[OSM-dev] Future deprecation of HTTP Basic Auth and OAuth 1.0a
Paul Norman
osm at paulnorman.ca
Sat Mar 11 01:33:19 UTC 2023
The Operations Working Group is looking at what it takes to deprecate
HTTP Basic Auth and OAuth 1.0a in favour of OAuth 2.0 on the main API in
order to improve security and reduce code maintenance. Some of the
libraries that the software powering the API relies on for OAuth 1.0a
are unmaintained, there is currently a need to maintain two parallel
OAuth interfaces, and HTTP Basic Auth requires bad password management
practices. OAuth 2.0 libraries should be available for every major language.
We do not yet have a timeline for this, but do not expect to shut off
either this year. Before action is taken, we will send out more
notifications. Deprecation may be incremental, e.g., we may shut off
creation of new applications as an earlier step.
What can you do to help?
If you are developing new software that interacts with the OSM API, use
OAuth 2.0 from the start. Non-editing software can require
authentication support, e.g. software that checks if you have an OSM login.
If you maintain existing software, then look into OAuth 2.0 libraries
that can replace your OAuth 1.0a ones. We do not recommend implementing
support for either protocol version "by hand", as libraries are readily
available and history has shown that implementing your own support is
prone to errors.
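As an added example (not part of this announcement and not OSM project code), the following script shows how a maintainer or operator could inventory which authentication scheme clients are still sending, by classifying the Authorization header of captured request lines into Basic (RFC 7617), OAuth 1.0a (RFC 5849 header form) or OAuth 2.0 Bearer (RFC 6750). The tab-separated log format and all header values are constructed for illustration; passwords and tokens are never extracted, only the Basic username or OAuth 1.0a consumer key, so the output can be used to contact the owners of software that needs migrating.

```python
import base64
import re
from collections import defaultdict

# Constructed sample request lines (not real OSM logs), tab separated:
# <method>\t<path>\t<Authorization header value, or "-" when absent>
SAMPLE_LOG = (
    "PUT\t/api/0.6/changeset/create\tBasic dXNlcjpwYXNzd29yZA==\n"
    "GET\t/api/0.6/user/details\tOAuth oauth_consumer_key=\"app-one\", oauth_signature_method=\"HMAC-SHA1\", oauth_signature=\"abc%3D\"\n"
    "PUT\t/api/0.6/changeset/create\tBearer eyJhbGciOiJIUzI1NiJ9.example\n"
    "GET\t/api/0.6/map\t-\n"
    "GET\t/api/0.6/user/details\tOAuth oauth_consumer_key=\"app-one\", oauth_signature=\"def%3D\"\n"
)

OAUTH1_KEY_RE = re.compile(r'oauth_consumer_key="([^"]*)"')

def classify_auth(header):
    """Return (scheme, identity); identity is the Basic username or OAuth 1.0a
    consumer key, never a password or token. scheme: basic/oauth1/oauth2/none/unknown."""
    if header in ("", "-"):
        return "none", None
    scheme, _, rest = header.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":  # RFC 7617: base64(user:password)
        try:
            creds = base64.b64decode(rest.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return "basic", None  # malformed credentials, still a Basic client
        return "basic", creds.split(":", 1)[0]
    if scheme == "oauth":  # RFC 5849 header form, i.e. OAuth 1.0a
        m = OAUTH1_KEY_RE.search(rest)
        return "oauth1", (m.group(1) if m else None)
    if scheme == "bearer":  # RFC 6750, how OAuth 2.0 access tokens are sent
        return "oauth2", None
    return "unknown", None

def deprecated_auth_report(log_text):
    """Count requests per scheme and list identities still using deprecated schemes."""
    counts = defaultdict(int)
    deprecated = defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        _method, _path, header = line.split("\t", 2)
        scheme, identity = classify_auth(header)
        counts[scheme] += 1
        if scheme in ("basic", "oauth1") and identity is not None:
            deprecated[scheme].add(identity)
    return dict(counts), {k: sorted(v) for k, v in deprecated.items()}
```

Running `deprecated_auth_report(SAMPLE_LOG)` on the constructed sample reports one Basic request from user "user" and two OAuth 1.0a requests from consumer key "app-one", with the Bearer request counted as already migrated.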
If you do not develop software that interacts with the OSM API, this
change will not directly impact you. You may need to update software you
use at some point.
Paul Norman
For the Operations Working Group