Reporter: crschmidt[at]crschmidt.net
[Submitted to the original trac issue database at 8.13pm, Friday, 23rd January 2009]

In order to create tools which interact with OSM in an authenticated way, it is neccesary to provide a way for users to authenticate themselves to OSM without providing username and password to a third party.

Currently, OSM has a 'token' implemented internally which can achieve some of this: it is possible to login with username 'token' and a password equivalent to a session token of theirs. This is how Potlatch works. However, this is no way for a user to get a token other than to view source on edit.html and copy the token out.

Additionally, I believe these tokens expire when a user logs out.

It would be nice to have a way to have a remote web application be able to get a token that didn't expire with logout. A somewhat-common auth procedure is:

• Visit remote site.
• Remote site checks local storage for token; if token is not valid, redirects user to osm.org/get_a_token?redirect_to=http://third-party.example.com/?remote_uid=12345
• Get a token checks that user is logged in. If user is not logged in, user is asked to login.
• Once user is logged in, they get an 'allow' or 'deny': deny just takes them back to osm homepage.
• 'Allow' redirects user to http://third-party.example.com/?remote_uid=12345&token=j23jJIIDDdz

A first pass at this would just be to let the user get a token from a webpage -- preferably one that expired after one week instead of when the user logged out -- so that they could copy that into a third party application.