On Wed, Oct 7, 2009 at 2:34 PM, Lars Francke <[email protected]> wrote:
> This is quite technical but it works. I assumed a few things:
> - OSM switches to OAuth 1.0a, Matt Amos is aware of this and I believe
> it will be done eventually. He's done great work so far. I just don't
> know enough about Ruby on Rails

yes. it's on my TODO list. hopefully will come soon, but don't let it hold anything up - oauth 1.0 isn't as good as 1.0a, but it's still better than HTTP Basic Auth ;-)

> - The Consumer Key and Consumer Secret provide no additional security
> here as they'd have to be stored in JOSM's source code

there's an alternative here - the josm server could provide this functionality, performing the OAuth setup and returning just the access token + secret to the app. this isn't any more secure, but means that the consumer key and secret do not need to be divulged.

> And yes OAuth is implemented for OSM[5]. I don't know the specifics
> for Java but the whole OAuth process is generally very easy to
> implement for a client. A desktop client like JOSM would require some
> extra steps (redirect to external browser, ...) but it shouldn't be too
> hard. But until HTTPS is offered it doesn't really make sense to
> switch/implement it.

i tried, but the only ready-made OAuth library for java i could find used a different network stack than the one already used in josm. at this point i got scared and ran away ;-)

SSL/TLS for the main site has been talked about before and there should be an admins meeting coming up soon, so i'll see what gets said there. i think it's unlikely to cover the whole API, but maybe the login page + OAuth API is enough.

cheers,

matt

_______________________________________________
josm-dev mailing list
[email protected]
http://lists.openstreetmap.org/listinfo/josm-dev
