[OSM-talk] Taking OSM usernames and passwords on other sites (eg Freemap)

Christopher Schmidt crschmidt at metacarta.com
Wed Mar 28 14:08:50 BST 2007


On Wed, Mar 28, 2007 at 12:56:35PM +0100, David Sheldon wrote:
> On Wed, Mar 28, 2007 at 12:27:00PM +0100, Keith Sharp wrote:
> > Would this not be an ideal opportunity to look at something like OpenID
> > for both OSM and Freemap:
> > 
> > 	http://openid.net/
> 
> I don't think that will solve the problem, which is that Freemap will
> need to make requests to OSM pretending to be the user. Does OpenID
> support giving someone permission to be you for a short period?

That would need to be worked out separately. I've thought about using
OpenID as a solution, and it really doesn't solve the problem: Freemap
still needs a way to say "I'm speaking on behalf of
crschmidt at crschmidt.net" to the OSM server. OpenID solves the reverse
problem: it allows Freemap to determine whether the person really is
crschmidt at crschmidt.net according to the OSM server.

A better model to examine is probably flickr, which has an API method
which generates a URL to send the user to. Once there, the user is
informed of some information ("The application 'foo' is asking for
permission to 'write' to flickr on your behalf"), and then allows the
user to allow or deny. If they allow, a token is stored on Flickr's
servers, and you go back to the application and click the "I went to the
website" button: once you do so, the application can go to the server
and say "I asked earlier, did you get a positive response?" to which the
Flickr server says "yes: any time you talk, use this key to talk to me,
and I'll assume that the user is the same".

Obviously, this is a non-trivial interaction. I'm not aware of any open
source code that does this already.

Regards,
-- 
Christopher Schmidt
MetaCarta
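
The exchange described in the message above, modelled in memory as an added example (not part of the original post, and not Flickr's or OSM's code). The class, method, application and URL names are hypothetical, and the application is identified by a bare name where a real server would authenticate it.

```python
import secrets
import time


class DataServer:
    """Hypothetical model of the server holding the accounts (OSM in this thread)."""

    def __init__(self, ttl=600):
        self.ttl = ttl        # seconds a request stays redeemable
        self.requests = {}    # request id -> app, perm, user, state, expires
        self.keys = {}        # issued key -> (user, app, perm)

    def start(self, app, perm, now=None):
        """App asks for a URL to send the user to."""
        now = time.time() if now is None else now
        rid = secrets.token_urlsafe(16)
        self.requests[rid] = {"app": app, "perm": perm, "user": None,
                              "state": "pending", "expires": now + self.ttl}
        return rid, "https://data.example/authorize?request=" + rid

    def decide(self, rid, user, allow):
        """User, logged in on the data server itself, allows or denies."""
        req = self.requests[rid]
        req["user"], req["state"] = user, "allowed" if allow else "denied"

    def redeem(self, rid, app, now=None):
        """App asks whether the answer was positive; a key is issued once."""
        now = time.time() if now is None else now
        req = self.requests.get(rid)
        if req is None or req["app"] != app:
            return None                  # unknown request or a different app
        if now > req["expires"]:
            del self.requests[rid]
            return None
        if req["state"] == "pending":
            return None                  # no answer yet, app may ask again
        del self.requests[rid]           # single use, allowed or denied
        if req["state"] != "allowed":
            return None
        key = secrets.token_urlsafe(32)
        self.keys[key] = (req["user"], app, req["perm"])
        return key

    def whoami(self, key, app, perm):
        """Later calls carry the key; returns the user it speaks for, or None."""
        grant = self.keys.get(key)
        if grant is None or grant[1:] != (app, perm):
            return None
        return grant[0]
```

The application never sees the user's password: it only holds a key bound to one user, one application and one permission, which the server can delete without touching the account.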



