Re: [OSM-talk] User diary enhancements, subscriptions, Facebook/Twitter integration

[Serge Wroclawski]

On Mon, May 9, 2011 at 11:56 AM, Kai Krueger  wrote:
>
> Serge Wroclawski-2 wrote:
>>
>> The first solution, using OAuth against what was a RESTful API, is bad.
>>
>
> Whether OAuth fits the ideology of a RESTful API or not, it is already
> heavily used in OpenStreetMap.

One of the strengths of OSM is its clear, simple API. It's actually
one the best APIs I've seen in the wild. You're proposing to break the
API and the design methodology that the API is built on.

> OAuth is the preferred method of authenticating JOSM against the API, it is
> the only(?) way that Potlatch 2 can authenticate, various other editors and
> POI collectors currently use OAuth and it is the recommended way to talk to
> the API. If I remember correctly at some point even the idea of disabling
> password based authentication was briefly maintained to prevent the password
> being sent in cleartext all the time.

Let's not forget that we're discussing OpenID, not OAuth, but
secondly, everything related to authentication has security
implications. The one you mentioned is easily fixed with SSL.

OpenID itself has an issue a few days ago:

http://openid.net/2011/05/05/attribute-exchange-security-alert

> So given that OAuth is already heavily used, I don't see an issue with
> relying on it for the purpose of OpenID.

I don't have a problem with, and even like OAuth, except when it comes
to the API. I don't like the idea of OAuth being required for a
RESTful API.

- Serge

___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] User diary enhancements, subscriptions, Facebook/Twitter integration

[Kai Krueger]

Serge Wroclawski-2 wrote:
> 
> The first solution, using OAuth against what was a RESTful API, is bad.
> 

Whether OAuth fits the ideology of a RESTful API or not, it is already
heavily used in OpenStreetMap.

OAuth is the preferred method of authenticating JOSM against the API, it is
the only(?) way that Potlatch 2 can authenticate, various other editors and
POI collectors currently use OAuth and it is the recommended way to talk to
the API. If I remember correctly at some point even the idea of disabling
password based authentication was briefly maintained to prevent the password
being sent in cleartext all the time.

So given that OAuth is already heavily used, I don't see an issue with
relying on it for the purpose of OpenID. 

And should you really want to use one of those few applications that don't
support OAuth yet, there is the option of still using the password, although
indeed that would defeat much of the purpose of OpenID.

Kai  

--
View this message in context: 
http://gis.638310.n2.nabble.com/User-diary-enhancements-subscriptions-Facebook-Twitter-integration-tp6340003p6344736.html
Sent from the General Discussion mailing list archive at Nabble.com.

___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] User diary enhancements, subscriptions, Facebook/Twitter integration

[Matt Amos]

On Mon, May 9, 2011 at 12:51 AM, Samat K Jain  wrote:
> On Saturday, May 07, 2011 08:26:28 AM Kai Krueger wrote:
>> Yes, there is a fully functional OpenID implementation.
>> http://openid.dev.openstreetmap.org/
>>
>> However, it currently doesn't seem to have the political support necessary
>> to get it merged. But perhaps if enough people express their interest this
>> might change.
>
> What exactly do OpenID supporters need to do to express the requisite 
> political support?
>
> The last thread on OpenID was one I started back in February:
>
>  http://gis.638310.n2.nabble.com/OpenID-for-OpenStreetMap-td6010177.html
>
> This thread is repeating arguments already made…

as in the thread that you refer to:

On Feb 10, 2011; 9:15am, TomH wrote:
> Because there are a few outstanding issues with the implementation (yes,
> we have an implementation) that we need to resolve first.
>
> Actually, they're mostly not with the implementation but with the fact
> that the unit tests are currently broken on that branch. I know how to
> fix that now, but I haven't had time to do it.

this is not a matter of political support, but a matter of fixing the
broken unit tests for OpenID support. however, it seems that no-one
really wants OpenID support enough to spend the time to fix them.

i'm sure if you asked TomH nicely, he'll explain in more detail what
needs to be done, if anyone feels like getting their hands dirty.

cheers,

matt

___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] User diary enhancements, subscriptions, Facebook/Twitter integration

[Serge Wroclawski]

On Mon, May 9, 2011 at 3:13 AM, Frederik Ramm  wrote:
> Hi,
>
> On 05/09/2011 06:21 AM, Serge Wroclawski wrote:
>>
>> The API is RESTful, and therefore should hold no state. OAuth is
>> precisely the opposite of that.
>
> One could argue that at least the write API (which is the one mainly
> requiring authentication) is stateful already because you have to open a
> changeset and refer to that in every request.

