> On the technical side, things are even worse. The elephant in the room is 
> OAuth. OAuth is built in particular on the assumptions that
> - the consumer ("the website") acts stateful
> - sessions are relatively long-lived, i.e. some seconds to some hours
> - the identity provider has the cross-origin assets
> All three are not true for Overpass API which means that I have to work 
> around OAuth or significantly mess with it.

Just wanted to respond to the technical part of this - my impression was that 
embedding a policy change into an OAuth flow wouldn’t be too intrusive.

I was assuming that server side they would just revoke everyone’s OAuth tokens 
for certain apps (essentially forcing everyone to be logged out).

When using the OAuth app, at some point the user would need to log in. They'd 
be presented with the same screen requesting account permissions, but then 
might be redirected through an extra screen that explains the privacy policy 
and asks the user to read and check a box before continuing. This screen could 
appear only if their account hasn’t already accepted the policy. Finally OAuth 
would call back to your app with the secrets like it normally would.

I could be misunderstanding; hopefully someone will correct me if I’m wrong :)

Thanks, Bryan
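The flow Bryan sketches, as an added example that is not code from this thread or from the OSM or Overpass projects: a minimal model of an authorization endpoint that first revokes an app's tokens (forcing re-login) and then gates the callback on whether the account has accepted the policy. The class, method and policy-version names are assumptions.

```python
"""Model of an OAuth policy-acceptance gate (added example; names assumed)."""
import secrets
from dataclasses import dataclass, field

POLICY_VERSION = "privacy-policy-v1"  # assumed identifier of the policy to accept


@dataclass
class AuthServer:
    # user -> set of policy versions that account has accepted
    accepted: dict = field(default_factory=dict)
    # (user, app_id) -> access token currently valid for that app
    tokens: dict = field(default_factory=dict)

    def revoke_app_tokens(self, app_id):
        """Step 1: invalidate every token issued to app_id so each user of that
        app must go through the authorization flow again. Returns the count."""
        revoked = [key for key in self.tokens if key[1] == app_id]
        for key in revoked:
            del self.tokens[key]
        return len(revoked)

    def authorize(self, user, app_id, permissions_granted, policy_checked=False):
        """Step 2: decide what the authorization endpoint does next.

        ("denied", None)          the user refused the permission screen
        ("policy_screen", None)   the account has not yet accepted the policy,
                                  so the extra screen is shown before callback
        ("callback", token)       login, consent and policy all satisfied
        """
        if not permissions_granted:
            return ("denied", None)
        if policy_checked:  # the box on the policy screen was ticked
            self.accepted.setdefault(user, set()).add(POLICY_VERSION)
        if POLICY_VERSION not in self.accepted.get(user, set()):
            return ("policy_screen", None)
        # Only now is a fresh secret issued to the app, as in a normal flow.
        token = secrets.token_urlsafe(16)
        self.tokens[(user, app_id)] = token
        return ("callback", token)


if __name__ == "__main__":
    srv = AuthServer()
    srv.tokens[("alice", "overpass-app")] = "old-token"  # constructed state
    print("revoked:", srv.revoke_app_tokens("overpass-app"))
    print(srv.authorize("alice", "overpass-app", True))
    print(srv.authorize("alice", "overpass-app", True, policy_checked=True)[0])
    print(srv.authorize("alice", "overpass-app", True)[0])  # no second screen
```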


_______________________________________________
dev mailing list
[email protected]
https://lists.openstreetmap.org/listinfo/dev