We launched a new version of OpenAuth yesterday, which now supports a new login method (called 'clientLogin') for rich clients (standalone desktop clients and Flash/AIR/Silverlight clients, both standalone and browser-embedded). I have blogged before about why we need to provide login methods for client applications.
With the new OpenAIM 2.0 launch, we really had to open up our authentication for rich clients built by 3rd party developers so they can build really cool AIM clients with great user experience.
To make sure the tokens issued by the 'clientLogin' method cannot be stolen and replayed, we use a combination of the user's password and a random session secret returned by the clientLogin method (over SSL, of course) to generate a 'SessionKey' that must be used to sign every AOL OpenServices request. So far WebAIM is the only service that supports these new tokens other than the Open AIM API/SDKs; other services are making the necessary updates to support them very soon.
Speaking of request signing, I am very happy to announce that we adopted the OAuth Signature Base String in our request signing mechanism as the basis for generating the signature using the 'SessionKey'. We couldn't yet adopt the OAuth parameter naming and the protocol (due to the dependencies across all our services), but that's something that we will definitely be looking into in the future.
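The derive-then-sign flow described above, as an added example that is not AOL's code or part of the original post. HMAC-SHA256 for both steps, the host `api.example.test` and the parameter names `a`, `k` and `message` are assumptions, since the post names only the 'SessionKey' and the OAuth Signature Base String.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    # OAuth base-string encoding: only RFC 3986 unreserved characters
    # (A-Z a-z 0-9 - . _ ~) stay literal, everything else is %XX.
    return quote(value, safe="-._~")


def derive_session_key(password: str, session_secret: str) -> str:
    # ASSUMPTION: HMAC-SHA256 keyed with the password over the session secret.
    # The post only says the two values are combined into a 'SessionKey'.
    mac = hmac.new(password.encode(), session_secret.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def signature_base_string(method: str, url: str, params: dict) -> str:
    # OAuth Signature Base String: METHOD & enc(url) & enc(sorted encoded query)
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    query = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(query)])


def sign_request(session_key: str, method: str, url: str, params: dict) -> str:
    # ASSUMPTION: HMAC-SHA256 keyed with the SessionKey over the base string.
    base = signature_base_string(method, url, params)
    mac = hmac.new(session_key.encode(), base.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify_request(session_key, method, url, params, signature) -> bool:
    # Server side: recompute and compare in constant time.
    expected = sign_request(session_key, method, url, params)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Constructed sample values, not real credentials or endpoints.
    key = derive_session_key("correct horse", "constructed-session-secret")
    url = "https://api.example.test/im/send"
    params = {"a": "constructed-token", "k": "constructed-devId", "message": "hi"}
    sig = sign_request(key, "GET", url, params)
    print("valid:", verify_request(key, "GET", url, params, sig))
    print("tampered:", verify_request(key, "GET", url, {**params, "message": "x"}, sig))
```

A party holding only the token and the session secret cannot produce a signature that verifies, because the key also depends on the password, which is never sent with the signed requests.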
You can check out our new APIs on the OpenAuth documentation site and get a devId with 'clientLogin' enabled from the Key Management page.
