[openstreetmap/openstreetmap-website] Welcome page interrupts Oauth authorization flow for newly created OSM accounts (Issue #4246)
Milan Cvetkovic
notifications at github.com
Thu Oct 5 12:31:20 UTC 2023
> I'm not keen on the idea of having two versions of the information (which will doubtless get out of sync) depending on how you sign up.
> It would also make the email a bit more complex when we want to create a wording-bridge to the previous step.
We can have parameterization to solve both of these - to reuse the complete, existing `welcome.html.erb` and render it in mail with slight "if email" tweaks. We would not add the name of the application (in your example "StreetComplete") to the email, though.
> I just noticed that the email confirmation email likely also needs a change depending on which flow is used afterwards.
Yes, we will account for that, but having mail confirmation is already breaking the signup flow. Ideally, clicking on the link in the email would continue the authorization process, but I am not sure if this is reasonable.
> I wonder what to do with existing apps. Should they be migrated to the new flow automatically or should they stay with the existing flow until they opt in. And how would the opt in work? Are there downsides to migrating them automatically?
Currently, 3rd party apps initiate "OAuth2 authorize with OSM" in order to obtain an access token. This triggers the sign-in to OSM if the user is not signed in to OSM already. If the user does not even have an OSM account, they would have to create one.
The suggested modification of behaviour in OSM is at the moment when the email address is confirmed for these users, who are signing up as a result of OAuth2 authorization. Instead of driving them to the "welcome screen", we would send them a "welcome email" and proceed to the "OSM OAuth2 authorization" screen, which is in fact what they wanted to do. I do not see any downsides from the point of view of 3rd party apps, other than maybe having to remove descriptions that the authorization would have to be initiated twice, due to the OSM welcome screen. For example, it would be appropriate to remove "semi-automatic" from the relevant screen in JOSM. All third party apps would be treated the same, since the decision is based on "is this signup due to authorization or not".
The behaviour for OSM signup which is not a result of OAuth2 authorization would remain the same as today.
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/4246#issuecomment-1748803462