[openstreetmap/openstreetmap-website] Welcome page interrupts Oauth authorization flow for newly created OSM accounts (Issue #4246)

Milan Cvetkovic notifications at github.com
Wed Sep 13 15:13:51 UTC 2023


### Problem

When a first-time user of a 3rd party app attempts to make a contribution to OSM, they have to create an OSM account and authorize the 3rd party app to act on their behalf - modify maps, read profile. Here is the typical scenario when a user creates an OSM account with username/password:

1. User initiates authorization of the app with OSM from the 3rd party app
2. User sees the OSM login page, and chooses to Sign-up instead, since they do not have an OSM account.
3. User fills in email, password, display name, and submits the form.
4. User accepts the terms, and a confirmation email is sent to them
5. After clicking the link in the email, they see the "welcome" screen. The authorization of the 3rd party app has been interrupted.

To complete the authorization, the user needs to restart the process by initiating authorization of the app with OSM again, when OSM displays the authorization screen; after accepting it, the authorization is completed. A typical web application would regain control of the flow at this time.

A similar flow happens when the user uses "Login-with" instead of creating a username/password OSM account. When email verification is not necessary, this becomes the only step where the flow is terminated:

1. User initiates authorization of the app with OSM from the 3rd party app
2. User sees the OSM login page, and chooses to use one of the "Log-in with..." buttons.
3. User fills in display name, clicks "Sign-up"
4. User accepts the terms, and submits the form
5. If email verification is not performed, the user would be redirected directly to the "welcome" page. The authorization of the 3rd party app has been interrupted.

To complete the authorization, the user needs to restart the process by initiating authorization of the app with OSM.

I have observed this behaviour with several applications, JOSM, osmcha, Map builder, to name a few. I believe it is named "semi-automatic" in JOSM for this reason.


### Description


Prevent the "welcome" screen from interrupting the OAuth flow in the above scenarios.

Proposal, one of the following:

1. Skip the "welcome" screen entirely if creating the user is initiated from the OAuth flow:
    - If there is no email confirmation, after accepting the terms, the user would be redirected to the authorization page
    - If a confirmation email is sent, the link in the email would redirect the user directly to the authorization page, after potentially having them sign in if necessary
2. Add an additional "Continue with Authorization" button to the Welcome screen that would be displayed only during the OAuth flow. Again, even when the user came to the "welcome" screen from the confirmation email, the Continue button would actually redirect them to the authorization page.

I would prefer the former, simply due to having one click less to "the end of the tunnel."

Creating this issue for more detailed discussion of a single topic mentioned in #2287.


### Screenshots

_No response_

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/4246

Message ID: <openstreetmap/openstreetmap-website/issues/4246 at github.com>
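
One way the confirmation link in the first proposal could carry the pending authorization request without becoming an open redirect, as an added example that is not part of the original issue or of the openstreetmap-website code base. The `/oauth2/authorize` path, the HMAC-signed token format, the secret and all function names are assumptions made for illustration.

```ruby
require "openssl"
require "uri"

# Added example with hypothetical names; not openstreetmap-website code.
AUTHORIZE_PATH = "/oauth2/authorize"   # assumed authorization endpoint path
SECRET = "constructed-demo-secret"     # constructed key, demo only

# Accept only a local reference to the authorization endpoint. Absolute URLs,
# scheme-relative "//host/..." forms and every other local page are rejected,
# so the confirmation link cannot be turned into an open redirect.
def safe_resume_path(candidate)
  uri = URI.parse(candidate.to_s)
  return nil if uri.scheme || uri.host || uri.userinfo
  return nil unless uri.path == AUTHORIZE_PATH
  uri.query ? "#{uri.path}?#{uri.query}" : uri.path
rescue URI::InvalidURIError
  nil
end

def hmac(data)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
end

# Length check, then XOR-accumulate so the comparison does not stop early.
def ct_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

# Called at sign-up: bind the pending authorization request to the
# confirmation link as "<hex(expiry|path)>.<mac>".
def issue_resume_token(path, now: Time.now.to_i, ttl: 3600)
  path = safe_resume_path(path)
  return nil unless path
  payload = "#{now + ttl}|#{path}".unpack1("H*")
  "#{payload}.#{hmac(payload)}"
end

# Called when the confirmation link is opened: returns the path to resume at,
# or nil (show the normal welcome page) if the token is forged, expired or unsafe.
def redeem_resume_token(token, now: Time.now.to_i)
  payload, mac = token.to_s.split(".", 2)
  return nil unless payload && mac && ct_equal?(hmac(payload), mac)
  expires, path = [payload].pack("H*").force_encoding(Encoding::UTF_8).split("|", 2)
  return nil if expires.to_i < now
  safe_resume_path(path)
end
```

The resumed path still lands on the authorization screen, so the user's explicit consent step is unchanged; only the manual restart is removed.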