[OSM-dev] MapRoulette requests OSM permissions

Serge Wroclawski emacsen at gmail.com
Mon May 5 20:09:56 UTC 2014

There was a recent question on why MapRoulette requests user
permissions. I thought I'd address that question here.

This is relatively new bahvior. MapRoulette didn't always ask you to
log in before using it, but we decided that we needed some kind of
user authentication for a few reasons:

1. It would let us customize the experience for a user. If a user
logged in, we would remember their preferences from last time

2. It would allow us to loosely associate activity in MapRoulette
against a user system. For example, we'd know roughly how many users
were using MapRoulette, including if there were super-mappers, or
maybe super-vandals.

We decided that instead of creating yet another login system, that
we'd use osm.org's oauth as a sort of identifier. Since every
MapRoulette user is already an OSM user, this made a lot of sense to
us. It also meant that we could benefit from using osm.org

But OAuth isn't an identification system. We don't know who is
authenticated when they log into osm.org- we just have an
authentication token to act on their behalf. When a user is logged in,
though, we can make an API call to osm.org on their behalf that
provides us information about the currently logged in user, eg their
username, home location (if set), language preferences, etc.

Initially, we thought we would probably use osm.org's internal system
of storing user data in key/value pairs to store information about the
user from MapRoulette, for example, choosing which challenge they
wanted to have by default, but ultimately we moved away from this
choice because making the external calls to osm.org was more expensive
than making local db lookups.

Those preferences don't include anything like passwords, and they
don't include things like your email address.

In the future, MapRoulette will be doing editing, and then, like any
other editor, it will need permissions for editing API calls, just
like other applications do (iD, PoiPond, Level0). In our early
testing, we asked for those permissions as well, becuase we knew that
we'd need them one day, but we made a decision to not ask for them
until we needed them (even if it meant that users would have to log
back into osm.org in the future).

Hope that clear's up any questions people have.

- Serge

More information about the dev mailing list