On Fri, May 02, 2008 at 12:18:58AM +0100, Tom Hughes wrote:
> Well I assume the client app would make a request to /api/0.5/user/token
> or something with normal username+password HTTP authentication and get a
> token back that it could then use from then on.
>
> Though of course if the client app is doing it then it could just use
> the HTTP auth with username+password anyway.

Which is exactly the problem. A *remote server* now has access to OSM user credentials, which is what OAuth is designed to avoid. User credentials should never be in the hands of more people than they have to: in this case, that's you (OSM server) and the user, nobody else. That's what OAuth is for.

Regards,
-- 
Christopher Schmidt
MetaCarta

