[openstreetmap/openstreetmap-website] API key dispenser (#2145)

mmd notifications at github.com
Sun Oct 11 17:19:59 UTC 2020


I believe once we have OAuth 2.0 in place, we could validate a token that has been issued by osm.org by calling the _introspect_ endpoint (assuming this will be available in the future).

Here's a quick example for illustration purposes (actual output, no fake):

1. Overpass API receives a query with an HTTP Authentication header `Bearer ASIKSMtZ67n2d7FaM5pYRQOLkNqZOfaYDQn-aB1OCCE`


2. Overpass API validates the token against the OAuth introspection endpoint on osm.org:

```
curl -F client_id=zQyq4UbbrCMjShugI1BbYmJ_JQZKnDLj3iZjMVSEB8o -F client_secret=rTDU2cPJ284WL41yYIiPXqzvre2MXjovU3B4WX-zbN4 -F token=ASIKSMtZ67n2d7FaM5pYRQOLkNqZOfaYDQn-aB1OCCE -X POST http://localhost:3000/oauth2/introspect
{"active":true,"scope":"read","client_id":"zQyq4UbbrCMjShugI1BbYmJ_JQZKnDLj3iZjMVSEB8o","token_type":"Bearer","exp":1602439905,"iat":1602432705,"username":"mmd3"}
```

In case of an invalid token, the server would return:

```
{"active":false}
```

`"username":"mmd3"` is not part of the doorkeeper.rb default, and only added here as an example.

Results could probably be cached for some time to avoid repeatedly calling the osm.org endpoint.

client_id and secret have been defined before in doorkeeper:

![Screenshot from 2020-10-11 19-18-20](https://user-images.githubusercontent.com/5842757/95685188-a3a08b00-0bf6-11eb-8bfe-0221187c1b2a.png)




https://github.com/openstreetmap/openstreetmap-website/pull/2145#issuecomment-706737557
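The caching idea from the message above, as an added example that is not part of the original post and is not Overpass API or osm.org code: a resource server caches introspection answers, never keeps an "active" answer past the token's `exp`, and fails closed on errors. The names `http_introspect` and `IntrospectionCache`, the `read` scope default and the TTL values are assumptions.

```python
import hashlib
import json
import time
import urllib.parse
import urllib.request

def http_introspect(url, client_id, client_secret, token):
    """POST the same three fields as the curl call (form-urlencoded, per RFC 7662)."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret, "token": token}).encode()
    with urllib.request.urlopen(url, data=body, timeout=5) as resp:
        return json.load(resp)

class IntrospectionCache:
    """Caches introspection answers; all names here are illustrative assumptions."""
    def __init__(self, introspect, max_ttl=300, negative_ttl=30, clock=time.time):
        self.introspect = introspect  # callable: token -> parsed JSON response
        self.max_ttl, self.negative_ttl, self.clock = max_ttl, negative_ttl, clock
        self._cache = {}              # sha256(token) -> (valid_until, response)

    def check(self, token, required_scope="read"):
        """Return the introspection response if the token is usable, else None."""
        now = self.clock()
        key = hashlib.sha256(token.encode()).hexdigest()  # keep raw tokens out of the cache
        valid_until, info = self._cache.get(key, (0, None))
        if valid_until <= now:
            try:
                info = self.introspect(token)
            except Exception:
                return None           # fail closed; an outage is not cached
            if not isinstance(info, dict):
                return None
            if info.get("active") is True:
                # A cached "active" answer must not outlive the token's own exp.
                valid_until = min(now + self.max_ttl, info.get("exp", now + self.max_ttl))
            else:
                valid_until = now + self.negative_ttl
            self._cache[key] = (valid_until, info)
        exp = info.get("exp")
        if info.get("active") is not True or (exp is not None and exp <= now):
            return None
        if required_scope not in (info.get("scope") or "").split():
            return None
        return info

if __name__ == "__main__":
    # Constructed stub standing in for osm.org; response shape copied from the post.
    stub = lambda t: {"active": True, "scope": "read", "exp": time.time() + 60}
    print(IntrospectionCache(stub).check("constructed-token"))
```

Caching trades revocation latency for load: a token revoked on osm.org stays accepted by the cache until its entry lapses, so `max_ttl` bounds that window.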