[OSM-dev] User authentication/Single sign on (was: Proposal for a map-bug tracker)

Frederik Ramm frederik at remote.org
Fri Nov 28 23:45:38 GMT 2008


Hi,

I'm moving this to dev. - I don't think we should use too much 
authentication in the context of bug tracking, but on a wider note, 
talking about other services etc:

Douglas Furlong wrote:
> I think the level to which Fedora went is far beyond what we would need, but
> setting up an LDAP directory to store authentication credentials would be
> fairly straight forward.

What we need is a central system against which untrusted services can 
authenticate someone. I am not sure if LDAP delivers that.

A user talking to System X must be able to prove to System X that he is 
OpenStreetMap user Z, without System X gaining any privileged information.

It is trivial to implement this if you trust System X - you just give 
System X your OSM username and password and it tries to make an 
authenticated request against the API. However it is more complex if X 
cannot be trusted. In that case, the usual way to deal with the 
situation is:

(a) medium security

X redirects the user to an API web page and tells the API "please 
authenticate" through parameters added to URL

API authenticates user, creates cryptographically secured message 
saying "this is really user so-and-so", redirects back to X with payload 
added to URL

X knows that user is so-and-so

(b) high security

X opens direct connection to API, tells it "please create authentication 
session", gets back session id

X redirects user to API with only session id as payload

API does authentication, stores result in session, redirects back to X 
only with session as payload

X opens direct connection to API, queries result of authentication by 
specifying session id, gets back user id.

X knows that user is so-and-so.

As far as I know this has nothing to do with LDAP, or does LDAP 
somewhere specify a scheme like that?

There has been discussion in the past about using "OpenID" for this but 
OpenID is something else, and more complicated, because it is not built 
around the idea that you have one central master ID database (like we 
have - you need an API account and anything else should follow from 
that); instead with OpenID you can use multiple "identity providers" of 
which the OSM API could (but would not need to) be one. (Plus OpenID 
accounts are always URLs which is ugly.)

What we need (unless we want to write our own version of the above) 
is probably OAuth. For a discussion of OAuth and OpenID, see:
http://mashable.com/2008/07/28/openid-and-oauth/

There's a wiki page here:
http://wiki.openstreetmap.org/wiki/Single_sign_on
but I believe it is misguided in advocating OpenID and I'll amend it 
shortly.

Bye
Frederik

-- 
Frederik Ramm  ##  eMail frederik at remote.org  ##  N49°00'09" E008°23'33"
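The two schemes described in the mail above, as an added example that is not from the original post or the OSM project: the API side and the checks service X must make are simulated in one Python module. The per-service shared HMAC key, the nonce binding the scheme (a) payload to X's pending request, and the one-shot lookup of the scheme (b) session are assumptions added here.

```python
import base64, hashlib, hmac, json, secrets, time

class OsmApiSide:
    """Constructed stand-in for the OSM API (the trusted identity side)."""
    def __init__(self):
        self.keys = {}       # scheme (a): shared HMAC key per registered service X
        self.sessions = {}   # scheme (b): session id -> authenticated user or None

    def register_service(self, service):
        self.keys[service] = secrets.token_bytes(32)   # assumed out-of-band setup
        return self.keys[service]

    # scheme (a): after the user logs in at the API, sign "this is user U" for X.
    # The nonce is X's own request identifier (an assumption added here), so a
    # captured redirect cannot be replayed into a different login attempt.
    def signed_assertion(self, service, user, nonce, ttl=60):
        claims = {"user": user, "aud": service, "nonce": nonce,
                  "exp": int(time.time()) + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self.keys[service], body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag).decode()   # goes into the URL

    # scheme (b): X creates a session over a direct connection, the user is
    # sent to the API with only the session id, and X later fetches the result.
    def create_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def authenticate_in_session(self, sid, user):
        if sid in self.sessions:          # unknown session ids are ignored
            self.sessions[sid] = user

    def session_result(self, sid):
        return self.sessions.pop(sid, None)   # one-shot: a second query gets None

def verify_assertion(key, service, expected_nonce, payload, now=None):
    """Service X's check of a scheme (a) payload; returns the user id or None."""
    raw = base64.urlsafe_b64decode(payload.encode())
    body, tag = raw[:-32], raw[-32:]                 # SHA-256 tag is 32 bytes
    good = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(good, tag):           # forged or altered payload
        return None
    claims = json.loads(body)
    if claims["aud"] != service or claims["nonce"] != expected_nonce:
        return None                                  # meant for another X / request
    if claims["exp"] < (now if now is not None else time.time()):
        return None                                  # stale payload
    return claims["user"]
```

In scheme (a) everything X needs arrives in the URL, so X must verify the tag, audience, nonce and expiry itself; in scheme (b) the URL carries only an opaque session id and the user identity never leaves the direct API connection.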