Allow custom URL protocols or schemes when registering a client application (for OAuth) #3706
Comments
Author: mendhak I followed the instructions on the OSM wiki and made the change in a fork on GitHub:
Author: TomH Your change doesn't actually seem to match what you say in the bug description though. You stated that only http and https were allowed but it looks to me like any sequence of one or more word characters (plus hyphens) was allowed as the scheme name? All your change really seems to have done is to add restrictions (like requiring the scheme name to start with an alphabetic character) and possibly allow a few extra characters like the plus sign and full stop. Can you explain more clearly exactly what the problem you encountered was (perhaps if you said what scheme name didn't work that would help explain) and why your change fixes it, as well as why the extra restrictions you have introduced are necessary?
Author: mendhak Hi TomH,

```ruby
validates_format_of :callback_url, :with => /\Ahttp(s?):\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/i, :allow_blank=>true
```

The [https://github.com/mendhak/openstreetmap-website/commit/3e948c382e616c1bccd73db83d9cc53083ae644e first change] I made changed it to allow words and hyphens

```ruby
validates_format_of :callback_url, :with => /\A([\w-])+:\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/i, :allow_blank=>true
```

The [https://github.com/mendhak/openstreetmap-website/commit/9b82d5eda10292d74720cf12c5704dcc2d1e49b1 second change] is a bit more detailed because I was reading up on the RFC 3986

```ruby
validates_format_of :callback_url, :with => /\A([a-z]){1}([\w0-9.+-])*:\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/i, :allow_blank=>true
```

I didn't know which you would have preferred which is why I did it twice.

To explain the problem more clearly - in a third party website, a user will click 'authorize' which will redirect to the openstreetmap.org website. Then, the user will sign in and grant permissions to the third party website. At this point, normally, the openstreetmap.org website will redirect the user back to the callback url that had originally been specified. This callback url would have been specified by the author of the third party website. (http://example.com/finishedauthorization)

Currently, the callback url is being restricted to http:// and https:// addresses which doesn't work for mobile apps. This means that mobile app users will need to copy the code given to them by openstreetmap.org and paste that into the mobile app.

What would be nice is if anything:// is allowed. The reason - on a smartphone, the mobile browser will attempt to redirect the user to anything:// and this will in turn invoke the original mobile app which has registered itself to listen to anything://. As far as I know, Android OS and iOS currently allow applications to register against custom schemes.

The anything:// URL would contain the OAuth tokens it needs to communicate with openstreetmap.org which it can process and use. This provides the user with a seamless experience. Hope I'm clear, please let me know if my description is still lacking.
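The three scheme patterns discussed in the comment above, run side by side over constructed callback URLs and checked against the RFC 3986 scheme grammar. This is an added example, not part of the original thread or the openstreetmap-website code. The pattern bodies follow the comment with slashes escaped and the second change's `*` quantifiers restored, which is an assumption; `accepted_by`, `rfc_scheme?`, `report` and the sample URLs are hypothetical.

```ruby
# Added example: sample URLs are constructed, helper names are hypothetical.
# Shared remainder of the pattern (userinfo, host, port, path), as in the thread.
TAIL = '(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?'

PATTERNS = {
  original:      /\Ahttp(s?):\/\/#{TAIL}/i,
  first_change:  /\A([\w-])+:\/\/#{TAIL}/i,
  second_change: /\A([a-z]){1}([\w0-9.+-])*:\/\/#{TAIL}/i
}.freeze

# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
RFC3986_SCHEME = /\A[a-z][a-z0-9+.-]*\z/i

# Names of the patterns that accept the given callback URL.
def accepted_by(url)
  PATTERNS.select { |_name, re| re.match?(url) }.keys
end

# True when the text before "://" is a valid RFC 3986 scheme.
def rfc_scheme?(url)
  scheme = url[/\A([^:]*):\/\//, 1]
  !scheme.nil? && RFC3986_SCHEME.match?(scheme)
end

# Constructed callback URLs covering the cases raised in the thread.
SAMPLES = [
  'http://example.com/finishedauthorization',
  'myapp://oauth-callback',
  'my.app+v2://oauth-callback', # full stop and plus sign in the scheme
  '1app://oauth-callback',      # scheme starts with a digit
  'my_app://oauth-callback'     # underscore: matched by \w, not in RFC 3986
].freeze

def report
  SAMPLES.map { |url| [url, accepted_by(url), rfc_scheme?(url)] }
end

report.each do |url, names, rfc|
  puts format('%-42s %-32s rfc3986=%s', url, names.inspect, rfc)
end
```

The last sample shows that `\w` in the second change still admits an underscore, which the RFC 3986 scheme grammar does not allow.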
Author: TomH Applied and deployed. Thanks for the patch.
Author: mendhak Replying to [comment:4 TomH]:
Hi TomH, thanks for applying this and for your time, it is appreciated. Just did an end-to-end test of my mobile app and the OAuth process is very smooth.
Reporter: mendhak
[Submitted to the original trac issue database at 8.52am, Friday, 22nd April 2011]
When registering an application for usage with OSM, the application registration page asks for a Callback URL. This works perfectly fine if it's a common URI scheme such as http:// as after authorizing the application, the user is redirected to that Callback URL.
With mobile/desktop apps the user will authorize the app but then has to presumably copy some text from the website and paste it into the mobile/desktop app.
However, since desktop and mobile apps can register to listen to custom URI schemes such as myapp://, it would make things easier for the user if the Callback URL did allow custom URI schemes so that the user simply authorizes, browser redirects to myapp://, application handles it and takes care of the tokens it receives.
At the moment, when specifying a Callback URL on the registration page
http://www.openstreetmap.org/user/mendhak/oauth_clients/new
the Callback URL field does not allow anything other than http:// or https://
I have placed this under the 'website' component but please let me know if it should be elsewhere (or change it).