[OSM-dev] The future of Potlatch

Tom Hughes tom at compton.nu
Fri May 2 08:25:04 BST 2008

In message <20080501235238.GA3459 at metacarta.com>
        Christopher Schmidt <crschmidt at metacarta.com> wrote:

> On Fri, May 02, 2008 at 12:18:58AM +0100, Tom Hughes wrote:
>> Well I assume the client app would make a request to /api/0.5/user/token
>> or something with noraml username+password HTTP authentication and get a
>> token back that it could then use from then on.
>> Though of course if the client app is doing it then it could just use
>> the HTTP auth with username+password anyway.
> Which is exactly the problem. A *remote server* now has access to OSM
> user credentials, which is what OAuth is designed to avoid. User
> credentials should never be in the hands of more people than they have
> to: in this case, that's you (OSM server) and the user, nobody else.
> That's what OAuth is for.

Where did I say anything about sending the credentials to the
remote server?

I said the client app (ie the flash applet) asks the user for
them and sends them directly to our server.

The only reason Potlatch doesn't do that is that it is started
from our site where the user is probably already logged in so it
can be pre-authorised.

A remote site would always need to get the user to login, whether that
was by redirecting to our site using OAuth to get a token authorised
(which from reading the OAuth doco seems to involve redirecting to a
login screen on our site) or by having the downloaded applet do it.


Tom Hughes (tom at compton.nu)

More information about the dev mailing list