[openstreetmap/openstreetmap-website] Get user e-mail permission in OAuth login (#2011)

Tom Hughes notifications at github.com
Wed Oct 3 09:29:21 UTC 2018


I may have misunderstood - on re-reading it's not totally clear exactly what you are doing.

To be clear, the intention is that OAuth is used to grant users on your site permission to do things on OpenStreetMap - in other words it is a way of linking accounts. What it is not intended for is to replace accounts on your site completely - for you to use OAuth as a way of people logging into your site.

That's not our decision - it's what the OAuth protocol was designed for. The intention was that OpenID would be used for authenticating a local user against a remote site. That said, OAuth was often abused in that way, including by many OpenStreetMap users, and OAuth 2 basically gives in and merges both roles into one protocol (OpenID Connect is OAuth 2 based), but we don't currently support OAuth 2 at all.

I still stick by my primary point, that the risks (both legal and reputational) are just too great - it would be very easy for somebody that wasn't paying attention to unintentionally reveal their email and then they would come complaining to us.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/2011#issuecomment-426570569