[openstreetmap/openstreetmap-website] OAuth 2: Granting partial not possible (Issue #4360)

Tobias Zwick notifications at github.com
Tue Nov 21 18:14:06 UTC 2023


### Problem

OAuth 2 does not allow granting permissions partially, which was possible with OAuth 1.0a.

This may scare off some privacy- or security-aware users from using software that **can**, e.g., create notes, upload GPX tracks, etc., but doesn't need these permissions when these features are not used.

### Description

Using authorization with OAuth 1.0a, it was possible for users to choose which of the permissions an application requests are granted. Which of these permissions were actually granted could then be queried with the `/permissions` endpoint. This no longer seems to be possible with OAuth 2.0 scopes.

As the author and maintainer of StreetComplete, I actually did get several requests and inquiries as to why the app needs the "create note" as well as the "read/write gpx tracks" permissions.

As the latter is only used for a relatively minor and difficult-to-discover feature, it was made optional following https://github.com/streetcomplete/StreetComplete/issues/4122. I.e. the user is able to not grant this particular permission and the app would work normally.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/4360
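
The partial-grant handling described in the issue, as an added example that is not part of the original message and is not StreetComplete or openstreetmap-website code: a client reads the `/permissions` response and disables optional features whose permissions were declined. The response shape and `allow_*` names are assumed from the OSM API 0.6 permissions call; the sample response and the feature table are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample response: the user declined both GPX permissions.
SAMPLE_RESPONSE = """<osm version="0.6" generator="OpenStreetMap server">
  <permissions>
    <permission name="allow_read_prefs"/>
    <permission name="allow_write_api"/>
    <permission name="allow_write_notes"/>
  </permissions>
</osm>"""

# Hypothetical feature table: feature -> (permissions it needs, is it required?)
FEATURES = {
    "edit_map": ({"allow_write_api"}, True),
    "create_note": ({"allow_write_notes"}, False),
    "attach_gpx_track": ({"allow_read_gpx", "allow_write_gpx"}, False),
}


def granted_permissions(xml_text):
    """Return the set of permission names the server reports as granted."""
    root = ET.fromstring(xml_text)
    return {p.get("name") for p in root.iter("permission") if p.get("name")}


def plan_features(granted, features=FEATURES):
    """Split features into enabled ones and optional ones to switch off.

    Raises PermissionError only when a required feature lacks a permission,
    so declining an optional permission never blocks the whole application.
    """
    enabled, disabled = [], {}
    for name, (needed, required) in features.items():
        missing = needed - granted
        if not missing:
            enabled.append(name)
        elif required:
            raise PermissionError(f"{name} requires {sorted(missing)}")
        else:
            disabled[name] = sorted(missing)  # shown to the user as the reason
    return enabled, disabled


if __name__ == "__main__":
    enabled, disabled = plan_features(granted_permissions(SAMPLE_RESPONSE))
    print("enabled:", enabled)
    print("disabled:", disabled)
```
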