[OSM-dev] JOSM password security

Kai Krueger kakrueger at gmail.com
Sat Sep 21 21:54:53 UTC 2013


Hello everyone,

It appears that the default method of JOSM to authenticate to the OSM
API is still "Basic Auth". Although JOSM does allow for OAuth, the way
the authentication dialog in the settings is structured, I would imagine
from a usability perspective that a good many users of JOSM will still
be using basic auth. Furthermore, the dialog that pops up if you try to
upload without having entered any authentication beforehand only
provides basic auth and no option for OAuth. Together, presumably a good
portion of (particularly novice) JOSM users will still be using Basic
Auth. (Does anyone have numbers for how many JOSM users use OAuth and
how many use Basic Auth?) As the OSM API currently doesn't support
https, this means that likely for many (if not the majority) of JOSM
users, the OSM password is still transmitted in the clear over the wire on
every use of JOSM.

This is far from ideal behaviour and a significant downside compared to
iD or Potlatch that both use OAuth for authentication.

Is it possible to change the default of JOSM to use OAuth and hide the
option of using Basic Auth behind e.g. an "export" mode?

Furthermore, given that there are a number of people who sign up to OSM
via OpenID and therefore might not even have an OSM password, it would
be good if the "semi-automatic" OAuth procedure were the default.
The semi-automatic form uses the website to log in and thus allows you to
use "login with OpenID" as well as a password.

At the moment the semi-automatic OAuth procedure isn't particularly user
friendly, as it contains far too much technical detail and too many
steps. However, I don't see a reason why this couldn't be simplified
down by default to a single "Log-in" button that then automatically
redirects to the OSM log-in page and handles all the rest of the OAuth
process in the background without having to bother the user with any
detail that they are using OAuth or anything else.

Kai
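To make the point of the mail concrete, here is an added example (not code from JOSM, from the OSM API, or from the author of the mail) that contrasts what a passive observer on a plain-HTTP link sees with the two schemes. The Basic Auth header carries the password itself, merely Base64-encoded; an OAuth 1.0a request (the variant the OSM API offered at the time) carries only a token and an HMAC-SHA1 signature computed from secrets that never leave the client, following RFC 5849 section 3.4. The username, password, consumer key, token, secrets, nonce and timestamp are constructed placeholders, and the verify function stands in for what the server would do; none of these values are real OSM credentials.

```python
"""Basic Auth vs. OAuth 1.0a (HMAC-SHA1) as seen by a passive observer.

Added example, not JOSM or OSM project code.  All credentials, the nonce
and the timestamp are constructed placeholders.  Signing follows RFC 5849
section 3.4 (HMAC-SHA1 with a "consumer_secret&token_secret" key).
"""
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# A representative write call to the API; the request body (changeset XML)
# is not form-encoded, so it contributes no parameters to the signature.
API_URL = "http://api.openstreetmap.org/api/0.6/changeset/create"


def basic_auth_header(username, password):
    """Authorization header JOSM sends when configured for Basic Auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def sniff_basic(header):
    """An observer recovers the password directly: Base64 is an encoding,
    not encryption."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Auth header")
    user, _, password = base64.b64decode(b64).decode().partition(":")
    return user, password


def _enc(s):
    # RFC 3986 percent-encoding as required by RFC 5849 section 3.6:
    # everything except A-Z a-z 0-9 - . _ ~ is escaped, uppercase hex.
    return quote(s, safe="")


def oauth_base_string(method, url, params):
    """Signature base string (RFC 5849 section 3.4.1): HTTP method, base
    URL and the normalized (sorted, percent-encoded) parameters."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])


def oauth_sign(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both secrets."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def oauth_header(method, url, consumer_key, consumer_secret,
                 token, token_secret, nonce, timestamp):
    """Client side: build the Authorization header.  Only the consumer
    key, token, nonce, timestamp and signature go on the wire."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    base = oauth_base_string(method, url, params)
    params["oauth_signature"] = oauth_sign(base, consumer_secret, token_secret)
    return "OAuth " + ", ".join(
        f'{_enc(k)}="{_enc(v)}"' for k, v in sorted(params.items()))


def parse_oauth_header(header):
    """What the observer (or the server) can read off the header."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth header")
    out = {}
    for item in rest.split(", "):
        k, _, v = item.partition("=")
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def verify_oauth(method, url, header, consumer_secret, token_secret):
    """Server side: recompute the signature from the on-the-wire
    parameters plus the secrets it holds, compare in constant time."""
    params = parse_oauth_header(header)
    presented = params.pop("oauth_signature")
    expected = oauth_sign(oauth_base_string(method, url, params),
                          consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)
```

Two caveats a practitioner should keep in mind: the OAuth 1.0a signature covers the method, URL and parameters but not the XML body, so an observer on plain HTTP still sees the content of the edit, just not a reusable credential; and the nonce and timestamp are what the server relies on to reject replays, so it has to actually track them.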
