[openstreetmap/openstreetmap-website] Do not ask for application OAuth permissions repeatedly (#1455)

Matt Amos notifications at github.com
Thu Feb 23 12:10:56 UTC 2017


> a failure to persist the access token properly is not an issue with the rails port but an issue with the apps.

I think what @Zverik is saying is not that the access token would be shared via the API, but that the user would accept a list of permissions on a per-app basis rather than a per-device / per-access-token basis. Accepting (or rejecting) a set of permissions is a part of the OAuth flow that we added, so we are able to skip that step if the user has previously authorised a token for this same app, and (I think) without impacting the security properties of OAuth.

Effectively, this would have two parts:

1. Where we currently [check token capability](https://github.com/openstreetmap/openstreetmap-website/blob/master/app/controllers/application_controller.rb#L53-L68), we would instead look up a new type (say, `ClientPermissions`) which is unique per-user and per-`client_application`.
2. When authorising a new token, if a `ClientPermissions` object exists for the (`user`, `client_application`) pair, then use that instead of asking the user to approve the permissions.

The token UI would then be able to edit the `ClientPermissions` objects. This would mean the user loses the ability that they currently have to grant different permissions to different instances of the same app. I'm not sure if anyone is using that ability, so perhaps not a big loss.

Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/1455#issuecomment-281975878
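The following is an added, constructed Ruby sketch of the two parts described above; it is not code from the openstreetmap-website project. An in-memory store stands in for the proposed `ClientPermissions` model, keyed per (`user`, `client_application`), and the authorisation step reuses a stored grant only when it already covers everything the app asks for, so a later request for wider permissions still prompts the user. The class, method and permission names are assumptions for illustration.

```ruby
require 'set'

# Per-(user, client_application) grants, standing in for the proposed
# ClientPermissions model (assumed name). Keyed by [user_id, app_id].
class ClientPermissionsStore
  def initialize
    @grants = {}
  end

  def find(user_id, app_id)
    @grants[[user_id, app_id]]
  end

  # Record (or widen) the permissions the user approved for this app.
  def grant(user_id, app_id, permissions)
    key = [user_id, app_id]
    @grants[key] = (@grants[key] || Set.new) | permissions.to_set
  end

  # Revoking the per-app grant cuts off every token issued for that app.
  def revoke(user_id, app_id)
    @grants.delete([user_id, app_id])
  end
end

Token = Struct.new(:user_id, :app_id, :secret)

# Part 2: when authorising a new token, skip the approval screen only if the
# stored grant covers every requested permission. Returns [:issued, token]
# or [:prompt, permissions_still_needing_approval].
def authorise(store, user_id, app_id, requested)
  requested = requested.to_set
  existing = store.find(user_id, app_id)
  if existing && requested.subset?(existing)
    [:issued, Token.new(user_id, app_id, 'constructed-secret')]
  else
    [:prompt, existing ? requested - existing : requested]
  end
end

# Called after the user approves the prompt: persist the grant, then issue.
def approve_and_issue(store, user_id, app_id, requested)
  store.grant(user_id, app_id, requested)
  authorise(store, user_id, app_id, requested)
end

# Part 1: the capability check looks up the per-app grant instead of flags
# carried by the token itself.
def token_allows?(store, token, permission)
  grant = store.find(token.user_id, token.app_id)
  !grant.nil? && grant.include?(permission)
end
```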