[OSM-dev] Using native social SDK for signing in to OSM on mobile

Ilya Zverev ilya at zverev.info
Wed Dec 23 21:54:12 UTC 2015


Hi everyone,

Suppose I'm working on a mobile editor for iOS and Android. You can't 
edit anything without signing in, so first a user has to enter their 
login and password. If they are not registered in OSM, too bad: the 
registration workflow is overly complex for mobile. One has to enter 
login/password/e-mail, wait for confirmation, switch to a mailing app, 
click a link, close a browser, return to the editing app, enter login 
and password again.

But osm.org has had Facebook and Google login for some time. They don't 
require a password and e-mail confirmation, and most mobile phone users 
have at least one. For example, most Android phone users have a Google 
account. There are native SDKs for both of these networks, so one 
doesn't even have to enter their login and password: these are stored 
somewhere on the phone.

I mention "native", because the common way of authentication on osm.org, 
with a WebView, won't work: you would have to enter your Facebook or 
Google credentials from scratch. Which is not simpler than registering 
on osm.org.

I would like osm.org to support authentication via native social SDKs. 
It would benefit current and future mobile editing apps, and would 
drastically increase the number of OSM editors (that is, users). I'm 
writing all this so that authors of other editing apps can show their support.

To do that, we need two things. First, authentication on osm.org with 
social login tokens bypassing omniauth web flow. For Facebook, this pull 
request https://github.com/openstreetmap/openstreetmap-website/pull/1114 
is a way, although not perfect. I assume there is something like that 
for Google.

Second, there are social accounts, to which official OSM social logins 
are linked. E.g. a Facebook app. To allow signing in with a native SDK, 
an app id should be registered with the social account. That is, we need 
a policy for including mobile editing apps there, and a person 
responsible for that. I've sent a draft to OWG, which has these items:

- The application code must be published and accessible by members of OWG.
- There must be a downloadable version of the app with the usual login 
via a password.
- The application should have some data editing capabilities, for which 
signing in is required, and must use proper changeset tags.
- The application must already have some releases, and must be used, 
with at least 100 users / downloads. It must have a wiki page and at 
least one related blog entry.
- Secret keys provided by social apps must not be included anywhere in 
the application: not in code, not in resources, etc. They can be used 
only on a server.

Well, it's only a draft, intended mostly to start a conversation. There 
is a way to circumvent this, but it includes making osm.org accept any 
tokens from any social accounts/apps, which is not good.

The third step would be adding an API for signing in and registering new 
members, but that is too complex and not a topic of this discussion.

What do you think of this?

My goal is to have "Facebook"/"Google" buttons, a single press on which 
is all that's needed for editing OpenStreetMap (well, there are extra 
steps for registering, but the idea is the same).

IZ
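
The app-id check the message argues for, as an added example that is not part of the original post or of the openstreetmap-website code: a server accepts a native-SDK token only if the provider reports it was issued to a registered app. The function name, the allowlist and the sample data are hypothetical; the field names follow Facebook's debug_token response and are an assumption to verify against the provider's documentation.

```ruby
require "json"

# Hypothetical allowlist: app ids of mobile editors approved under the policy.
# Constructed placeholder values, not real app ids.
ALLOWED_APP_IDS = %w[111111111111111 222222222222222].freeze

# Decide whether a token inspection result may sign a user in.
# `info` is the parsed "data" object returned by the provider's token
# inspection call, made server-side so the app secret never ships in the app.
# Returns [user_id, nil] on success or [nil, reason] on rejection.
def accept_social_token(info, now: Time.now.to_i)
  return [nil, :invalid_token] unless info["is_valid"] == true

  # Core check: a valid token issued to some other app must not authenticate
  # anyone here, otherwise any third-party app could sign in as its own users.
  return [nil, :unknown_app] unless ALLOWED_APP_IDS.include?(info["app_id"].to_s)

  # Conservative choice in this example: tokens without a future expiry
  # are rejected.
  return [nil, :expired] unless info["expires_at"].to_i > now

  user_id = info["user_id"].to_s
  return [nil, :missing_user] if user_id.empty?

  [user_id, nil]
end

# Constructed sample responses (not captured from a real provider).
SAMPLE_OK = JSON.parse('{"app_id":"111111111111111","is_valid":true,' \
                       '"expires_at":2000000000,"user_id":"42"}')
SAMPLE_FOREIGN_APP = SAMPLE_OK.merge("app_id" => "999999999999999")
SAMPLE_EXPIRED = SAMPLE_OK.merge("expires_at" => 1_400_000_000)

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_OK, SAMPLE_FOREIGN_APP, SAMPLE_EXPIRED].each do |sample|
    p accept_social_token(sample, now: 1_450_000_000)
  end
end
```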


