[OSM-dev] GDPR implementation on planet.osm.org
bhousel at gmail.com
Wed Jun 20 19:20:59 UTC 2018
> On the technical side, things are even worse. The elephant in the room is OAuth. OAuth is built on in particular the assumptions that
> - the consumer ("the website") acts stateful
> - sessions are relatively long-lived, i.e. some seconds to some hours
> - the identity provider has the cross-origin assets
> All three are not true for Overpass API which means that I have to work around OAuth or significantly mess with it.
Just wanted to respond to the technical part of this - my impression was that embedding a policy change into an OAuth flow wouldn’t be too intrusive.
I was assuming that server side they would just revoke everyone’s OAuth tokens for certain apps (essentially forcing everyone as logged out).
I could be misunderstanding - Hopefully someone will correct me if I’m wrong :)