[OSM-dev] Sending messages to users
As an answer to a thread initiated by Serge Wroclawski a year ago, Alex Barth wrote:

> A messaging API that uses an OAuth based flow would be a great thing to have and it would be hard to abuse for spamming. Messages could only be sent from applications users have explicitly opted in to and only to users who have allowed this application to send them messages (opt-in or opt-out for messaging preferences TBD).
>
> I think the map roulette use case is a great illustration of how such a messaging API would facilitate better tools in the OSM orbit. Messaging is a huge part of building good web tools.

Another good example of an application which would make good use of a messaging API is the Tasking Manager. Even more so if we consider a more robust validation process within the tool.

I'm interested to know if the opinions have changed on this topic.

Best regards.

Pierre

--
Pierre GIRAUD

___
dev mailing list
dev@openstreetmap.org
https://lists.openstreetmap.org/listinfo/dev
Re: [OSM-dev] OAuth down
With this patch applied, I had to revert my application code to what it was before I started having problems (before the Ruby3 upgrade). I'm lost.

Pierre

On Sat, Nov 19, 2011 at 1:27 AM, Tom Hughes t...@compton.nu wrote:
> On 18/11/11 19:58, Tom Hughes wrote:
>> It seems the callbacks not working with 1.0 is a bug in the plugin which I'm working on fixing now...
>
> I've sent a pull request upstream with my fix:
>
> https://github.com/pelle/oauth-plugin/pull/99
>
> I've also patched in a fixed version of the method in our code to override the plugin for now, so OAuth 1.0 callbacks should work now.
>
> Tom
>
> --
> Tom Hughes (t...@compton.nu)
> http://compton.nu/

--
Pierre GIRAUD | http://pierrelebricoleur.blogspot.com | http://www.flickr.com/photos/pierregiraud
Re: [OSM-dev] OAuth down
As already said, I don't claim any specific version. Which is somewhat wrong. Or maybe the library I use does it for me. I want to make things as clear as possible on my side before I get back to you.

Pierre

On Sat, Nov 19, 2011 at 12:51 PM, Tom Hughes t...@compton.nu wrote:
> On 19/11/11 11:45, Pierre GIRAUD wrote:
>> With this patch applied, I had to revert my application code to what it was before I started having problems (before the Ruby3 upgrade). I'm lost.
>
> What version of OAuth are you claiming? If you're claiming 1.0 then that is probably correct because you had switched to the 1.0a way of doing things. If you're claiming 1.0a then that sounds like I have broken something :-(
>
> Tom
>
> --
> Tom Hughes (t...@compton.nu)
> http://compton.nu/

--
Pierre GIRAUD | http://pierrelebricoleur.blogspot.com | http://www.flickr.com/photos/pierregiraud
Re: [OSM-dev] OAuth down
Hey Tom,

Thanks again for your efforts! I'm now using 1.0a (setting a callback when requesting a token) and it works fine again.

My concerns now are to avoid the authorization multiplication, i.e. to prevent users from being asked several times for a permission they already gave. Shouldn't there be a mechanism that verifies that the application has already been authorized?

In this application [1] described here [2], once the user has authorized the application, he can log in again and again without being asked for permission unless he goes to the profile and revokes the authorization intentionally.

[1] http://facebook-auth.appspot.com/
[2] http://facebook-python-library.docs-library.appspot.com/facebook-python/examples/oauth.html

Here's the workflow (succession of pages with their respective status code or user actions):

1/ appspot home - user clicks on login link - appspot login (302) - FB authorize (302) - FB permissions.request (200) - user clicks on authorize button - FB permissions.request (302) - appspot home (200)
2/ appspot home - user clicks on logout link - cookies are reset
3/ appspot home - user clicks on login - appspot login (302) - FB authorize (302) - FB permissions.request (302) - appspot home (200)

Is it possible to have the same behavior with 1.0a? Do I have to do something specific on my side? Or is it something that needs to be handled server-side?

Cheers,

Pierre

On Sat, Nov 19, 2011 at 6:48 PM, Tom Hughes t...@compton.nu wrote:
> On 19/11/11 12:00, Pierre GIRAUD wrote:
>> As already said, I don't claim any specific version. Which is somewhat wrong. Or maybe the library I use does it for me.
>
> That is actually valid as 1.0 is the default, and 1.0a doesn't actually use a separate version - it is triggered by the presence of the callback parameter when creating a request token.
>
> You were in fact correct that I had broken 1.0a last night when I fixed the 1.0 callback handling...
>
> That is now fixed, and we have 240 new assertions in our test suite to try and make sure we don't break OAuth again in the future.
>
> For the record you should use 1.0a if possible as 1.0 has security issues and we should really stop allowing it - we just need to make Potlatch and JOSM use 1.0a first...
>
> Tom
>
> --
> Tom Hughes (t...@compton.nu)
> http://compton.nu/

--
Pierre GIRAUD | http://pierrelebricoleur.blogspot.com | http://www.flickr.com/photos/pierregiraud
Re: [OSM-dev] OAuth down
I'm probably missing something obvious. My apologies if it's actually the case.

I don't know if we can trust that, but in the facebook example previously given, they're talking about OAuth 2.0.

Anyway, my problem is that I cannot really cache the access token and the corresponding secret. My application is a web application. Users connect via a browser. My application doesn't deal with any authentication itself. I cannot therefore store (in a database) any token for a user because I don't know which user is actually connected before he logs in using the OSM OAuth service.

Well, I'm already storing the username (which is the only information I need actually) in a cookie so that they don't have to re-log in if they close their browser. But this cookie expires when it is 2 weeks old. I don't really want a cookie that never expires. I can't tell why. When the cookie expires, the user is then anonymous and is invited to log in using OSM authorization before he can use the application.

I can of course save the information about the token in a cookie as well, but I cannot ensure that the cookie will not be deleted. If so, the user will be asked for permission again. Which means a new entry in the list of authorized applications in the user's oauth settings on the OSM site.

Another good example is the login with twitter on yfrog. As far as I know, twitter uses OAuth. If you go to yfrog.com, you can sign in with twitter. Then you can sign out and sign in again. Each time you sign in, you're asked to authorize the application to access your twitter data. However, if you go to your twitter account settings, in the application tab, you can see an entry for yfrog (and only one). Even more, it's the first one you accepted.

I hope this makes sense.

Pierre

On Sat, Nov 19, 2011 at 8:28 PM, Tom Hughes t...@compton.nu wrote:
> On 19/11/11 19:15, Pierre GIRAUD wrote:
>> My concerns now are to avoid the authorization multiplication, i.e. to prevent users from being asked several times for a permission they already gave.
>
> Well just carry on using the same access token that you got the first time. You only get proliferation if you keep restarting the process by getting a new request token, authorising it, and then converting it to an access token.
>
>> Shouldn't there be a mechanism that verifies that the application has already been authorized?
>
> Yes - your possession of the access token and its secret is how you prove that you have been authorized. If you hang on to those and reuse them then we will continue to allow you access.
>
>> In this application [1] described here [2], once the user has authorized the application, he can log in again and again without being asked for permission unless he goes to the profile and revokes the authorization intentionally.
>>
>> [1] http://facebook-auth.appspot.com/
>> [2] http://facebook-python-library.docs-library.appspot.com/facebook-python/examples/oauth.html
>
> Facebook is not directly comparable because it doesn't use OAuth as far as I know. It uses the proprietary Facebook Connect protocol.
>
> I don't know the details of how the Facebook protocol works, but it is certainly possible to do what you want with OAuth.
>
> Tom
>
> --
> Tom Hughes (t...@compton.nu)
> http://compton.nu/

--
Pierre GIRAUD | http://pierrelebricoleur.blogspot.com | http://www.flickr.com/photos/pierregiraud
Re: [OSM-dev] OAuth down
Here's another good example.

http://www.jaisenmathai.com/sign_in_with_twitter/start.php

Even better, the authorization step is only required once, unless you manually revoke permission in the twitter account settings.

Pierre

On Sun, Nov 20, 2011 at 12:10 AM, Pierre GIRAUD pierre.gir...@gmail.com wrote:
> I'm probably missing something obvious. My apologies if it's actually the case.
>
> I don't know if we can trust that, but in the facebook example previously given, they're talking about OAuth 2.0.
>
> Anyway, my problem is that I cannot really cache the access token and the corresponding secret. My application is a web application. Users connect via a browser. My application doesn't deal with any authentication itself. I cannot therefore store (in a database) any token for a user because I don't know which user is actually connected before he logs in using the OSM OAuth service.
>
> Well, I'm already storing the username (which is the only information I need actually) in a cookie so that they don't have to re-log in if they close their browser. But this cookie expires when it is 2 weeks old. I don't really want a cookie that never expires. I can't tell why. When the cookie expires, the user is then anonymous and is invited to log in using OSM authorization before he can use the application.
>
> I can of course save the information about the token in a cookie as well, but I cannot ensure that the cookie will not be deleted. If so, the user will be asked for permission again. Which means a new entry in the list of authorized applications in the user's oauth settings on the OSM site.
>
> Another good example is the login with twitter on yfrog. As far as I know, twitter uses OAuth. If you go to yfrog.com, you can sign in with twitter. Then you can sign out and sign in again. Each time you sign in, you're asked to authorize the application to access your twitter data. However, if you go to your twitter account settings, in the application tab, you can see an entry for yfrog (and only one). Even more, it's the first one you accepted.
>
> I hope this makes sense.
>
> Pierre
>
> On Sat, Nov 19, 2011 at 8:28 PM, Tom Hughes t...@compton.nu wrote:
>> On 19/11/11 19:15, Pierre GIRAUD wrote:
>>> My concerns now are to avoid the authorization multiplication, i.e. to prevent users from being asked several times for a permission they already gave.
>>
>> Well just carry on using the same access token that you got the first time. You only get proliferation if you keep restarting the process by getting a new request token, authorising it, and then converting it to an access token.
>>
>>> Shouldn't there be a mechanism that verifies that the application has already been authorized?
>>
>> Yes - your possession of the access token and its secret is how you prove that you have been authorized. If you hang on to those and reuse them then we will continue to allow you access.
>>
>>> In this application [1] described here [2], once the user has authorized the application, he can log in again and again without being asked for permission unless he goes to the profile and revokes the authorization intentionally.
>>>
>>> [1] http://facebook-auth.appspot.com/
>>> [2] http://facebook-python-library.docs-library.appspot.com/facebook-python/examples/oauth.html
>>
>> Facebook is not directly comparable because it doesn't use OAuth as far as I know. It uses the proprietary Facebook Connect protocol.
>>
>> I don't know the details of how the Facebook protocol works, but it is certainly possible to do what you want with OAuth.
>>
>> Tom
>>
>> --
>> Tom Hughes (t...@compton.nu)
>> http://compton.nu/
>
> --
> Pierre GIRAUD | http://pierrelebricoleur.blogspot.com | http://www.flickr.com/photos/pierregiraud

--
Pierre GIRAUD | http://pierrelebricoleur.blogspot.com | http://www.flickr.com/photos/pierregiraud
Re: [OSM-dev] OAuth down
Hey!

The problem is fixed. You were right. The problem came also from a missing verifier parameter. I actually don't set the version in the requests. Which is definitely wrong.

I also need to read the docs a bit more because I think I also have an issue with the user authorization step. A new item is added in the user's authorised applications. Which is awkward.

Thanks for help anyway.

Pierre.

Sent from my iPhone

On 18 Nov 2011 at 20:14, Tom Hughes t...@compton.nu wrote:
> On 18/11/11 16:59, Pierre GIRAUD wrote:
>> Giving details on what you did on the tester helped me a lot. I can confirm that the callback is correctly used. The difference is that I used to set the callback in the authorize call. Putting it earlier in the request_token request helped me go a step further.
>
> After investigating further, it seems that passing the callback to authorize is the OAuth 1.0 way of doing things - in 1.0a it was changed so that you pass it to request_token instead.
>
> The callback (in 1.0a) is then given a verifier that needs to be passed back to get the access token - maybe that is where your access token problems are?
>
> Anyway, we are supposed to have 1.0 turned on still, so I will need to look into why that isn't working. Using 1.0 without a callback (as Potlatch 2 does) is working.
>
> Tom
>
> --
> Tom Hughes (t...@compton.nu)
> http://compton.nu/
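The 1.0a flow Tom describes above (callback bound at request_token, verifier delivered to the callback and required for the access-token exchange) and the token reuse he recommends in his reply on "authorization multiplication", as an added toy model. This is not the OSM or oauth-plugin code; the Provider class, the consumer key "tasks" and the callback URL are constructed for illustration and request signing is left out.

```python
import secrets
import hmac
from dataclasses import dataclass, field


@dataclass
class Provider:
    """Toy in-memory OAuth 1.0a provider (constructed, not oauth-plugin's code)."""
    request_tokens: dict = field(default_factory=dict)
    access_tokens: dict = field(default_factory=dict)
    authorized_apps: dict = field(default_factory=dict)  # user -> [consumer_key, ...]

    def request_token(self, consumer_key, oauth_callback):
        # 1.0a: the callback is bound to the request token here, not at the authorize step.
        if not oauth_callback:
            raise ValueError("1.0a needs oauth_callback (a URL or 'oob') at request_token")
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer_key, "callback": oauth_callback,
                                      "verifier": None, "user": None}
        return token

    def authorize(self, token, user):
        # The user approves the app: a verifier is minted and the app is listed
        # under the user's authorised applications (one entry per completed dance).
        rt = self.request_tokens[token]
        rt["user"], rt["verifier"] = user, secrets.token_hex(4)
        self.authorized_apps.setdefault(user, []).append(rt["consumer"])
        return rt["callback"], rt["verifier"]

    def access_token(self, token, verifier):
        # Request tokens are single use, and the exchange fails without the verifier
        # that was delivered to the callback; this check is what 1.0a adds over 1.0.
        rt = self.request_tokens.pop(token)
        if rt["verifier"] is None or not hmac.compare_digest(rt["verifier"], verifier or ""):
            raise PermissionError("missing or wrong oauth_verifier")
        token = secrets.token_hex(8)
        self.access_tokens[token] = {"consumer": rt["consumer"], "user": rt["user"]}
        return token


def login(provider, consumer_key, user, cached_access_token=None):
    """Client side. A cached access token is itself the proof of authorization,
    so reusing it skips the dance; only restarting the dance adds another entry."""
    if cached_access_token in provider.access_tokens:
        return cached_access_token
    rt = provider.request_token(consumer_key, "https://app.example/cb")  # hypothetical URL
    _callback, verifier = provider.authorize(rt, user)  # user clicks "Authorize"
    return provider.access_token(rt, verifier)  # verifier arrives via the callback


def authorized_entries(provider, user):
    return len(provider.authorized_apps.get(user, []))


def exchange_without_verifier_fails(provider, consumer_key, user):
    """Exchange a freshly authorised request token without its verifier."""
    rt = provider.request_token(consumer_key, "oob")
    provider.authorize(rt, user)
    try:
        provider.access_token(rt, None)
    except PermissionError:
        return True
    return False
```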
Re: [OSM-dev] OAuth down
Hi,

I had a look at the oauth-plugin code (https://github.com/pelle/oauth-plugin) which is supposed to be used in the OSM website to find where there could be an issue.

I suspect something goes wrong in the oauth1_authorize method:
https://github.com/pelle/oauth-plugin/blob/master/lib/oauth/controllers/provider_controller.rb#L101

If I understand correctly, the browser should be redirected to redirect_url. This redirect_url value comes either:
- from the application settings (as set by the user when registering the application) if oob is given as value for oauth_callback,
- or, from the oauth_callback value set in parameters if not equal to oob.

If redirect_url is empty, then authorize success is rendered. I'm pretty sure that the latter is the case I'm currently facing.

Can someone please confirm I'm right?

Once again, as a test, you can try to log in to http://tasks.hotosm.org, or maybe use this client tester http://term.ie/oauth/example/client.php. I can provide advice on how to use the latter.

Thanks a lot.

Pierre

On Thu, Nov 17, 2011 at 10:01 AM, Tom Hughes t...@compton.nu wrote:
> On 17/11/11 08:58, Andy Allan wrote:
>> On 17 November 2011 06:59, Pierre GIRAUD pierre.gir...@gmail.com wrote:
>>> Can you point me to urls to show me what changed recently? (commits, diffs)
>>
>> https://github.com/openstreetmap/openstreetmap-website/network
>>
>> The "what changed recently" was that we upgraded from rails 2.x to 3.1 - so many things needed changing. You can see the commits that were rebased onto master, there's plenty of them, and lots of plugins have changed too.
>>
>> It's unlikely that the diffs will help you figure out what changed, since so much has! I guess if you can reproduce the issue then a binary search might help, but it's likely to be a plugin upgrade or some other large change.
>
> Correct - the oauth and/or oauth-plugin gems are probably involved especially as the oauth-plugin gem is an rc not a final release.
>
> What should be happening is that the rack module in oauth-plugin should be setting the token_callback_url on the ClientApplication object, which is then propagated to the RequestToken.
>
> Tom
>
> --
> Tom Hughes (t...@compton.nu)
> http://compton.nu/

--
Pierre GIRAUD | http://pierrelebricoleur.blogspot.com | http://www.flickr.com/photos/pierregiraud
Re: [OSM-dev] OAuth down
On Wed, Nov 16, 2011 at 8:11 AM, Tom Hughes t...@compton.nu wrote:
> On 16/11/11 07:00, Pierre Giraud wrote:
>> Am I the only one to have encountered issues with the OAuth service since yesterday? It doesn't seem to respond anymore.
>
> Well Potlatch uses it, so if it wasn't working I think we would have had a few complaints by now. Equally I used JOSM yesterday after the rails upgrade and that was working fine.

I just tested JOSM by setting explicitly that I wanted to use the OAuth authentication. And I received an error when getting the access request.

>> Curiously using the "for development and testing purposes" urls is OK [2]. I can't use them in my application though. I get 503 Unauthorized errors, as if my application wasn't registered.
>
> To be honest I'm amazed that is working at all - it must just still be running the old rails 2 code.
>
> Tom
>
> --
> Tom Hughes (t...@compton.nu)
> http://compton.nu/

--
Pierre GIRAUD
Geomatician, Analyst
Camptocamp France SAS
Savoie Technolac, BP 352
73377 Le Bourget du Lac, Cedex
Tel : 00 33 4 79 44 44 93
Mail : pierre.gir...@camptocamp.com
http://www.camptocamp.com
Re: [OSM-dev] OAuth down
Indeed, that's better.

There's still a problem though. The oauth_callback doesn't seem to be taken into account.

For your information, the application I've been developing is http://tasks.hotosm.org.

Pierre

On Wed, Nov 16, 2011 at 11:47 PM, Tom Hughes t...@compton.nu wrote:
> On 16/11/11 17:25, Pierre Giraud wrote:
>> I just tested JOSM by setting explicitly that I wanted to use the OAuth authentication. And I received an error when getting the access request.
>
> I think it should be fixed now.
>
> Tom
>
> --
> Tom Hughes (t...@compton.nu)
> http://compton.nu/

--
Pierre GIRAUD | http://pierrelebricoleur.blogspot.com | http://www.flickr.com/photos/pierregiraud
Re: [OSM-dev] OAuth down
Can you point me to urls to show me what changed recently? (commits, diffs)

Thanks a lot.

On Thu, Nov 17, 2011 at 1:47 AM, Tom Hughes t...@compton.nu wrote:
> On 16/11/11 22:56, Pierre GIRAUD wrote:
>> There's still a problem though. The oauth_callback doesn't seem to be taken into account.
>
> I can't see any obvious reason for this, and I don't really have a way to test it. The code that handles this is largely in the plugins we use rather than our code.
>
> It looks like callbacks specified when the application is registered are working, but the code looks like it should be handling callbacks specified when the request token is generated as well.
>
> Tom
>
> --
> Tom Hughes (t...@compton.nu)
> http://compton.nu/

--
Pierre GIRAUD | http://pierrelebricoleur.blogspot.com | http://www.flickr.com/photos/pierregiraud
[OSM-dev] OAuth down
Hi all,

Am I the only one to have encountered issues with the OAuth service since yesterday? It doesn't seem to respond anymore [1].

Curiously using the "for development and testing purposes" urls is OK [2]. I can't use them in my application though. I get 503 Unauthorized errors, as if my application wasn't registered.

Can someone give it a try? Maybe fix it? Or give me tips for a workaround?

Thanks a bunch.

Pierre

[1] http://www.openstreetmap.org/oauth/request_token
[2] http://api06.dev.openstreetmap.org/oauth/request_token

--
Pierre GIRAUD
Geomatician, Analyst
Camptocamp France SAS
Savoie Technolac, BP 352
73377 Le Bourget du Lac, Cedex
Tel : 00 33 4 79 44 44 93
Mail : pierre.gir...@camptocamp.com
http://www.camptocamp.com