[OSM-dev] API authentication

Frederik Ramm frederik at remote.org
Mon May 14 02:03:20 BST 2007


> Some quick tests and it looks trivial to be able to restrict API  
> authentication to just POST/DELETE/whatever requests.
> What does this mean?

First of all, it saves an extra HTTP roundtrip in many cases (initial 
JOSM downloads etc), so thumbs up.

> If JOSM or $EDITOR were to set Accept: headers on their request then  
> they could be given text/xml OSM data. If Accept: wasn't present  
> then, say, JSON could be returned or text/html.

Cool, and Accept: application/pdf would return a PDF atlas ;-)

However, many browsers natively accept XML data and display it in an XML 
viewer. Firefox, by default, sends:


So the Accept: header alone is probably not suitable for selecting what 
to deliver, unless we would define a special OSM MIME type 
(application/osmxml or whatever).

> The simplest possible thing that could work as a first step is to  
> turn off requiring authentication for GET requests. I haven't just  
> done it in case it horribly breaks some client or other

Most clients probably use some sort of abstraction lib that does 
everything magically anyway, i.e. $CLIENT provides password to $LIBRARY 
which sends it to the server if the server so desires, and $CLIENT 
won't even notice your change.


Frederik Ramm  ##  eMail frederik at remote.org  ##  N49°00.09' E008°23.33'
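
The Accept: point in the message above, as an added example that is not part of the original message or of any OSM code: a small content-negotiation routine showing that a browser-style header listing XML types gets the same answer as an editor asking for text/xml, while a dedicated type such as the "application/osmxml" floated above separates the two. The header strings, function names and the text/html default are assumptions, and media-range precedence is simplified to q-value, then header order.

```python
# Added illustration: header strings and function names are constructed,
# and precedence of media ranges is simplified to "q, then header order".

def parse_accept(header):
    """Return [(media_range, q)] sorted by q descending (stable for ties)."""
    ranges = []
    for part in header.split(","):
        fields = [f.strip() for f in part.split(";")]
        if not fields[0]:
            continue
        q = 1.0
        for param in fields[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # unparsable weight: treat the range as refused
        ranges.append((fields[0].lower(), q))
    return sorted(ranges, key=lambda r: -r[1])

def matches(media_range, offered):
    """True if a range such as text/* or */* covers the offered type."""
    rtype, _, rsub = media_range.partition("/")
    otype, _, osub = offered.partition("/")
    return rtype in ("*", otype) and rsub in ("*", osub)

def negotiate(header, offered, default):
    """Pick the offered type matching the client's most preferred range."""
    if not header:
        return default  # no Accept: header at all
    for media_range, q in parse_accept(header):
        if q > 0:
            for candidate in offered:
                if matches(media_range, candidate):
                    return candidate
    return default

# Constructed sample headers (not captured from any real client).
BROWSER = "text/html;q=0.9,text/xml,application/xml,*/*;q=0.5"
EDITOR_GENERIC = "text/xml"
EDITOR_OSM = "application/osmxml"

if __name__ == "__main__":
    for offered in (["text/xml", "text/html"], ["application/osmxml", "text/html"]):
        for name, hdr in (("browser", BROWSER), ("editor", EDITOR_GENERIC),
                          ("osm editor", EDITOR_OSM), ("no header", None)):
            print(offered[0], name, "->", negotiate(hdr, offered, "text/html"))
```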