They could argue that, but they would be wrong. :)

Statefulness in this context refers to the connection state. Neither
the server nor client should be have to keep any connection state in
between HTTP connections..

Changesets aren't part of the HTTP connection state.

- Serge

___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] User diary enhancements, subscriptions, Facebook/Twitter integration

[Frederik Ramm]

Hi,

On 05/09/2011 06:21 AM, Serge Wroclawski wrote:

The API is RESTful, and therefore should hold no state. OAuth is
precisely the opposite of that.


One could argue that at least the write API (which is the one mainly 
requiring authentication) is stateful already because you have to open a 
changeset and refer to that in every request.


Bye
Frederik

___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] User diary enhancements, subscriptions, Facebook/Twitter integration

[Serge Wroclawski]

On Sat, May 7, 2011 at 1:56 PM, Kai Krueger  wrote:
>
> Serge Wroclawski-2 wrote:
>>
>> How does authentication work on the API level with OpenID?
>>
> Preferably through OAuth

The API is RESTful, and therefore should hold no state. OAuth is
precisely the opposite of that.

> but the account can/should still have a password

The basic point of OpenID is that you get rid of the need for the user
to have credentials per site, and allow the provider to handle
authentication how it sees fit.

The first solution, using OAuth against what was a RESTful API, is bad.

The second solution, of offering a second form of authentication,
isn't awful, but it's a bit confusing. Then we either have some users
who are entirely OpenID, and others who aren't, or else we have all
users with passwords, like we do now, and so what's the point of the
OpenID?

- Serge

___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] User diary enhancements, subscriptions, Facebook/Twitter integration

[Samat K Jain]

On Saturday, May 07, 2011 08:26:28 AM Kai Krueger wrote:
> Yes, there is a fully functional OpenID implementation.
> http://openid.dev.openstreetmap.org/
> 
> However, it currently doesn't seem to have the political support necessary
> to get it merged. But perhaps if enough people express their interest this
> might change.

What exactly do OpenID supporters need to do to express the requisite political 
support?

The last thread on OpenID was one I started back in February:

  http://gis.638310.n2.nabble.com/OpenID-for-OpenStreetMap-td6010177.html

This thread is repeating arguments already made…
  
-- 
Samat K Jain  | GPG: 0x4A456FBA

When I get real bored, I like to drive downtown and get a great parking spot, 
then sit in my car and count how many people ask me if I'm leaving.
-- Steven Wright (558)

___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] User diary enhancements, subscriptions, Facebook/Twitter integration

[Kai Krueger]

Serge Wroclawski-2 wrote:
> 
> How does authentication work on the API level with OpenID?
> 
Preferably through OAuth, but the account can/should still have a password
associated just like before in case you need basic auth in the API


--
View this message in context: 
http://gis.638310.n2.nabble.com/User-diary-enhancements-subscriptions-Facebook-Twitter-integration-tp6340003p6340521.html
Sent from the General Discussion mailing list archive at Nabble.com.

___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] User diary enhancements, subscriptions, Facebook/Twitter integration

[Serge Wroclawski]

On Sat, May 7, 2011 at 1:07 PM, Kai Krueger  wrote:


> For example, if you hit the edit button without having an account, you get
> redirected to the login page. If you then hit e.g. the gmail button you will
> automatically get to the create account page with some of the details
> already pre-filled in (coming from the OpenID provider) You then only have
> to confirm the account creation and the CT. Once done, you are logged in and
> automatically referred back to Potlatch for editing.

