Use OAuth 2.0 #33
Comments
|
I found this issue while doing a bit of research for openstreetmap/operations#867 As you've probably seen in the OWG announcement a while ago, OAuth 1.0a will be deprecated in the near future. This will likely happen some time early 2024... |
|
The library uses A PR is of course always welcome. |
|
@tsmock has done all OAuth 2.0 related developments for JOSM earlier this year. Maybe he could help out with a few pointers to the current implementation. From https://josm.openstreetmap.de/browser/josm/trunk/src/org/openstreetmap/josm/data/oauth it seems to me that he's using a custom implementation, but I haven't looked much into details yet. |
|
Yes, we (JOSM) are using a custom implementation (the spec isn't that hard -- a good chunk of the code is for parts of the spec that aren't used by OSM yet). I am willing to split it out like JMapViewer so that other people can reuse it. I didn't write it specifically with reuse in mind, but I don't think it would be too difficult to split out. |
|
Note, |
|
Realistically the RFC 8414 compliant endpoints should be used. Those would be https://www.openstreetmap.org/.well-known/oauth-authorization-server and https://api.openstreetmap.org/.well-known/oauth-authorization-server (which redirects to www). The JOSM code does look for that on non-OSM endpoints, but that will probably change so that we don't have URL endpoints hardcoded into the application. |
|
@tsmock : ah good to know, this was giving me a hard time when trying to figure out how to use the dev instance in JOSM. https://master.apis.dev.openstreetmap.org/.well-known/oauth-authorization-server doesn't seem to be working there. In a similar way, it also doesn't work with a local Rails instance: http://localhost:3000/.well-known/oauth-authorization-server doesn't exist either. |
|
You can poke me on IRC ( With all that said, I would not have hardcoded the OSM server URL if the OSM server had supported RFC 8414 when I was doing the implementation. |
|
(By the way, the amount of doc comments in the JOSM code is awesome.) I might be looking into this ticket next week |
|
@tsmock How did you test it? https://master.apis.dev.openstreetmap.org/.well-known/oauth-authorization-server does not exist, https://master.apis.dev.openstreetmap.org/oauth2/authorize does exist, but https://master.apis.dev.openstreetmap.org/oauth2/token doesn't. |
|
FWIW there's still some pending issue with the dev instance: openstreetmap/operations#1002 I'm not entirely clear if the openid scope issue also impacts other oidc functionality, since this is all handled by the Doorkeeper gem. I think you need a POST request for this one, it will not work with GET. |
|
@westnordost : Since it was not a write action I was testing, I used the main OSM api once I saw that the dev api had issues. Either auth would work, or it would fail; it had no relation to the actual data being sent. I also wrote some tests in JOSM core using wiremock; not perfect, but once I had "known-good" sample responses, I could test each part semi-independently. EDIT: JOSM tests: https://github.com/JOSM/josm/blob/master/test/unit/org/openstreetmap/josm/data/oauth/OAuth20AuthorizationTest.java |
|
By the way, the dev instance should be working now: https://master.apis.dev.openstreetmap.org/.well-known/oauth-authorization-server |
OpenStreetMap suppors OAuth 2.0 now. The OAuth 1.0a implementation should be switched out.
The text was updated successfully, but these errors were encountered: