[openstreetmap/openstreetmap-website] OAuth 2: Granting partial permissions not possible (Issue #4360)

Tobias Zwick notifications at github.com
Wed Nov 22 15:09:05 UTC 2023


So anyway, after having read the RFC, it doesn't look like OAuth 2 is designed to allow this kind of flow we used to have with OAuth 1.0a. It would be a (possibly non-RFC compliant, would need to read the exact wording) extension to OAuth 2.

To summarize:

- With the authorization flow in OAuth 1.0a, it was possible for the user not to grant all requested permissions. The client then (ideally) had to verify after using the `permissions/` endpoint whether it got all permissions it needed and handle it.

- The authorization flow in OAuth 2 (instead) does not allow the user to selectively grant only some of the requested permissions. However, it provides *clients* a way to request fewer permissions than what has been listed during registration for the client. This flow enables the client to dynamically request only the permissions it needs right now, using several different tokens to access different parts of the API.
  This solution is somewhat superior to the OAuth 1.0a flow for fine-grained permissions and also convenient for users; however, only for applications that use in-browser authorization (like any web-app).

So, I will close this. Web-apps (such as the mentioned HOT tasking manager) can already implement fine-grained permissions with OAuth 2.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/4360#issuecomment-1822949775
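The two client-side behaviours the comment describes, requesting a subset of the registered scopes and then checking what was actually granted, as an added example (not code from openstreetmap-website). Scope names and the authorization endpoint URL are placeholders; a real client would use the values from its own registration.

```python
from urllib.parse import urlencode

# Scopes the client listed at registration (assumed placeholder values).
REGISTERED_SCOPES = frozenset({"read_prefs", "write_prefs", "write_api", "write_notes"})

# Placeholder authorization endpoint (assumption, not OSM's real URL).
AUTHORIZE_URL = "https://auth.example/oauth2/authorize"


def authorization_url(client_id: str, redirect_uri: str, scopes: set, state: str) -> str:
    """Build an authorization request that asks only for the scopes needed now.

    OAuth 2 lets a client request a subset of its registered scopes; asking
    for anything outside that set is a client bug, so fail early.
    """
    unknown = set(scopes) - REGISTERED_SCOPES
    if unknown:
        raise ValueError(f"scopes not registered for this client: {sorted(unknown)}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes)),  # RFC 6749: space-delimited list
        "state": state,                     # binds the callback to this request
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def granted_scopes(token_response: dict, requested: set) -> frozenset:
    """Return the scopes an access token actually carries.

    RFC 6749 section 5.1: the server MUST include "scope" in the token
    response when it differs from what was requested and MAY omit it when
    identical, so the client must not assume it received everything.
    """
    raw = token_response.get("scope")
    if raw is None:
        return frozenset(requested)
    return frozenset(raw.split())


def missing_scopes(required: set, token_response: dict, requested: set) -> frozenset:
    """Scopes an operation needs that this token does not grant."""
    return frozenset(required) - granted_scopes(token_response, requested)
```

A client holding several tokens for different parts of the API would run `missing_scopes` against the token it intends to use before each call and re-authorize only when the result is non-empty.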