[OSM-dev] oauth token lifetime
Jiri Vlasak
jiri.hubacek at gmail.com
Thu May 2 12:12:16 UTC 2019
On Sat, Apr 27, 2019 at 02:40:13PM +0100, Tom Hughes wrote:
> On 27/04/2019 14:37, Jiri Vlasak wrote:
> > On Fri, Apr 26, 2019 at 07:28:39PM +0100, Tom Hughes wrote:
> > > On 26/04/2019 19:06, Jiri Vlasak wrote:
> > > > This approach is similar to one used by HOT Tasking Manager [1]. In my "oauth
> > > > settings" section I have many many "Tasking Manager 3 - Prod" tokens. And I
> > > > feel this approach is not right.
> > >
> > > That's usually because the client is broken and is not storing the
> > > token but is instead requesting a new one every time you use it.
> >
> > That's my guess too. So, I would like to write it better. My problem is that I
> > am quite confused by OAuth.
> >
> > If I understand it correctly, OAuth is here for authorization. But, in my case
> > (and in the case of HOT Tasking Manager), the use case is authentication.
>
> Yes it is really abuse of OAuth in general but is common.
>
> Note that OAuth 2 (in the form of OpenID Connect) has basically
> merged the two use cases anyway.
>
> > So maybe I should ask - is it possible to authenticate to osm.org?
>
> Well yes, that is what OAuth does.
Of course. I am sorry, still learning the OAuth thing.
> What is happening here is using your osm.org account to
> authenticate to a third party site.
That should be my question.
> That works if the third party is prepared to accept you
> allowing it to access osm.org as valid authentication.
Anyway, I did a little bit more research into OAuth and I think that I resolved
most of the issues I needed to. Thanks, Tom, for pointing me out!
Have a nice day,
jiri
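
Added example, not part of the original thread and not code from HOT Tasking Manager or osm.org: a client that stores the token and reuses it, so the authorization flow (and a new entry in the user's "oauth settings" list) happens once rather than on every use. `TokenStore`, `token_for`, the `authorize` callback and all token values are hypothetical or constructed.

```python
import json
import os
import tempfile


class TokenStore:
    """Keeps one OAuth token per user in a JSON file readable only by the owner."""

    def __init__(self, path):
        self.path = path

    def _load(self):
        try:
            with open(self.path) as f:
                return json.load(f)
        except FileNotFoundError:
            return {}

    def get(self, user):
        return self._load().get(user)

    def put(self, user, token):
        data = self._load()
        data[user] = token
        # The token is a credential: create the file with mode 0600.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(data, f)


def token_for(store, user, authorize):
    """Return the stored token; run the authorization flow only if none is stored."""
    token = store.get(user)
    if token is None:
        token = authorize(user)  # hypothetical callback: the full OAuth exchange
        store.put(user, token)
    return token


def demo():
    issued = []  # stands in for the provider-side list of tokens granted to this app

    def authorize(user):
        token = {"oauth_token": f"constructed-{len(issued)}",
                 "oauth_token_secret": "constructed-secret"}
        issued.append(token)
        return token

    path = os.path.join(tempfile.mkdtemp(), "tokens.json")
    # Three separate "sessions", each opening the same file with a fresh store.
    tokens = [token_for(TokenStore(path), "example-user", authorize) for _ in range(3)]
    return len(issued), tokens, os.stat(path).st_mode & 0o777
```

A client that calls `authorize` directly on every visit is the "broken" case described above; a real client would also discard the stored token and re-authorize when the server rejects it.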