Re: [OSM-dev] oauth token lifetime

2019-05-02 Thread Jiri Vlasak
On Sat, Apr 27, 2019 at 02:40:13PM +0100, Tom Hughes wrote:
> On 27/04/2019 14:37, Jiri Vlasak wrote:
> > On Fri, Apr 26, 2019 at 07:28:39PM +0100, Tom Hughes wrote:
> > > On 26/04/2019 19:06, Jiri Vlasak wrote:
> > > > This approach is similar to one used by HOT Tasking Manager [1]. In my "oauth
> > > > settings" section I have many many "Tasking Manager 3 - Prod" tokens. And I
> > > > feel this approach is not right.
> > > 
> > > That's usually because the client is broken and is not storing the
> > > token but is instead requesting a new one every time you use it.
> > 
> > That's my guess too. So, I would like to write it better. My problem is that I
> > am quite confused by OAuth.
> > 
> > If I understand it correctly, OAuth is here for authorization. But, in my case
> > (and in the case of HOT Tasking Manager), the use case is authentication.
> 
> Yes it is really abuse of OAuth in general but is common.
> 
> Note that OAuth 2 (in the form of OpenID Connect) has basically
> merged the two use cases anyway.
> 
> > So maybe I should ask - is it possible to authenticate to osm.org?
> 
> Well yes, that is what OAuth does.

Of course. I am sorry, still learning the OAuth thing.

> What is happening here is using your osm.org account to
> authenticate to a third party site.

That should be my question.

> That works if the third party is prepared to accept you
> allowing it to access osm.org as valid authentication.

Anyway, I did a little bit more research into OAuth and I think that I resolved
most of the issues I needed to. Thanks, Tom, for pointing me in the right direction!

Have a nice day,
jiri

___
dev mailing list
dev@openstreetmap.org
https://lists.openstreetmap.org/listinfo/dev


Re: [OSM-dev] oauth token lifetime

2019-04-27 Thread Tom Hughes

On 27/04/2019 14:37, Jiri Vlasak wrote:
> On Fri, Apr 26, 2019 at 07:28:39PM +0100, Tom Hughes wrote:
> > On 26/04/2019 19:06, Jiri Vlasak wrote:
> > > This approach is similar to one used by HOT Tasking Manager [1]. In my "oauth
> > > settings" section I have many many "Tasking Manager 3 - Prod" tokens. And I
> > > feel this approach is not right.
> >
> > That's usually because the client is broken and is not storing the
> > token but is instead requesting a new one every time you use it.
>
> That's my guess too. So, I would like to write it better. My problem is that I
> am quite confused by OAuth.
>
> If I understand it correctly, OAuth is here for authorization. But, in my case
> (and in the case of HOT Tasking Manager), the use case is authentication.

Yes it is really abuse of OAuth in general but is common.

Note that OAuth 2 (in the form of OpenID Connect) has basically
merged the two use cases anyway.

> So maybe I should ask - is it possible to authenticate to osm.org?

Well yes, that is what OAuth does.

What is happening here is using your osm.org account to
authenticate to a third party site.

That works if the third party is prepared to accept you
allowing it to access osm.org as valid authentication.

Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/



Re: [OSM-dev] oauth token lifetime

2019-04-27 Thread Jiri Vlasak
On Fri, Apr 26, 2019 at 07:28:39PM +0100, Tom Hughes wrote:
> On 26/04/2019 19:06, Jiri Vlasak wrote:
> > This approach is similar to one used by HOT Tasking Manager [1]. In my "oauth
> > settings" section I have many many "Tasking Manager 3 - Prod" tokens. And I
> > feel this approach is not right.
> 
> That's usually because the client is broken and is not storing the
> token but is instead requesting a new one every time you use it.

That's my guess too. So, I would like to write it better. My problem is that I
am quite confused by OAuth.

If I understand it correctly, OAuth is here for authorization. But, in my case
(and in the case of HOT Tasking Manager), the use case is authentication.

So maybe I should ask - is it possible to authenticate to osm.org?

Thanks a lot,
jiri



Re: [OSM-dev] oauth token lifetime

2019-04-26 Thread Tom Hughes

On 26/04/2019 19:06, Jiri Vlasak wrote:
> I would like to ask about the lifetime of OAuth token. I use OSM OAuth to log
> into my web application. However, there is new token each time I log into the
> web page.

I don't believe there is any expiry - once you have an access token
you can use it for as long as you want.

> This approach is similar to one used by HOT Tasking Manager [1]. In my "oauth
> settings" section I have many many "Tasking Manager 3 - Prod" tokens. And I
> feel this approach is not right.

That's usually because the client is broken and is not storing the
token but is instead requesting a new one every time you use it.

Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/
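
Added example (not part of the original thread, and not any poster's code): a client that stores its access token and reuses it, asking for a new one only on first login or after the stored one has been revoked. The JSON file store, `session_id` and the `authorize`/`still_valid` callbacks are assumptions, and the provider inside `demo()` is constructed.

```python
import json
import os
import tempfile


def load_tokens(path):
    """Return the {session_id: access_token} map, empty if nothing is saved."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}


def save_tokens(path, tokens):
    """Write the map atomically; mkstemp creates the file owner-only (0600)."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(tokens, fh)
    os.replace(tmp, path)


def token_for(path, session_id, authorize, still_valid):
    """Reuse the stored token; run the authorization flow only when needed."""
    tokens = load_tokens(path)
    token = tokens.get(session_id)   # session_id: the app's own session key (assumed)
    if token is not None and still_valid(token):
        return token                 # normal case: no new token is requested
    token = authorize()              # first login, or the stored token was revoked
    tokens[session_id] = token       # overwrite, so stale tokens do not pile up
    save_tokens(path, tokens)
    return token


def demo():
    """Constructed run: three logins, one revocation; returns tokens issued."""
    active, issued = set(), []
    def authorize():                 # stands in for the full OAuth flow
        issued.append(f"constructed-token-{len(issued) + 1}")
        active.add(issued[-1])
        return issued[-1]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tokens.json")
        for _ in range(3):
            token = token_for(path, "session-a", authorize, lambda t: t in active)
        after_logins = len(issued)
        active.discard(token)        # user revokes it in their OAuth settings
        token_for(path, "session-a", authorize, lambda t: t in active)
    return after_logins, len(issued)
```

`demo()` returns `(1, 2)`: one token covers all three logins, and a second is issued only after the first is revoked.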
