Opened 10 years ago

Closed 10 years ago

#1525 closed enhancement (wontfix)

Expose user auth tokens to remote web-based applications

Reported by: crschmidt@…
Owned by: Tom Hughes
Priority: major
Milestone: Wishlist
Component: website
Version:
Keywords:
Cc:

Description

In order to create tools which interact with OSM in an authenticated way, it is necessary to provide a way for users to authenticate themselves to OSM without providing username and password to a third party.

Currently, OSM has a 'token' implemented internally which can achieve some of this: it is possible to login with username 'token' and a password equivalent to a session token of theirs. This is how Potlatch works. However, there is no way for a user to get a token other than to view source on edit.html and copy the token out.

Additionally, I believe these tokens expire when a user logs out.

It would be nice to have a way to have a remote web application be able to get a token that didn't expire with logout. A somewhat-common auth procedure is:

A first pass at this would just be to let the user get a token from a webpage -- preferably one that expired after one week instead of when the user logged out -- so that they could copy that into a third party application.
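A sketch of the longer-lived token the description asks for, as an added example that is not part of the original ticket and not OSM's code. Only the username 'token' convention and the one-week lifetime come from the ticket; `TokenStore`, `basic_header` and the in-memory dictionary are hypothetical names and storage chosen for illustration.

```python
import base64
import hashlib
import secrets
import time

TOKEN_TTL = 7 * 24 * 3600  # one week, the lifetime suggested in the ticket


class TokenStore:
    """Hypothetical in-memory token store; not OSM's implementation."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}  # sha256(token) -> (user, expiry); raw token never stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user):
        """Create a token the user copies into a third-party application."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (user, self._clock() + TOKEN_TTL)
        return token

    def revoke(self, token):
        """Withdraw one token without touching the password or web session."""
        self._tokens.pop(self._digest(token), None)

    def authenticate(self, authorization_header):
        """Return the user for 'Basic base64(token:<value>)', else None."""
        scheme, _, payload = authorization_header.partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(payload, validate=True).decode("utf-8")
        except ValueError:  # malformed base64 or non-UTF-8 bytes
            return None
        username, sep, value = decoded.partition(":")
        if not sep or username != "token":
            return None
        user, expiry = self._tokens.get(self._digest(value), (None, 0))
        if user is None or self._clock() >= expiry:
            return None  # unknown, revoked, or older than one week
        return user


def basic_header(token):
    """Header a client sends: username 'token', password = the token."""
    return "Basic " + base64.b64encode(f"token:{token}".encode()).decode("ascii")
```

Because expiry is tied to the issue time rather than to the web session, logging out of the website has no effect on a token issued this way; the user ends access early with `revoke`.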

Change History (3)

comment:1 Changed 10 years ago by Tom Hughes

Alternatively, we could just do it properly and implement OAuth.

comment:2 Changed 10 years ago by crschmidt@…

This is a proposal for implementation of some of the ideas discussed in http://wiki.openstreetmap.org/wiki/Single_sign_on .

This is an alternative to implementing OAuth support. I have not actually implemented OAuth, but I believe it would require two sets of changes:

  • One set similar to the above
  • Another set at the authentication level.

Rather than implementing the changes at both levels, it is possible to use our existing infrastructure for token-based authentication, and only write the UI level.

comment:3 Changed 10 years ago by crschmidt@…

Resolution: wontfix
Status: new → closed

I thought the last time this came up, OAuth was dismissed because it was a reimplementation of pieces OSM already has. If there is a desire to support OAuth, then that's fine.

Ah, my memory was wrong: I was remembering something Frederik had said and attributing it to you:

http://lists.openstreetmap.org/pipermail/dev/2008-May/010022.html

Okay, so closing this ticket, and starting work on OAuth.
