[OSM-dev] OAuth

Tom Hughes tom at compton.nu
Sat Jun 27 14:36:51 BST 2009


Frederik Ramm wrote:

> Tom Hughes wrote:
>>> * allow third party applications to identify an OSM user so that they 
>>> can, for example, store local preferences under that username?
>>
>> I'm not sure what you mean by "identify" in this context, but one of 
>> the permissions an application can ask for is the ability to read 
>> and/or write to a user's preferences (read and write are separate 
>> permissions).
> 
> I would want a third-party application to know that whoever they are 
> talking to is the OSM user so-and-so, that's all - so that the 
> application can e.g. save application-local preferences for that user 
> without having to use an extra login/password to that site.

That isn't really how OAuth works. OAuth allows an application to say to 
a web site "I would like to do X" and the site then interacts with the 
user to get their permission (by asking them to log in if necessary and 
then to confirm they want to grant permission to the application) and 
then gives the application an opaque token it can use to access the site.

>> OAuth is not about providing third party authentication 
> 
> I know but it can be a useful side effect, can it not? Or does the 
> protocol not hand out the username - would I have to ask for edit 
> permission, then write a new node somewhere using the token I got, then 
> use an API read request to know the user name ;-)?

Well I don't think there is an OAuth permission to read the user details 
currently so an application wouldn't be able to get an OAuth token that 
allowed it to retrieve the username. Such a permission could be added of 
course.

Tom

-- 
Tom Hughes (tom at compton.nu)
http://www.compton.nu/
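
A minimal sketch of the model described in this message, added here as an illustration and not part of the original post or of OSM's code: the site hands the application a random opaque token bound to the permissions the user approved, so an application holding only preference permissions can use the preferences but cannot learn the username. The `Site` class, the permission names and the user `alice` are hypothetical.

```python
import secrets

# Hypothetical permission names chosen for this sketch (not OSM's identifiers).
READ_PREFS, WRITE_PREFS, READ_USER = "read_prefs", "write_prefs", "read_user_details"


class Site:
    """Toy resource server: issues opaque tokens bound to user-approved permissions."""

    def __init__(self):
        self._grants = {}  # token -> (username, frozenset of permissions)
        self._prefs = {}   # username -> {key: value}

    def authorize(self, username, requested, approved_by_user):
        # Only permissions the application asked for AND the user confirmed are granted.
        granted = frozenset(requested) & frozenset(approved_by_user)
        token = secrets.token_urlsafe(32)  # random value: encodes nothing about the user
        self._grants[token] = (username, granted)
        return token

    def _check(self, token, permission):
        # Unknown tokens map to an empty grant, so they fail every check.
        username, granted = self._grants.get(token, (None, frozenset()))
        if permission not in granted:
            raise PermissionError(f"token lacks {permission}")
        return username

    def read_prefs(self, token):
        user = self._check(token, READ_PREFS)
        return dict(self._prefs.get(user, {}))

    def write_pref(self, token, key, value):
        user = self._check(token, WRITE_PREFS)
        self._prefs.setdefault(user, {})[key] = value

    def user_details(self, token):
        # Only reachable if a user-details permission exists and was granted.
        return {"username": self._check(token, READ_USER)}


def demo():
    site = Site()
    both = {READ_PREFS, WRITE_PREFS}
    token = site.authorize("alice", both, both)
    site.write_pref(token, "editor", "josm")
    try:
        site.user_details(token)
        identified = True
    except PermissionError:
        identified = False
    return site.read_prefs(token), identified
```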



