[openstreetmap/openstreetmap-website] OAuth flow should show more information about the application requesting rights (Issue #4217)
Pieter Vander Vennet
notifications at github.com
Fri Sep 1 20:56:06 UTC 2023
### URL
https://www.openstreetmap.org/oauth2/authorize?client_id=sa1ngLJBJ8McmzHElN8NYtIDm5TZTYEYhq3-0snO4Qc&code_challenge=VgMbsKx3KZFEMM4ujihX5YORn4m8cUVzyjW41MAYjD0&code_challenge_method=S256&redirect_uri=http%3A%2F%2F127.0.0.1%3A1234%2Fland.html&response_type=code&scope=read_prefs+write_prefs&state=eX9ZWBxNWlQBou_OLWEPeNxtc_ojhO6XuagD4uVr-EU
### How to reproduce the issue?
MapComplete recently had a security scan by Radically Open Security - thanks to the NLnet fund.
One of their recommendations was to start using OAuth 2.0 (which has now been done). However, they pointed out another weakness in the OAuth flow on the side of osm.org. I'm quoting [@jacopojannone](https://git.radicallyopensecurity.com/jacopojannone) here from their research:
> An attacker could still register their own application on OpenStreetMap, set up a malicious instance of MapComplete, and persuade users into using it to log into OpenStreetMap. Ideally, the OAuth authorization page on OpenStreetMap would clearly show which application the user is logging into, including the owner's name and the full application URL. This would make it evident to the user that they are not logging into a trusted instance of MapComplete. However, tests showed that this is not the case. When the OAuth 2.0 flow is used, the OpenStreetMap authorization page only shows the registered application name, with no other details, author names or URLs, as shown in the following figure.

This is handled a bit better in the current OAuth 1.0 flow, where the URL can be detected:

I propose that this flow is improved by:
1. Showing the URL (or at least the host) verbatim next to the application
2. Showing the maintainer of the application (even though this might be a bit confusing for contributors)
### Screenshot(s) or anything else?
_No response_
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/4217
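As an added illustration of the two proposals above, here is a small Ruby sketch (example code written for this page, not code from openstreetmap-website, Doorkeeper or MapComplete) of what an authorization page can derive from the `/oauth2/authorize` request and the client registration: the registered owner, the redirect host, and whether that host actually says anything about who operates the application. The `RegisteredApp` struct, the client ids `client-legit` / `client-impostor`, the owner names and the redirect hosts are all constructed for the example; the only real input is the authorize URL quoted in the report. The redirect_uri check is the usual OAuth 2.0 exact-match rule with the RFC 8252 section 7.3 exception that a loopback redirect URI may use a different port per request.

```ruby
require "uri"
require "cgi"
require "ipaddr"

# Hypothetical stand-in for an OAuth client registration (not the
# openstreetmap-website / Doorkeeper model); fields chosen for this example.
RegisteredApp = Struct.new(:client_id, :name, :owner, :redirect_uris, keyword_init: true)

# Constructed registry: two clients registered under the same display name.
# Only the owner and the redirect host tell them apart.
REGISTRY = [
  RegisteredApp.new(client_id: "client-legit", name: "MapComplete",
                    owner: "mapcomplete-maintainer",
                    redirect_uris: ["https://mapcomplete.org/land.html",
                                    "http://127.0.0.1:1234/land.html"]),
  RegisteredApp.new(client_id: "client-impostor", name: "MapComplete",
                    owner: "someone-else",
                    redirect_uris: ["https://mapcomplete.example.net/land.html"]),
].to_h { |app| [app.client_id, app] }

# The authorize URL quoted in the issue (its client_id is not in the constructed registry).
ISSUE_URL = "https://www.openstreetmap.org/oauth2/authorize?client_id=sa1ngLJBJ8McmzHElN8NYtIDm5TZTYEYhq3-0snO4Qc&code_challenge=VgMbsKx3KZFEMM4ujihX5YORn4m8cUVzyjW41MAYjD0&code_challenge_method=S256&redirect_uri=http%3A%2F%2F127.0.0.1%3A1234%2Fland.html&response_type=code&scope=read_prefs+write_prefs&state=eX9ZWBxNWlQBou_OLWEPeNxtc_ojhO6XuagD4uVr-EU"

# Constructed requests against the constructed registry.
LEGIT_REQUEST    = "https://www.openstreetmap.org/oauth2/authorize?client_id=client-legit&code_challenge=x&code_challenge_method=S256&redirect_uri=http%3A%2F%2F127.0.0.1%3A4321%2Fland.html&response_type=code&scope=read_prefs+write_prefs&state=s1"
IMPOSTOR_REQUEST = "https://www.openstreetmap.org/oauth2/authorize?client_id=client-impostor&code_challenge=x&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fmapcomplete.example.net%2Fland.html&response_type=code&scope=read_prefs+write_prefs&state=s2"
MISMATCH_REQUEST = "https://www.openstreetmap.org/oauth2/authorize?client_id=client-impostor&code_challenge=x&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fmapcomplete.org%2Fland.html&response_type=code&scope=read_prefs&state=s3"

# Decode the query string of an authorize URL into a flat Hash (+ and %XX are unescaped).
def authorize_params(url)
  query = URI.parse(url).query || raise(ArgumentError, "no query string")
  CGI.parse(query).transform_values(&:first)
end

# True for localhost, 127.0.0.0/8 and ::1. Anything that is not an IP literal is not loopback.
def loopback?(host)
  return true if host == "localhost"
  IPAddr.new(host).loopback?
rescue IPAddr::InvalidAddressError
  false
end

# Exact match against the registered redirect URIs, except that a registered
# loopback URI may be requested with any port (RFC 8252 section 7.3).
def redirect_uri_registered?(app, requested)
  req = URI.parse(requested)
  app.redirect_uris.any? do |registered|
    next true if registered == requested
    reg = URI.parse(registered)
    loopback?(reg.hostname) && reg.scheme == req.scheme && reg.hostname == req.hostname &&
      reg.path == req.path && reg.query == req.query
  end
end

# What the consent page should know before asking the user anything.
def consent_summary(registry, url)
  params = authorize_params(url)
  app = registry[params["client_id"]]
  return { error: "unknown client_id" } unless app
  return { error: "redirect_uri not registered" } unless redirect_uri_registered?(app, params["redirect_uri"])
  host = URI.parse(params["redirect_uri"]).hostname
  {
    name: app.name, owner: app.owner,
    redirect_uri: params["redirect_uri"], host: host,
    scopes: params["scope"].split(" "),
    # A loopback host only says the app runs on the user's own machine; it
    # does not identify the operator, so the owner is the remaining signal.
    host_identifies_operator: !loopback?(host),
  }
end

# Text a consent page could show: name, maintainer, scopes, redirect target.
def consent_text(summary)
  return "Error: #{summary[:error]}" if summary[:error]
  lines = [
    "#{summary[:name]} (maintained by #{summary[:owner]}) requests: #{summary[:scopes].join(', ')}",
    "After authorizing you will be sent to: #{summary[:redirect_uri]}",
  ]
  unless summary[:host_identifies_operator]
    lines << "Note: #{summary[:host]} is a loopback address and does not identify who operates this application."
  end
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  [LEGIT_REQUEST, IMPOSTOR_REQUEST, MISMATCH_REQUEST, ISSUE_URL].each do |url|
    puts consent_text(consent_summary(REGISTRY, url)), "---"
  end
end
```

Both constructed "MapComplete" registrations render with the same application name; only the owner line and the redirect host separate them. For the loopback redirect_uri in the report's own URL, the host line reads `127.0.0.1`, which is why proposal 2 (showing the maintainer) matters as much as proposal 1 for desktop and local-web clients.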