[openstreetmap/openstreetmap-website] Do not ask for application OAuth permissions repeatedly (#1455)

Ilya Zverev notifications at github.com
Wed Feb 22 16:03:09 UTC 2017

> In our case OAuth 1.0a each app only has the Consumer Key for identification, the association between user and the access token is established during the handshake. As a result there is no way I can see how you could go from the Consumer Key to the access token without re-authenticating the user and re-authorizing the app.

I'm not sure I understand. I propose not to change OAuth implementation, but to make user UI for managing tokens more clear.

What I'm proposing (refined in this discussion) is:

1. Display to a user not a list of tokens, but a list of applications. A "revoke" button revokes all tokens for the application.
2. When an application makes a redirect to the oauth page, search for the last token and if found, use the permissions list from it, immediately redirecting user to the next step.
3. To simplify the last step, store granted permissions separately from tokens, and add an "edit" button to the app list from step 1, allowing a user to view and modify a list of permissions for the app.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20170222/fa301199/attachment-0001.html>

More information about the rails-dev mailing list