[OSM-dev] OAuth
Tom Hughes
tom at compton.nu
Sat Jun 27 09:57:08 BST 2009
Frederik Ramm wrote:
> I haven't looked at your implementation - which SVN revision should I
> check out to do so?
It's on a branch for now - rails_port_branches/oauth is what you want.
> Does the implementation
> * allow third party applications to identify an OSM user so that they
> can, for example, store local preferences under that username?
I'm not sure what you mean by "identify" in this context, but one of the
permissions an application can ask for is the ability to read and/or
write to a user's preferences (read and write are separate permissions).
> * allow users to grant third party applications the right to make edits
> in their name?
Yes.
> * allow the first item above WITHOUT at the same time allowing the
> second item above (so that I can authenticate with a third party
> application but I may not trust that application enough to actually make
> edits in my name)?
OAuth is not about providing third party authentication - that is the
job of an OpenID provider. OAuth is about allowing third parties to do
things on our web site in the name of a given user without exposing
authentication details to them.
But yes, you can grant preference access without granting edit access.
> * allow users to grant third party applications the right to retrieve
> their non-public GPS tracks, and again, give the user a choice whether a
> given third-party application should have this right (or only know the
> username, or only make edits)?
Once again, yes.
The permissions currently implemented are:
- Read preferences
- Write preferences
- Create diary entries and comments and add new friends
- Make edits using the API
- Read the user's GPX traces, including private ones
- Add new GPX traces
One thing I'm interested in people's thoughts on is the third of those
which covers several different things - would those be better split up?
Tom
--
Tom Hughes (tom at compton.nu)
http://www.compton.nu/