On Wed, Apr 22, 2009 at 7:43 AM, Frederik Ramm <[email protected]> wrote:
> Something like
>
> * user tells application "please revert changeset"
> * application redirects user to API
> * API tells user "please authenticate for application X"
> * user enters credentials
> * API redirects user back to application, with magic token
> * application makes API requests using magic token
>
> I don't know how far existing technologies can be used to achieve this;
> I believe OpenAuth only goes so far as to tell the application "yes,
> that guy really is user abc123 at my site", it doesn't do the second bit.

OAuth does the second bit too. :-)

We can certainly limit the scope of the OAuth token to a particular
changeset, or to particular API calls, allowing users pretty
fine-grained control over what 3rd party apps are allowed to do on
their behalf.

cheers,

matt

_______________________________________________
dev mailing list
[email protected]
http://lists.openstreetmap.org/listinfo/dev
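
The token scoping described in the reply above, as an added example that is not part of the original thread and is not OpenStreetMap's code: the API issues an opaque token after the user approves an application, and every later request is checked against the grant stored for that token. The route labels, function names, in-memory table and expiry time are all assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    changeset: Optional[int]   # None means "not limited to one changeset"
    calls: frozenset           # allowed (method, route) pairs
    expires: float

GRANTS = {}  # token -> Grant; in-memory stand-in for the server's token table

def issue_token(user, app, calls, changeset=None, ttl=600, now=None):
    """Run by the API after the user has authenticated and approved `app`."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # opaque: carries no rights by itself
    GRANTS[token] = Grant(user, app, changeset, frozenset(calls), now + ttl)
    return token

def authorize(token, method, route, changeset=None, now=None):
    """Return the user to act as, or raise PermissionError (deny by default)."""
    now = time.time() if now is None else now
    grant = GRANTS.get(token)
    if grant is None:
        raise PermissionError("unknown token")
    if now >= grant.expires:
        GRANTS.pop(token, None)  # expired grants are dropped on first use
        raise PermissionError("token expired")
    if (method, route) not in grant.calls:
        raise PermissionError("call not covered by token scope")
    if grant.changeset is not None and changeset != grant.changeset:
        raise PermissionError("token limited to another changeset")
    return grant.user

def allowed(token, method, route, changeset=None, now=None):
    """Boolean wrapper around authorize() for callers that only need yes/no."""
    try:
        authorize(token, method, route, changeset, now)
        return True
    except PermissionError:
        return False
```
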
