[openstreetmap/openstreetmap-website] OAuth 2: Granting partial not possible (Issue #4360)
Tobias Zwick
notifications at github.com
Tue Nov 21 20:52:24 UTC 2023
Hmm, maybe the preferred OAuth 2 way to do it would be that the client requests different tokens for different purposes.
E.g. HOT could request only the minimum it needs to function on login, and then when using the map-edit feature, it would again ask for authorization upon using that feature. Because the user is likely already logged in in his browser at least from the last authorization request, the user is able to quickly authorize it.
Now, for non-browser applications, this flow is a little less convenient. At least StreetComplete and IIRC Vespucci both use a WebView instead of a browser to authorize, which then of course does not save the login cookie. Which means, for every new token, the username and password need to be reentered.
(I know, it is recommended to not use a WebView but the device's browser, but we had problems in the past with that. There are quite a number of browsers for Android, and some - e.g. if I remember correctly the default browser for a popular custom ROM - fail to forward a redirect URI like `streetcomplete://oauth` to whichever app registered this URI scheme. Maybe @simonpoole also remembers if there were other reasons to use a WebView.)
https://github.com/openstreetmap/openstreetmap-website/issues/4360#issuecomment-1821660986