[OSM-dev] The future of Potlatch

Tom Hughes tom at compton.nu
Fri May 2 00:18:58 BST 2008

In message <20080501223139.GA725 at metacarta.com>
          Christopher Schmidt <crschmidt at metacarta.com> wrote:

> On Thu, May 01, 2008 at 11:04:06PM +0100, Tom Hughes wrote:
> > I'm not sure it's relevant to the issue at hand here anyway, as I think
> > it's not an issue at all. We already support token based authentication
> > so all it needs is an API call on the site that will return a token and
> > what Frederik wants can work.
> Except... how does that API call on the site get called? The API call
> needs for a user to be logged in. That token then needs to be provided
> back to the remote application ("Chris's Server") and then used to talk
> to the OSM server from that point forward. Essentially, OAuth is a
> formalization of this task. The token that OSM wants to use here is a
> fine first step in implementing OAuth, as I understand it: It's the
> 'behind the scenes' work that is important in OAuth and OSM doesn't
> have.

Well I assume the client app would make a request to /api/0.5/user/token
or something with normal username+password HTTP authentication and get a
token back that it could then use from then on.

Though of course if the client app is doing it then it could just use
the HTTP auth with username+password anyway.

The only reason Potlatch uses the token is so that it can inherit the
authentication from the site that the user is already logged in to. An
application on a third party site would not have the advantage of being
already logged in so would have to ask for credentials at startup.


Tom Hughes (tom at compton.nu)
