[OSM-dev] The future of Potlatch

Christopher Schmidt crschmidt at metacarta.com
Thu May 1 23:31:39 BST 2008 

On Thu, May 01, 2008 at 11:04:06PM +0100, Tom Hughes wrote:
> In message <16e8cf860805011348jed1acdcs61e65ef29805f6df at mail.gmail.com>
>           "Tom Carden" <tom at tom-carden.co.uk> wrote:
> 
> > I was trying to stay out of this thread, but someone should really
> > mention OAuth at this point.
> > 
> > I'm not sure if anyone is working on this already for OSM, but it's
> > rapidly emerging as a de-facto standard for delegated authentication,
> > getting rid of the password anti-pattern. I believe Rails libraries
> > are available.
> > 
> > http://oath.net
> 
> So rapidly emerging that I'd never heard of it before...
> 
> How does it compare to OpenID, which is what people normally ask us for?

OpenID solves a different problem: depending on whether you're a
consumer or a producer, it allows you to either:
 * Use external verification that someone is who they say they are
 * Provide external verification that someone is who they say they are.

Neither of these solve the problem of "I am Chris's server, and I want
to act like Tom when talking to the API." Which is what OAuth is
intended to solve. 

Essentially OAuth is the equivilant (as I understand it) of an open
source version of the Flickr auth API.

> I'm not sure it's relevant to the issue at hand here anyway, as I think
> it's not an issue at all. We already support token based authentication
> so all it needs is an API call on the site that will return a token and
> what Frederik wants can work.

Except... how does that API call on the site get called? The API call
needs for a user to be logged in. That token then needs to be provided
back to the remote application ("Chris's Server") and then used to talk
to the OSM server from that point forward. Essentially, OAuth is a
formalization of this task. The token that OSM wants to use here is a
fine first step in implementing OAuth, as I understand it: It's the
'behind the scenes' work that is important in OAuth and OSM doesn't
have.  

> Potlatch already uses token based authentication in fact, it's just
> that the token is created behind the scenes by rails and embedded in
> the HTML page it returns which starts the flash applet.

And the reason that Potlatch can do that is because potlatch can get the
user's credentials without violating security because it is running on
the main server. Changing that so an external server can get access to
that token is not a 'just' thing -- making it so a user can copy paste a
token is possible, and not hugely difficult, but it doesn't provide the
UI that most users would probably want :)

Regards,
-- 
Christopher Schmidt
MetaCarta

More information about the dev mailing list