[OSM-dev] oauth token lifetime

Tom Hughes tom at compton.nu
Sat Apr 27 13:40:13 UTC 2019


On 27/04/2019 14:37, Jiri Vlasak wrote:
> On Fri, Apr 26, 2019 at 07:28:39PM +0100, Tom Hughes wrote:
>> On 26/04/2019 19:06, Jiri Vlasak wrote:
>>> This approach is similar to one used by HOT Tasking Manager [1]. In my "oauth
>>> settings" section I have many many "Tasking Manager 3 - Prod" tokens. And I
>>> feel this approach is not right.
>>
>> That's usually because the client is broken and is not storing the
>> token but is instead requesting a new one every time you use it.
> 
> That's my guess too. So, I would like to write it better. My problem is that I
> am quite confused by OAuth.
> 
> If I understand it correctly, OAuth is here for authorization. But, in my case
> (and in the case of HOT Tasking Manager), the use case is authentication.

Yes, it is really an abuse of OAuth in general, but it is common.

Note that OAuth 2 (in the form of OpenID Connect) has basically
merged the two use cases anyway.

> So maybe I should ask - is it possible to authenticate to osm.org?

Well yes, that is what OAuth does.

What is happening here is using your osm.org account to
authenticate to a third party site.

That works if the third party is prepared to accept you
allowing it to access osm.org as valid authentication.

Tom

-- 
Tom Hughes (tom at compton.nu)
http://compton.nu/
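
Added example, not part of the original message and not code from osm.org or the Tasking Manager: a client that stores its token and reuses it, so repeated use does not pile up new tokens in the user's OAuth settings. The names `TokenStore`, `call_with_stored_token`, `authorize` and `request` are hypothetical; `authorize` is assumed to run the full OAuth flow and return a token, and `request` is assumed to raise `PermissionError` when the server rejects the token.

```python
import json
import os
import tempfile
from pathlib import Path


class TokenStore:
    """One token per user, kept in a JSON file readable only by its owner."""

    def __init__(self, path):
        self.path = Path(path)

    def _load(self):
        try:
            return json.loads(self.path.read_text())
        except FileNotFoundError:
            return {}

    def _save(self, data):
        # mkstemp creates the file with mode 0600; os.replace swaps it in atomically.
        fd, tmp = tempfile.mkstemp(dir=self.path.parent)
        with os.fdopen(fd, "w") as fh:
            json.dump(data, fh)
        os.replace(tmp, self.path)

    def get(self, user):
        return self._load().get(user)

    def put(self, user, token):
        data = self._load()
        data[user] = token
        self._save(data)


def call_with_stored_token(store, user, authorize, request):
    """Reuse the stored token; run the authorization flow only when needed."""
    token = store.get(user)
    if token is None:
        # First use: no token on disk yet (hypothetical authorize callback).
        token = authorize(user)
        store.put(user, token)
    try:
        return request(token)
    except PermissionError:
        # Stored token was revoked or expired: replace it once, then retry.
        token = authorize(user)
        store.put(user, token)
        return request(token)
```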


