[OSM-dev] Usage of the standard dev server

markus schnalke meillo at marmaro.de
Thu Feb 4 21:47:34 UTC 2016


Hoi.

[2016-02-04 09:15] Paul Norman <penorman at mac.com>
> On 2/4/2016 8:41 AM, markus schnalke wrote:
>     [2016-02-04 14:43] Tom Hughes <tom at compton.nu>
>     > 
>     > If you're developing a new editor you should be using OAuth not HTTP
>     > basic auth.
> 
>     If I would be developing a *web* editor, then yes, of course ... but
>     I am working on a command line editor.
> 
> This remains true for programs invoked from the command line. As an example,
> https://github.com/openstreetmap/openstreetmap-license-change uses OAuth.

Thanks for the link. I found OAuth stuff in this file:

https://github.com/openstreetmap/openstreetmap-license-change/blob/master/get_auth.rb

It says:

	puts "Visit the following URL, log in if you need to, and authorize the app"
	puts @request_token.authorize_url
	puts "When you've authorized that token, enter the verifier code you are assigned:"
	verifier = gets.strip

It seems as if the user would need to register their copy of the
program once and then store the oauth-token on disk.

Instead of transmitting the username and password, the oauth token
and secret are transmitted. How is that different, besides the
ability of restricting the permitted actions?

(And shouldn't that oauth secret be transmitted via httpS as well,
because it's a secret? Hence coming back to my original remark.)


If you'd take the time, I'd be glad to learn the advantages of
oauth over http basic auth, especially because for a command line
application it appears to be mainly inconvenient (needs a web
browser to be available (which actually is an issue for me), plus
switching to it and back) and only better by the ability to limit
the permitted actions.

Well, that's how it appears to me. You might know better.


meillo
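
Added example, not part of the original message and not code from openstreetmap-license-change: it builds the Authorization header each scheme would send, so the two can be compared on the wire. It assumes OAuth 1.0a with the HMAC-SHA1 signature method (RFC 5849); the helper names, credentials and URL are constructed for illustration.

```ruby
require "openssl"
require "base64"

# Percent-encoding as defined by RFC 5849 section 3.6.
def pct(s)
  s.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format("%%%02X", b) }.join }
end

# HTTP basic auth: the header is reversible base64 of "user:password".
def basic_header(user, password)
  "Basic " + Base64.strict_encode64("#{user}:#{password}")
end

# OAuth 1.0a HMAC-SHA1: both secrets form the HMAC key and are not sent.
# Assumes url is already normalized and carries no query string.
def oauth_header(method, url, params, consumer_key, consumer_secret,
                 token, token_secret, nonce, timestamp)
  oauth = {
    "oauth_consumer_key" => consumer_key, "oauth_token" => token,
    "oauth_signature_method" => "HMAC-SHA1", "oauth_nonce" => nonce,
    "oauth_timestamp" => timestamp.to_s, "oauth_version" => "1.0"
  }
  # Signature base string: METHOD & encoded URL & encoded sorted parameters.
  normalized = oauth.merge(params).map { |k, v| [pct(k), pct(v)] }
                    .sort.map { |k, v| "#{k}=#{v}" }.join("&")
  base = [method.upcase, pct(url), pct(normalized)].join("&")
  key = "#{pct(consumer_secret)}&#{pct(token_secret)}"
  sig = Base64.strict_encode64(OpenSSL::HMAC.digest("SHA1", key, base))
  "OAuth " + oauth.merge("oauth_signature" => sig)
                  .map { |k, v| %(#{k}="#{pct(v)}") }.join(", ")
end

# Constructed sample values, not real credentials or a real endpoint.
SAMPLE_URL = "https://api.example.org/api/0.6/changeset/create"
BASIC = basic_header("mapper", "hunter2")
OAUTH = oauth_header("PUT", SAMPLE_URL, {}, "ckey", "csecret",
                     "tok", "toksecret", "n0nce", 1454622454)

if __FILE__ == $PROGRAM_NAME
  puts BASIC
  puts "recovered from header: " + Base64.decode64(BASIC.split.last)
  puts OAUTH
end
```

The token and consumer key identifiers still appear in the header, and the signature covers only the method, URL and parameters listed in the base string.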


