[OSM-dev] The future of Potlatch

Christopher Schmidt crschmidt at metacarta.com
Fri May 2 11:53:52 BST 2008

On Fri, May 02, 2008 at 08:25:04AM +0100, Tom Hughes wrote:
> In message <20080501235238.GA3459 at metacarta.com>
>         Christopher Schmidt <crschmidt at metacarta.com> wrote:
> > On Fri, May 02, 2008 at 12:18:58AM +0100, Tom Hughes wrote:
> >> Well I assume the client app would make a request to /api/0.5/user/token
> >> or something with noraml username+password HTTP authentication and get a
> >> token back that it could then use from then on.
> >> 
> >> Though of course if the client app is doing it then it could just use
> >> the HTTP auth with username+password anyway.
> >
> > Which is exactly the problem. A *remote server* now has access to OSM
> > user credentials, which is what OAuth is designed to avoid. User
> > credentials should never be in the hands of more people than they have
> > to: in this case, that's you (OSM server) and the user, nobody else.
> > That's what OAuth is for.
> Where did I say anything about sending the credentials to the
> remote server?

If the Flash app can get them, anyone can. The flash app shouldn't be
asking for user credentials. It should be redirecting the user to
OSM.org to grant auth to the application.

> I said the client app (ie the flash applet) asks the user for
> them and sends them directly to our server.

But there's no way to ensure that: that's the problem. If it can send
them to OSM, it can just as easily send them to "Joe Schmoe": there's no
way to force a client to do anything other than that.

> A remote site would always need to get the user to login, whether that
> was by redirecting to our site using OAuth to get a token authorised
> (which from reading the OAuth doco seems to involve redirecting to a
> login screen on our site) or by having the downloaded applet do it.

Correct. But in the OAuth case, the user never gives his credentials to
Joe Attacker OSM Developer. He only gives them to OSM -- he doesn't have
to make a judgement call every time he wants to try a new client about
whether he trusts the client or not.

Currently, users make this decision whenever they use a client other
than Potlatch, but (at least to me), that's a barrier that we shouldn't
force users to go through. 

Christopher Schmidt

More information about the dev mailing list