How does authentication work on the API level with OpenID?

- Serge

___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] User diary enhancements, subscriptions, Facebook/Twitter integration

[Kai Krueger]

Frederik Ramm wrote:
> 
> Also, don't misunderstand how the OpenID login works - you will still 
> have to create an account with OSM, it's only that your everyday login 
> will be simplified. So anyone for whom the signup is an insurmountable 
> hurdle will not join - whether we support OpenID or not.
> 

You do still need to create an account, but OpenID does hopefully make that
step easier too.

For example, if you hit the edit button without having an account, you get
redirected to the login page. If you then hit e.g. the gmail button you will
automatically get to the create account page with some of the details
already pre-filled in (coming from the OpenID provider) You then only have
to confirm the account creation and the CT. Once done, you are logged in and
automatically referred back to Potlatch for editing.

If you are using an OpenID provider that returns an email address we can
trust (e.g. gmail), you also no longer need to confirm your email address.

So you should be able to start editing from not having an account within 4
or 5 clicks. (I haven't checked to verify the exact number)

Not entirely seamlessly, but hopefully easier than the current workflow of
creating an account.

Kai


--
View this message in context: 
http://gis.638310.n2.nabble.com/User-diary-enhancements-subscriptions-Facebook-Twitter-integration-tp6340003p6340438.html
Sent from the General Discussion mailing list archive at Nabble.com.

___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] User diary enhancements, subscriptions, Facebook/Twitter integration

[Frederik Ramm]

Hi,

Mike N wrote:

Facebook is imho less likely, as as far as I know, it uses a proprietary
protocol and so I would be less enthused to support that.


It depends on the type of mapper we're trying to attract.  Using the 
Facebook login will be the simplest possible way to get started for many 
people.


I agree with Kai that supporting proprietary data-gathering platforms 
like Facebook would be very low on my list, or maybe even actively 
opposed by me.


Also, don't misunderstand how the OpenID login works - you will still 
have to create an account with OSM, it's only that your everyday login 
will be simplified. So anyone for whom the signup is an insurmountable 
hurdle will not join - whether we support OpenID or not.


Bye
Frederik

--
Frederik Ramm  ##  eMail frede...@remote.org  ##  N49°00'09" E008°23'33"

___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] User diary enhancements, subscriptions, Facebook/Twitter integration

[Mike N]

On 5/7/2011 10:26 AM, Kai Krueger wrote:

Facebook is imho less likely, as as far as I know, it uses a proprietary
protocol and so I would be less enthused to support that.


It depends on the type of mapper we're trying to attract.  Using the 
Facebook login will be the simplest possible way to get started for many 
people.


___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] User diary enhancements, subscriptions, Facebook/Twitter integration

[Kai Krueger]

Frederik Ramm wrote:
> 
> Well I'd say that OpenID is enough. And there's an OpenID branch of the 
> Rails Port that already goes so some length supporting that.
> 
Yes, there is a fully functional OpenID implementation.
http://openid.dev.openstreetmap.org/

However, it currently doesn't seem to have the political support necessary
to get it merged. But perhaps if enough people express their interest this
might change.

It currently only supports OpenID, so it doesn't work with Twitter or
Facebook, as they have implemented their own login protocol, however it does
work with things like gmail and yahoo mail and any other provider supporting
OpenID, which is quite a number.

It would be possible to support login via twitter as well, should the OpenID
branch ever get deployed, as it uses an authentication based on OAuth, which
shouldn't be too difficult to implement.

Facebook is imho less likely, as as far as I know, it uses a proprietary
protocol and so I would be less enthused to support that.

Kai


--
View this message in context: 
http://gis.638310.n2.nabble.com/User-diary-enhancements-subscriptions-Facebook-Twitter-integration-tp6340003p6340182.html
Sent from the General Discussion mailing list archive at Nabble.com.

