[OSM-dev] How to use OAuth for non-web apps? (was: Usage of the standard dev server)

markus schnalke meillo at marmaro.de
Sat Feb 6 14:35:36 UTC 2016

[2016-02-04 14:19] Paul Norman <penorman at mac.com>
> On 2/4/2016 1:47 PM, markus schnalke wrote:
> > Instead of transmitting the username and password, the oauth token
> > and secret are transmitted. How is that different, besides the
> > ability of restricting the permitted actions?
> No, the token and secret are used to sign the request. Someone who MITMs
> your connection can read the traffic, drop it, but not pretend to be you
> to the API server or modify it. I've done this in testing of a local API
> proxy. There are some attack vectors with oauth + HTTP that remain open,
> but not ones which involve pretending to be the user or stealing
> credentials.

Thanks for the explanation.

> > If you'd take the time, I'd be glad to learn the advantages of
> > oauth over http basic auth, especially because for a command line
> > application it appears to be mainly inconvenient (needs a web
> > browser to be available (which actually is an issue for me), plus
> > switching to it and back) and only better by the ability to limit
> > the permitted actions.
> The advantage is that it avoids the editor knowing the user's password,
> or storing the password.

Well, this is a big thing for web apps, because you have to trust
them blindly, whereas local code, which is Free Software, can be
examined. With a program, consisting of 1500 lines in a scripting
language, this is even practically possible (and non-programmers
would not want to use that editor I'm working on, anyway.). But I
don't want to be nitpicky with this ...

What convinces me more is that OAuth is a permission delegation
that can be revoked.

Zverik's OAuth proxy at http://auth.osmz.ru/ seems to provide some
useful information for my understanding:

	OpenStreetMap Authentication Proxy

	You are Meillo (log out) and you have never used a token. With
	this service you will be able to identify yourself in
	OpenStreetMap-related software that is not able to use OAuth.
	All you have to do is pass a token to an application, and it
	would know your login name and OSM identifier.

	There are two types of tokens. A master token can be used
	repeatedly. For example, a JOSM plugin can store it in
	preferences to identify itself to an external service every
	time you restart the editor. [...]

Am I getting this right: I could ask the user to generate one
such master token and pass that to the editor program, just like
if he would store his password there?

The only inconvenience would then be, to generate one such master
token. That appears to be acceptable.

Okay, but what's the motivation for Zverik's proxy? Isn't the OSM
website able to generate such tokens itself? Or let me ask
differently: How do I generate a master token for allow_write_api
(without having a callback possibility)?

I had a look at that page:
What would I enter there for a command line program?

Further help is appreciated. (I already have HTTP Basic Auth
working, but I would switch to OAuth if I can use that in a way
that does not clash with the command line world. The delegation
concept is definitely appealing.)


More information about the dev mailing list