[OSM-dev] oauth token lifetime
Tom Hughes
tom at compton.nu
Sat Apr 27 13:40:13 UTC 2019
On 27/04/2019 14:37, Jiri Vlasak wrote:
> On Fri, Apr 26, 2019 at 07:28:39PM +0100, Tom Hughes wrote:
>> On 26/04/2019 19:06, Jiri Vlasak wrote:
>>> This approach is similar to one used by HOT Tasking Manager [1]. In my "oauth
>>> settings" section I have many many "Tasking Manager 3 - Prod" tokens. And I
>>> feel this approach is not right.
>>
>> That's usually because the client is broken and is not storing the
>> token but is instead requesting a new one every time you use it.
>
> That's my guess too. So, I would like to write it better. My problem is that I
> am quite confused by OAuth.
>
> If I understand it correctly, OAuth is here for authorization. But, in my case
> (and in the case of HOT Tasking Manager), the use case is authentication.

Yes, it is really abuse of OAuth in general, but it is common.
Note that OAuth 2 (in the form of OpenID Connect) has basically
merged the two use cases anyway.

> So maybe I should ask - is it possible to authenticate to osm.org?

Well yes, that is what OAuth does.

What is happening here is using your osm.org account to
authenticate to a third party site.

That works if the third party is prepared to accept you
allowing it to access osm.org as valid authentication.

Tom
--
Tom Hughes (tom at compton.nu)
http://compton.nu/
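
Added example, not part of the original message and not code from OSM or the Tasking Manager: a sketch of a client that stores the token it was granted and runs the authorization flow again only when no stored token exists or the stored one is no longer accepted, which is the fix for the pile of duplicate tokens described in the thread. `TokenStore`, `get_token`, `FakeProvider` and the token strings are hypothetical; the fake provider is a constructed stand-in for the real OAuth exchange so the example runs offline.

```python
import json, os, stat, tempfile
class TokenStore:
    """Keeps one token per user on disk so later sessions can reuse it."""
    def __init__(self, path):
        self.path = path
    def _load(self):
        try:
            with open(self.path) as f:
                return json.load(f)
        except FileNotFoundError:
            return {}
    def get(self, user):
        return self._load().get(user)
    def put(self, user, token):
        data = self._load()
        data[user] = token
        # Create the file as 0600 so other local users cannot read tokens.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(data, f)

def get_token(store, user, authorize, is_valid):
    """Reuse the stored token; authorize again only if missing or rejected."""
    token = store.get(user)
    if token is not None and is_valid(token):
        return token
    token = authorize(user)   # the only place a new token is requested
    store.put(user, token)    # overwrite the stored entry for this user
    return token

class FakeProvider:
    """Constructed stand-in for the OAuth provider; records issued tokens."""
    def __init__(self):
        self.issued, self.revoked = [], set()
    def authorize(self, user):
        self.issued.append(f"{user}-token-{len(self.issued) + 1}")
        return self.issued[-1]
    def is_valid(self, token):
        return token in self.issued and token not in self.revoked

def demo():
    provider = FakeProvider()
    path = os.path.join(tempfile.mkdtemp(), "tokens.json")
    args = ("alice", provider.authorize, provider.is_valid)
    first = get_token(TokenStore(path), *args)
    second = get_token(TokenStore(path), *args)   # new store = later session
    provider.revoked.add(second)                  # constructed: token revoked
    third = get_token(TokenStore(path), *args)
    return first, second, third, len(provider.issued), stat.S_IMODE(os.stat(path).st_mode)
```

Three sessions produce two tokens here, and the second is issued only because the first was revoked; a client that skips the store would have issued three.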