well-known/understood Technologies
      • HTTP/TLS/XML/JSON/…
  • Permission (Consent) Management
  • Secure Token exchange for 'deputization' of services
      • Designed for AOL Open Services Consumption
  • Supports Redirect, AJAX, and Direct Models
  • Also…
      • OpenID Provider (OP)
      • OpenID Authentication Token Exchange Extension
      • OpenID Consumer/Relying Party: accepts 3rd-party OpenIDs
  • STS for CardSpace (in the future)
  • http://dev.aol.com/openauth

Slide 17: Sign In Page

Slide 18: Permission Request Page

Slide 19: User Permission Management Page (https://my.screenname.aol.com)

Slide 20: Ficlets

Slide 21: Q & A / Contact Info
  • Praveen Alavilli: =praveen.alavilli
  • John Panzer: =john.panzer
  • http://dev.aol.com
