<h3 dir="auto">URL</h3>
<p dir="auto"><a href="https://www.openstreetmap.org/oauth2/authorize?client_id=sa1ngLJBJ8McmzHElN8NYtIDm5TZTYEYhq3-0snO4Qc&code_challenge=VgMbsKx3KZFEMM4ujihX5YORn4m8cUVzyjW41MAYjD0&code_challenge_method=S256&redirect_uri=http%3A%2F%2F127.0.0.1%3A1234%2Fland.html&response_type=code&scope=read_prefs+write_prefs&state=eX9ZWBxNWlQBou_OLWEPeNxtc_ojhO6XuagD4uVr-EU" rel="nofollow">https://www.openstreetmap.org/oauth2/authorize?client_id=sa1ngLJBJ8McmzHElN8NYtIDm5TZTYEYhq3-0snO4Qc&code_challenge=VgMbsKx3KZFEMM4ujihX5YORn4m8cUVzyjW41MAYjD0&code_challenge_method=S256&redirect_uri=http%3A%2F%2F127.0.0.1%3A1234%2Fland.html&response_type=code&scope=read_prefs+write_prefs&state=eX9ZWBxNWlQBou_OLWEPeNxtc_ojhO6XuagD4uVr-EU</a></p>
<h3 dir="auto">How to reproduce the issue?</h3>
<p dir="auto">MapComplete recently had a security scan by Radically Open Security - thanks to the NlNet fund.</p>
<p dir="auto">One of their recommendations was to start using OAuth 2.0 (which has now been done). However, they pointed out another weakness in the OAuth flow on the side of osm.org. I'm quoting <a href="https://git.radicallyopensecurity.com/jacopojannone" rel="nofollow">@jacopojannone</a> here from their research:</p>
<blockquote>
<p dir="auto">An attacker could still register their own application on OpenStreetMap, set up a malicious instance of MapComplete, and persuade users into using it to log into OpenStreetMap. Ideally, the OAuth authorization page on OpenStreetMap would clearly show which application the user is logging into, including the owner's name and the full application URL. This would make it evident to the user that they are not logging into a trusted instance of MapComplete. However, tests showed that this is not the case. When the OAuth 2.0 flow is used, the OpenStreetMap authorization page only shows the registered application name, with no other details, author names or URLs, as shown in the following figure.</p>
</blockquote>
<p dir="auto"><a target="_blank" rel="noopener noreferrer" href="https://user-images.githubusercontent.com/1466478/265124336-8acb4209-631a-44b4-b157-4fca9b023c14.png"><img src="https://user-images.githubusercontent.com/1466478/265124336-8acb4209-631a-44b4-b157-4fca9b023c14.png" alt="image" style="max-width: 100%;"></a></p>
<p dir="auto">This is handled a bit better in the current OAuth 1.0 flow, where the URL can be detected:</p>
<p dir="auto"><a target="_blank" rel="noopener noreferrer" href="https://user-images.githubusercontent.com/1466478/265124416-75e66bbe-9685-4cae-b291-14d756fd464d.png"><img src="https://user-images.githubusercontent.com/1466478/265124416-75e66bbe-9685-4cae-b291-14d756fd464d.png" alt="image" style="max-width: 100%;"></a></p>
<p dir="auto">I propose that this flow is improved by:</p>
<ol dir="auto">
<li>Showing the URL (or at least the host) verbatim next to the application</li>
<li>Showing the maintainer of the application (even though this might be a bit confusing for contributors)</li>
</ol>
<h3 dir="auto">Screenshot(s) or anything else?</h3>
<p dir="auto"><em>No response</em></p>
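<p dir="auto">Added example, not code from this issue, from MapComplete or from openstreetmap-website: a Ruby sketch of the data the consent page needs in order to show the redirect host and maintainer as proposed above, and of why the current name-only page cannot tell a look-alike registration apart. The legitimate <code>client_id</code> and <code>redirect_uri</code> are taken from the authorize URL at the top of the issue; the client registry, the owner names, the <code>lookalike-client-id</code> value and the <code>mapcomplete-login.example</code> host are constructed for illustration. The registry lookup also enforces that the requested <code>redirect_uri</code> is one pre-registered for that client, which is what makes the displayed host meaningful.</p>

```ruby
require "uri"

# Constructed registry standing in for osm.org's OAuth 2.0 client table
# (hypothetical structure). Two clients share the display name "MapComplete":
# the legitimate one (client_id taken from the issue's authorize URL) and a
# look-alike registered by someone else with a different redirect host.
CLIENT_REGISTRY = {
  "sa1ngLJBJ8McmzHElN8NYtIDm5TZTYEYhq3-0snO4Qc" => {
    name: "MapComplete",
    owner: "mapcomplete-maintainer",   # assumed value, for display only
    redirect_uris: ["http://127.0.0.1:1234/land.html"],
  },
  "lookalike-client-id" => {           # hypothetical attacker registration
    name: "MapComplete",               # identical display name
    owner: "someone-else",
    redirect_uris: ["https://mapcomplete-login.example/land.html"],
  },
}.freeze

# The authorize URL quoted in the issue.
LEGIT_URL = "https://www.openstreetmap.org/oauth2/authorize?client_id=sa1ngLJBJ8McmzHElN8NYtIDm5TZTYEYhq3-0snO4Qc" \
  "&code_challenge=VgMbsKx3KZFEMM4ujihX5YORn4m8cUVzyjW41MAYjD0&code_challenge_method=S256" \
  "&redirect_uri=http%3A%2F%2F127.0.0.1%3A1234%2Fland.html&response_type=code" \
  "&scope=read_prefs+write_prefs&state=eX9ZWBxNWlQBou_OLWEPeNxtc_ojhO6XuagD4uVr-EU".freeze

# Build an authorize URL of the same shape, so the look-alike case can be
# constructed inline (code_challenge/state are placeholders here).
def authorize_url(client_id:, redirect_uri:, code_challenge: "x" * 43, state: "s" * 32)
  query = URI.encode_www_form(
    client_id: client_id, code_challenge: code_challenge, code_challenge_method: "S256",
    redirect_uri: redirect_uri, response_type: "code",
    scope: "read_prefs write_prefs", state: state
  )
  "https://www.openstreetmap.org/oauth2/authorize?#{query}"
end

# Query parameters of an authorize URL ("+" in scope decodes to a space).
def authorize_params(url)
  URI.decode_www_form(URI.parse(url).query.to_s).to_h
end

# Everything the consent page needs. Refuses a redirect_uri that is not
# pre-registered for the client: without that server-side check an attacker
# could borrow a legitimate client_id and point it at their own host, and the
# displayed host would mean nothing.
def consent_summary(url)
  params = authorize_params(url)
  client = CLIENT_REGISTRY[params["client_id"]]
  return { error: "unknown client_id" } unless client
  redirect = params["redirect_uri"].to_s
  return { error: "redirect_uri not registered for this client" } unless client[:redirect_uris].include?(redirect)
  {
    name: client[:name],
    owner: client[:owner],
    redirect_uri: redirect,
    redirect_host: URI.parse(redirect).host,
    scopes: params["scope"].to_s.split(" "),
    pkce_method: params["code_challenge_method"],
  }
end

# What the report says the page shows today: the registered name and nothing else.
def current_consent_line(summary)
  "Authorize #{summary[:name]} to access your account?"
end

# What the issue proposes: the maintainer plus the redirect URI (and host) verbatim.
def proposed_consent_line(summary)
  "Authorize #{summary[:name]} (maintained by #{summary[:owner]}) to access your account? " \
    "You will be sent back to #{summary[:redirect_uri]} on host #{summary[:redirect_host]}."
end

if __FILE__ == $PROGRAM_NAME
  legit = consent_summary(LEGIT_URL)
  lookalike = consent_summary(authorize_url(client_id: "lookalike-client-id",
                                            redirect_uri: "https://mapcomplete-login.example/land.html"))
  puts "today:    #{current_consent_line(legit)}"
  puts "today:    #{current_consent_line(lookalike)}"   # indistinguishable from the line above
  puts "proposed: #{proposed_consent_line(legit)}"
  puts "proposed: #{proposed_consent_line(lookalike)}"
end
```

<p dir="auto">With the name-only page the two consent lines are identical; with the proposed page the redirect host is the one field the look-alike cannot copy, since it must match what that client registered.</p>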

<p dir="auto">Issue: <a href="https://github.com/openstreetmap/openstreetmap-website/issues/4217">openstreetmap/openstreetmap-website#4217</a></p>