[openstreetmap/openstreetmap-website] OAuth flow should show more information about the application requesting rights (Issue #4217)

Tom Hughes notifications at github.com
Fri Sep 1 21:28:34 UTC 2023


Unfortunately, doorkeeper doesn't have anywhere to collect and store a URL for the application in the way the OAuth 1 library does, which is why we don't show that.

I don't see that it helps anyway, as surely your hypothetical attacker would just enter your URL in the same way they could enter MapComplete as an application name. Unless you're expecting us to start manually approving all applications, collecting and displaying extra data isn't going to prove anything.

Equally, showing the OSM username of the owner isn't going to help, as an OSM username is unlikely to have any meaning to the person authorising the application, and in any case there is nothing to stop somebody creating a user called "Map Complete Application" or whatever to own their fake MapComplete.

It would also be confusing because many existing official applications are probably owned by unlikely accounts - for example I have no idea who owns JOSM but I know that the embedded iD instance on osm.org is on my account!

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/4217#issuecomment-1703336787