[openstreetmap/openstreetmap-website] API key dispenser (#2145)

[mmd]

I thought I could add some more details about the main use case we have in mind.

Let's assume an overpass turbo user wants to query for some OSM data that includes metadata. Due to GDPR requirements, metadata wouldn't be available to anonymous users anymore in the future. Here's where Overpass API would require the user to present a proof of an osm.org account, ideally without disclosing the user's id.

Steps are:

1. download overpass turbo as a single page web-app from overpass-turbo.eu, app lives in your browser only
2. in the app: authorize access to an Overpass API application against osm.org. Application has been registered upfront via osm.org/oauth2/applications (not yet available)
3. browser to send query along with a token to Overpass API, running on overpass-api.de
4. Overpass API needs to find out that the token is valid and that the user sending the request has an account on osm.org. The actual user name is not needed
5. Overpass API returns additional meta data in the positive case.

>From what I've read, Authorization Code PKCE Flow would be relevant here.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/2145#issuecomment-706770375
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20201011/015c2209/attachment.htm>