[OSM-dev] OAuth

Frederik Ramm frederik at remote.org
Sat Jun 27 15:12:45 BST 2009


Hi,

Tom Hughes wrote:
> That isn't really how OAuth works. OAuth allows an application to say to 
> a web site "I would like to do X" and the site then interacts with the 
> user to get their permission (by asking them to log in if necessary and 
> then to confirm they want to grant permission to the application) and 
> then gives the application an opaque token it can use to access the site.

Thanks.

Is the application required to keep track of which operations are 
allowed with the token and which aren't? I mean, if I am the application 
and I send my user over to OSM to get permission for reading his 
preferences, and later I want to make an edit in the user's name and try 
to use that same token - will this then simply fail, and would I then 
send the user to OSM again to upgrade the token, or would I get a new 
token then? Or would I always check with OSM first whether what I'm about 
to do is allowed with the token?

> Well I don't think there is an OAuth permission to read the user details 
> currently so an application wouldn't be able to get an OAuth token that 
> allowed it to retrieve the username. Such a permission could be added of 
> course.

I could imagine that it would be very useful - if only for the 3rd party 
application to be able to have something on screen that says "I am 
currently using a token that does OSM API operations for the user fred" 
(some users may have more than one account and could get confused).

Has there been any discussion, or even consensus, on the lifetime of 
tokens? Will this be left to the user? Will they be valid until revoked?

Bye
Frederik
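The question above (does the client have to track what a token permits, or does it just try and react to a failure) is easiest to see with both sides of the exchange in code. The following is an added toy model, not code from OpenStreetMap or from this thread: an in-memory authorization server that binds an opaque token to a set of granted permissions, a resource server that enforces those grants per operation, and a client that stores only the token and, when an operation is refused, sends the user back to grant a broader set. The permission names (`read_prefs`, `write_api`), the operations and the "user always approves" step are assumptions for illustration; the real site's endpoints, permission list and signing are not modelled.

```python
import secrets


# Hypothetical permission names (constructed for this example, not OSM's list).
READ_PREFS = "read_prefs"
WRITE_API = "write_api"


class PermissionDenied(Exception):
    """Raised by the resource server when the token lacks the needed grant."""


class AuthorizationServer:
    """Issues opaque tokens and remembers which grants each one carries."""

    def __init__(self):
        # token -> (user, frozenset of granted permissions)
        self._tokens = {}

    def authorize(self, user, requested):
        # Stands in for the interactive step where the user logs in and
        # approves `requested`; this toy always approves.
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (user, frozenset(requested))
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)

    def lookup(self, token):
        return self._tokens.get(token)


class ResourceServer:
    """Checks the token's grants on every operation; the client never has to."""

    def __init__(self, auth):
        self.auth = auth

    def permits(self, token, perm):
        entry = self.auth.lookup(token)
        return entry is not None and perm in entry[1]

    def _require(self, token, perm):
        entry = self.auth.lookup(token)
        if entry is None:
            raise PermissionDenied("unknown or revoked token")
        user, grants = entry
        if perm not in grants:
            raise PermissionDenied("token lacks " + perm)
        return user

    def read_preferences(self, token):
        user = self._require(token, READ_PREFS)
        return {"user": user, "lang": "en"}

    def create_edit(self, token, note):
        user = self._require(token, WRITE_API)
        return "edit by %s: %s" % (user, note)


class Client:
    """Holds only the opaque token and the set of permissions it has asked for.

    It does not know what the server will allow; it tries, and on refusal it
    sends the user back to grant the union of everything it has needed so far.
    """

    def __init__(self, auth, api, user):
        self.auth, self.api, self.user = auth, api, user
        self.requested = {READ_PREFS}
        self.token = auth.authorize(user, self.requested)
        self.reauthorizations = 0

    def _with_token(self, op, needed):
        try:
            return op(self.token)
        except PermissionDenied:
            # A new token replaces the old one; the old token is not "upgraded".
            self.requested.add(needed)
            self.token = self.auth.authorize(self.user, self.requested)
            self.reauthorizations += 1
            return op(self.token)

    def prefs(self):
        return self._with_token(self.api.read_preferences, READ_PREFS)

    def edit(self, note):
        return self._with_token(lambda t: self.api.create_edit(t, note), WRITE_API)


if __name__ == "__main__":
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    client = Client(auth, api, "fred")
    print(client.prefs())          # works with the read-only token
    print(client.edit("fix a way"))  # refused once, then re-authorized
    print("re-authorizations:", client.reauthorizations)
```

The same path handles revocation: once the user revokes the token, the next call is refused for an unknown token and the client walks the user through authorization again rather than consulting any local record of what it was allowed to do.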