On Fri, May 02, 2008 at 08:25:04AM +0100, Tom Hughes wrote:
> In message <[EMAIL PROTECTED]>
> Christopher Schmidt <[EMAIL PROTECTED]> wrote:
>
> > On Fri, May 02, 2008 at 12:18:58AM +0100, Tom Hughes wrote:
> >> Well I assume the client app would make a request to /api/0.5/user/token
> >> or something with normal username+password HTTP authentication and get a
> >> token back that it could then use from then on.
> >>
> >> Though of course if the client app is doing it then it could just use
> >> the HTTP auth with username+password anyway.
> >
> > Which is exactly the problem. A *remote server* now has access to OSM
> > user credentials, which is what OAuth is designed to avoid. User
> > credentials should never be in the hands of more people than they have
> > to: in this case, that's you (OSM server) and the user, nobody else.
> > That's what OAuth is for.
>
> Where did I say anything about sending the credentials to the
> remote server?

If the Flash app can get them, anyone can. The Flash app shouldn't be
asking for user credentials. It should be redirecting the user to
OSM.org to grant auth to the application.

> I said the client app (i.e. the Flash applet) asks the user for
> them and sends them directly to our server.

But there's no way to ensure that: that's the problem. If it can send
them to OSM, it can just as easily send them to "Joe Schmoe": there's
no way to force a client to do anything other than that.

> A remote site would always need to get the user to login, whether that
> was by redirecting to our site using OAuth to get a token authorised
> (which from reading the OAuth doco seems to involve redirecting to a
> login screen on our site) or by having the downloaded applet do it.

Correct. But in the OAuth case, the user never gives his credentials to
Joe Attacker OSM Developer. He only gives them to OSM -- he doesn't have
to make a judgement call every time he wants to try a new client about
whether he trusts the client or not. Currently, users make this decision
whenever they use a client other than Potlatch, but (at least to me),
that's a barrier that we shouldn't force users to go through.

Regards,
--
Christopher Schmidt
MetaCarta

_______________________________________________
dev mailing list
[email protected]
http://lists.openstreetmap.org/cgi-bin/mailman/listinfo/dev
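The two flows argued over in the thread, as an added toy model that is not part of the list discussion and not OSM's code: a password-collecting client ends up holding the user's raw password, while an OAuth-style client only ever holds a token that the server issued after the user logged in at OSM directly. It also shows one consequence the thread does not spell out: the server can revoke that one client's token without the user changing their password. Class and method names are invented for the illustration.

```python
import hashlib
import hmac
import secrets


class OsmServer:
    """Stand-in for the OSM API server (constructed example): holds passwords and tokens."""

    def __init__(self):
        self._users = {}   # username -> (salt, sha256(salt + password))
        self._tokens = {}  # access token -> (username, client_name)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def check_password(self, username, password):
        """HTTP Basic style check: whoever calls this must hold the raw password."""
        salt, digest = self._users[username]
        return hmac.compare_digest(digest, hashlib.sha256(salt + password.encode()).digest())

    def authorise_client(self, username, password, client_name):
        """User logs in *at OSM* and grants a named client a token (OAuth-style grant)."""
        if not self.check_password(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (username, client_name)
        return token

    def api_call_with_token(self, token):
        """Edit request carrying only the token; returns (user, client) or None if revoked."""
        return self._tokens.get(token)

    def revoke(self, token):
        """Cut off one client without the user having to change their password."""
        self._tokens.pop(token, None)


class ThirdPartyClient:
    """A downloaded applet; anything it is handed, it could forward anywhere."""

    def __init__(self, name):
        self.name = name
        self.seen = []  # every secret this client has ever been given

    def password_flow(self, server, username, password):
        self.seen.append(password)           # the raw password is now in the client's hands
        return server.check_password(username, password)

    def token_flow(self, server, token):
        self.seen.append(token)              # only a revocable, client-bound token
        return server.api_call_with_token(token)
```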

