[OSM-dev] GDPR implementation on planet.osm.org

Bryan Housel bhousel at gmail.com
Wed Jun 20 19:20:59 UTC 2018

> On the technical side, things are even worse. The elephant in the room is OAuth. OAuth is built on in particular the assumptions that
> - the consumer ("the website") acts stateful
> - sessions are relatively long-lived, i.e. some seconds to some hours
> - the identity provider has the cross-origin assets
> All three are not true for Overpass API which means that I have to work around OAuth or significantly mess with it.

Just wanted to respond to the technical part of this - my impression was that embedding a policy change into an OAuth flow wouldn’t be too intrusive.

I was assuming that server side they would just revoke everyone’s OAuth tokens for certain apps (essentially forcing everyone as logged out).

When using the OAuth app, at some point the user would need to log in.  They'd be presented with the same screen requesting account permissions, but then might be redirected through an extra screen that explains the privacy policy and asks the user to read and check a box before continuing.  This screen could appear only if their account hasn’t already accepted the policy.  Finally OAuth would call back to your app with the secrets like it normally would.

I could be misunderstanding - Hopefully someone will correct me if I’m wrong :)

Thanks, Bryan

More information about the dev mailing list