Hi, Karl Guggisberg wrote: >> Probably right although I'm sure a way can be found to save the user from >> having to cut+paste the token. > I'm afraid, it can't. If JOSM was a web application, it would be part of the > OAuth protocol that the OSM > website "calls back" JOSM with the request token. For a java rich client this > is isn't possible.
I quizzed Matt Amos about this and he said: no, the callback isn't necessary. it's a good idea, if josm isn't going to use it, to have it direct to a "thanks, you can close this window" static page, though. the app already knows the token, as it negotiated it with the server. the only reason for the callback is to help web-apps stay stateless. for example, if the app associates the token with session 1, but the user doesn't log in immediately or signs up and gets redirected via their email client for email validation then when they follow the callback it could be in session 2. so the callback is just there to help tie the sessions together. josm will already have the unauthorised request token when it sends the user to log in. it then has to make a final call to swap the newly authorised request token for an access token. Bye Frederik _______________________________________________ josm-dev mailing list josm-dev@openstreetmap.org http://lists.openstreetmap.org/listinfo/josm-dev