[openstreetmap/openstreetmap-website] Welcome page interrupts Oauth authorization flow for newly created OSM accounts (Issue #4246)
Milan Cvetkovic
notifications at github.com
Wed Nov 8 09:32:31 UTC 2023
> > Ideally, clicking on the link in email would continue authorization process, but I am not sure if this is reasonable.
>
> This won't work for some apps. An app may open `https://www.openstreetmap.org/oauth2/authorize` in a specific browser window and expect redirect back to itself in that window. If you're opening a confirmation link from an email client, you're not in that window anymore.
This will work for all apps even when a confirmation email is required, subject to some limitations.
The link in the email would (indirectly, through the entry in `user_tokens` table, and welcome page if it is displayed) drive the user to the same authorization link: `/oauth2/authorize?...`. If the invoking application is still up and the timeout set by the invoking app has not been reached, the authorization would complete successfully.
In case too much time has passed, the link from the email would complete the creation of the OSM account, but the authorization link would fail, and the user would have to repeat the authorization request from the client app. However, this time the user need not create an OSM account (since they already have one) and the authorization request would result in OSM displaying the authorize screen immediately.
The limitations are:
- the user needs to use the same browser for the initial authorize request and the confirm-email request
- the client application needs to be running without restart
- the whole authorization process needs to be completed in a relatively small time frame. In my tests, the authorize link expires in about an hour. Note that similar behaviour would be triggered if the user simply sits on the authorize screen for a long time in any scenario.