[OSM-dev] The future of Potlatch

Christopher Schmidt crschmidt at metacarta.com
Fri May 2 00:52:38 BST 2008

On Fri, May 02, 2008 at 12:18:58AM +0100, Tom Hughes wrote:
> Well I assume the client app would make a request to /api/0.5/user/token
> or something with normal username+password HTTP authentication and get a
> token back that it could then use from then on.
> Though of course if the client app is doing it then it could just use
> the HTTP auth with username+password anyway.

Which is exactly the problem. A *remote server* now has access to OSM
user credentials, which is what OAuth is designed to avoid. User
credentials should never be in the hands of more people than they have
to: in this case, that's you (OSM server) and the user, nobody else.
That's what OAuth is for.

Christopher Schmidt
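The distinction Christopher is drawing, shown as an added example that is not part of this thread or of the OSM code base: a minimal three-legged OAuth 1.0a exchange in Python, with HMAC-SHA1 signatures built as RFC 5849 describes, and both the provider (the OSM-like server) and the third-party app simulated in one process. The host `osm.example`, the consumer key `editor-app`, the `/oauth/...` and `/api/0.5/user/details` paths, and the token formats are assumptions for illustration. The only step that touches the password is `Provider.authorize`, which in a real deployment is the user's browser talking to the provider's site; the app side handles nothing but its own secret and tokens.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    return quote(str(value), safe="-._~")  # RFC 5849 section 3.6: only unreserved characters stay bare


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & encoded URL & encoded, sorted, normalized parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return f"{method.upper()}&{pct(url)}&{pct('&'.join(f'{k}={v}' for k, v in pairs))}"


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 of the base string, keyed with consumer secret '&' token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_request(key, secret, url, method, token=None, token_secret="", **extra):
    """What the third-party app sends: OAuth parameters plus a signature, never a password."""
    params = {"oauth_consumer_key": key, "oauth_nonce": secrets.token_hex(8),
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
              "oauth_version": "1.0", **extra}
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, secret, token_secret)
    return params


class Provider:
    """Stand-in for the OSM server: the only party that ever handles the user's password."""

    def __init__(self, base_url, consumers):
        self.base_url, self.consumers = base_url, consumers      # consumer key -> consumer secret
        self.users, self.request_tokens, self.access_tokens = {}, {}, {}

    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def _verify(self, method, path, params, store=None):
        """Check the signature; when a token store is given, the token must exist and its secret is used."""
        entry = store.get(params.get("oauth_token")) if store is not None else {"secret": ""}
        consumer_secret = self.consumers.get(params.get("oauth_consumer_key"))
        if entry is None or consumer_secret is None:
            raise PermissionError("unknown token or consumer")
        expected = hmac_sha1_signature(method, self.base_url + path, params, consumer_secret, entry["secret"])
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("bad signature")
        return entry

    def request_token(self, params):
        self._verify("POST", "/oauth/request_token", params)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "consumer": params["oauth_consumer_key"], "user": None}
        return token, secret

    def authorize(self, token, username, password):
        """Browser step: the user logs in here, at the provider, and approves the app."""
        salt, stored = self.users[username]
        if not hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)):
            raise PermissionError("login failed")
        entry = self.request_tokens[token]
        entry["user"], entry["verifier"] = username, secrets.token_hex(6)
        return entry["verifier"]

    def access_token(self, params):
        entry = self._verify("POST", "/oauth/access_token", params, self.request_tokens)
        if entry["user"] is None or not hmac.compare_digest(entry["verifier"], params.get("oauth_verifier", "")):
            raise PermissionError("not authorized by the user")
        del self.request_tokens[params["oauth_token"]]           # request tokens are single use
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "consumer": entry["consumer"], "user": entry["user"]}
        return token, secret

    def api(self, method, path, params):
        entry = self._verify(method, path, params, self.access_tokens)
        return {"user": entry["user"], "via_consumer": entry["consumer"]}


def three_legged_flow(username, password):
    """The full dance; the app side handles tokens only, the password goes to the provider."""
    key, secret = "editor-app", secrets.token_hex(16)             # consumer registered out of band
    provider = Provider("https://osm.example", {key: secret})     # assumption: placeholder host
    provider.register_user(username, password)

    def req(path, method, *tok, **extra):                         # app-side helper: build a signed request
        return signed_request(key, secret, provider.base_url + path, method, *tok, **extra)
    rt, rts = provider.request_token(req("/oauth/request_token", "POST", oauth_callback="oob"))
    verifier = provider.authorize(rt, username, password)         # user -> provider; the app is not involved
    at, ats = provider.access_token(req("/oauth/access_token", "POST", rt, rts, oauth_verifier=verifier))
    details = provider.api("GET", "/api/0.5/user/details", req("/api/0.5/user/details", "GET", at, ats))
    return {"provider": provider, "consumer": (key, secret), "access": (at, ats), "details": details}
```

The `oauth_verifier` check in `access_token` is the 1.0a addition: a request token can only be exchanged for an access token by a party that obtained the verifier from the user's authorization at the provider, and the request token is deleted once used. Compare this with the token endpoint sketched in the quoted message, where the app would have to present the username and password itself to get anything back.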