___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] User diary enhancements, subscriptions, Facebook/Twitter integration

[Martijn van Exel]

Hi,

On Sat, May 7, 2011 at 2:29 PM, Frederik Ramm  wrote:

> Hi,
>
>
> Josh Doe wrote:
>
>> That got me wondering about adding the possibility to share posts with
>> Facebook/Twitter/etc, and then even allowing login to OSM with
>> Facebook/OpenID, and who knows what else.
>>
>
> Well I'd say that OpenID is enough. And there's an OpenID branch of the
> Rails Port that already goes so some length supporting that.
>
>
>  I know we need to be careful
>> about not trying to implement a full blown blogging platform, but I
>> think it's important to have some of these features.
>>
>
> We might also go in the other direction, acknowledge that we're not a
> blogging platform, and try for better integration with sites that are... new
> users already seem to be quite confused by the multitude of options to
> express oneself in OSM.
>
>
There's already blogs.openstreetmap.org that aggregates OSM-related
blogging. I have posted only a few diary entries over the years, and to me
the diary system does not make a lot of sense unless there's tighter
integration with changesets or the map, but then again, I haven't done a
thing to improve the diary system myself, so what am I even talking about.

-- 
Martijn van Exel
http://about.me/mvexel
___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] User diary enhancements, subscriptions, Facebook/Twitter integration

[Frederik Ramm]

Hi,

Josh Doe wrote:

That got me wondering about adding the possibility to share posts with
Facebook/Twitter/etc, and then even allowing login to OSM with
Facebook/OpenID, and who knows what else.


Well I'd say that OpenID is enough. And there's an OpenID branch of the 
Rails Port that already goes so some length supporting that.



I know we need to be careful
about not trying to implement a full blown blogging platform, but I
think it's important to have some of these features.


We might also go in the other direction, acknowledge that we're not a 
blogging platform, and try for better integration with sites that are... 
new users already seem to be quite confused by the multitude of options 
to express oneself in OSM.


Bye
Frederik

--
Frederik Ramm  ##  eMail frede...@remote.org  ##  N49°00'09" E008°23'33"

___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] User diary enhancements, subscriptions, Facebook/Twitter integration

[David Earl]

On 07/05/2011 13:05, Josh Doe wrote:

That got me wondering about adding the possibility to share posts with
Facebook/Twitter/etc,


You can already get them on twitter by following @osmblogs

David




___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] User diary enhancements, subscriptions, Facebook/Twitter integration

[Serge Wroclawski]

On Sat, May 7, 2011 at 8:05 AM, Josh Doe  wrote:
> Has there been any discussion of enhancing the user diary system? I
> couldn't find any discussions on the wiki or lists, but please point
> me to them if they exist.

Yes, there has. In a number of ways, and different people have different ideas.

> My number one suggestion is that we allow users to subscribe to
> certain diary posts. I'll comment on an entry, and then someone will
> follow up, but I'll have no idea unless I remember to go back and
> check.

If you feel strongly about it, code it up, demonstrate it and submit
it as a patch.

> I don't know anything about Ruby or Rails, but maybe someday I could
> take a stab at it myself, or maybe someone here has the interest and
> skills.

The way things get done in the project is by demonstrating them.
Discussions take weeks/months/years but if you can show demonstratable
code, there's a much higher likelyhood of it being accepted into the
mainstream code base.

The rails port is in git (so it's easy to fork and get started), and
has a dev environment with sample data so you can jump right in.

- Serge

___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk

[OSM-talk] User diary enhancements, subscriptions, Facebook/Twitter integration

[Josh Doe]

Has there been any discussion of enhancing the user diary system? I
couldn't find any discussions on the wiki or lists, but please point
me to them if they exist.

My number one suggestion is that we allow users to subscribe to
certain diary posts. I'll comment on an entry, and then someone will
follow up, but I'll have no idea unless I remember to go back and
check.

That got me wondering about adding the possibility to share posts with
Facebook/Twitter/etc, and then even allowing login to OSM with
Facebook/OpenID, and who knows what else. I know we need to be careful
about not trying to implement a full blown blogging platform, but I
think it's important to have some of these features.

I don't know anything about Ruby or Rails, but maybe someday I could
take a stab at it myself, or maybe someone here has the interest and
skills.

Regards,
-Josh

___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk