[OSM-dev] Using native social SDK for signing in to OSM on mobile
Ilya Zverev
ilya at zverev.info
Wed Dec 23 21:54:12 UTC 2015
Hi everyone,
Suppose I'm working on a mobile editor for iOS and Android. You can't
edit anything without signing in, so first a user has to enter their
login and password. If they are not registered in OSM, too bad: the
registration workflow is overly complex for mobile. One has to enter
login/password/e-mail, wait for confirmation, switch to mailing app,
click a link, close a browser, return to the editing app, enter login
and password again.
But osm.org has had Facebook and Google login for some time. They don't
require a password and e-mail confirmation, and most mobile phone users
have at least one. For example, most Android phone users have a Google
account. There are native SDKs for both of these networks, so one
doesn't even have to enter their login and password: these are stored
somewhere on the phone.
I mention "native", because the common way of authentication on osm.org,
with a WebView, won't work: you would have to enter your Facebook or
Google credentials from scratch. Which is not simpler than registering
on osm.org.
I would like osm.org to support authentication via native social SDKs.
It would benefit current and future mobile editing apps, and would
drastically increase the number of OSM editors (that is, users). I'm
writing all this, so authors of other editing apps could show their support.
To do that, we need two things. First, authentication on osm.org with
social login tokens bypassing omniauth web flow. For Facebook, this pull
request https://github.com/openstreetmap/openstreetmap-website/pull/1114
is a way, although not perfect. I assume there is something like that
for Google.
Second, there are social accounts, to which official OSM social logins
are linked. E.g. a Facebook app. To allow signing in with a native SDK,
an app id should be registered with the social account. That is, we need
a policy for including mobile editing apps there, and a person
responsible for that. I've sent a draft to OWG, which has these items:
- The application code must be published and accessible by members of OWG.
- There must be a downloadable version of the app with the usual login
via a password.
- The application should have some data editing capabilities, for which
signing in is required, and must use proper changeset tags.
- The application must already have some releases, and must be used,
with at least 100 users / downloads. It must have a wiki page and at
least one related blog entry.
- Secret keys provided by social apps must not be included anywhere in
the application: not in code, not in resources, etc. They can be used
only on a server.
Well, it's only a draft, intended mostly to start a conversation. There
is a way to circumvent this, but it includes making osm.org accept any
tokens from any social accounts/apps, which is not good.
The third step would be adding an API for signing in and registering new
members, but that is too complex and not a topic of this discussion.
What do you think of this?
My goal is to have "Facebook"/"Google" buttons, a single press on which
is all that's needed for editing OpenStreetMap (well, there are extra
steps for registering, but the idea is the same).
IZ
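
The message above rests on the server accepting only tokens issued to registered app ids, not "any tokens from any social accounts/apps". The sketch below is an added example, not code from the post or from openstreetmap-website: it checks a Google-style signed ID token (claims `iss`, `aud`, `exp`) against an allowlist. Assumptions: the method names, the app ids, and a locally generated RSA key standing in for the provider's published signing key.

```ruby
require "openssl"
require "json"

GOOGLE_ISSUERS = ["accounts.google.com", "https://accounts.google.com"].freeze
# Hypothetical allowlist: client ids of editing apps approved under the policy.
REGISTERED_APP_IDS = ["editor-a.apps.example"].freeze
class TokenRejected < StandardError; end

def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")   # unpadded base64url, as in JWTs
end

def b64url_decode(text)
  text.tr("-_", "+/").unpack1("m")
end

def verify_native_id_token(token, public_key, allowed_app_ids, now: Time.now.to_i)
  parts = token.to_s.split(".", -1)
  raise TokenRejected, "malformed token" unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  # Pin the algorithm; never let the token pick "none" or an HMAC variant.
  raise TokenRejected, "unexpected alg" unless header.is_a?(Hash) && header["alg"] == "RS256"
  signature = b64url_decode(parts[2])
  unless public_key.verify(OpenSSL::Digest.new("SHA256"), signature, parts[0, 2].join("."))
    raise TokenRejected, "bad signature"
  end
  claims = JSON.parse(b64url_decode(parts[1]))
  raise TokenRejected, "malformed token" unless claims.is_a?(Hash)
  raise TokenRejected, "wrong issuer" unless GOOGLE_ISSUERS.include?(claims["iss"])
  # The check the registration policy relies on: issued to a registered app id.
  raise TokenRejected, "app not registered" unless allowed_app_ids.include?(claims["aud"])
  raise TokenRejected, "expired" unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  claims
rescue JSON::ParserError, OpenSSL::PKey::PKeyError
  raise TokenRejected, "malformed token"
end

# Constructed helper: mints sample tokens so the check can be exercised offline.
def mint_sample_token(key, claims)
  signed = [{ "alg" => "RS256", "typ" => "JWT" }, claims].map { |o| b64url(JSON.generate(o)) }.join(".")
  "#{signed}.#{b64url(key.sign(OpenSSL::Digest.new("SHA256"), signed))}"
end

# Constructed sample data: same signer, one registered app id and one unregistered.
SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)
base = { "iss" => "https://accounts.google.com", "sub" => "1234567890", "exp" => Time.now.to_i + 600 }
GOOD_TOKEN  = mint_sample_token(SAMPLE_KEY, base.merge("aud" => "editor-a.apps.example"))
OTHER_TOKEN = mint_sample_token(SAMPLE_KEY, base.merge("aud" => "unrelated-app.apps.example"))
```

Both sample tokens carry a valid signature from the same key; only the `aud` comparison separates the registered app from the unrelated one.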