JOSM Authorisation at the OSM server failed. The server reported the following error: 'HTTP Basic Authentication is disabled: https://wiki.openstreetmap.org/wiki/2024_authentication_update (Code=403)'

I’m trying to upload edits to OSM via JOSM. This used to work fine, but now I get an error:

Authorisation at the OSM server failed.
The server reported the following error:
'HTTP Basic Authentication is disabled: https://wiki.openstreetmap.org/wiki/2024_authentication_update (Code=403)'

I’ve spent hours trying to get OAuth to work in the past, to no avail. Eventually I was ecstatic to discover that ‘HTTP Basic Auth’ was still supported, and it’s worked great for me (I use QubesOS and JOSM is installed in an ephemeral DispVM, so storing the password being stored in plaintext is not an issue at all). But now I can’t upload anything to OSM.

The link provided has no info on how to get it working.

In the past I found this guide OAuth authorisation failed - OSM Help, which says:

don’t worry, JOSM will guide you where you need to copy/paste what).

…but it never does.

How the heck do we use OAuth in JOSM? Is there a guide anywhere for this?

Before we debug this further, have you tried running JOSM outside of an
“ephemerel DispVM” just to make sure that this isn’t the reason why you
don’t get OAuth to work?

It sounds like you may need to update, if you only have Use Basic Auth and Use OAuth. There should be a button that says Use OAuth 2.0.

OAuth 2 support was added in r18650 in 2023-02-08. Please use our debian repo (see Download – JOSM for instructions) or the josm-installer package.

I was able to upload my change set by installing JOSM from the official debian backports repo.

I tried to use the JOSM version from the backports repo, as described here:

sudo echo "deb http://deb.debian.org/debian bookworm-backports main" > /etc/apt/sources.list.d/backports.list
sudo apt-get update
apt-get install -t bookworm-backports josm

After executing the above commands, I now had JOSM installed = Version 19067.

I opened Edit → Preferences → OSM Server

This time the Radio Option said Use OAuth 2.0 (instead of just Use OAuth). I clicked Authorize Now (Fully automatic), and it opened a Chromium Web Browser window that prompted me for my OSM username and password. I typed my account creds and clicked Authorize.

The Browser window returned a simple OK message, and the JOSM window populated with Access Token keys.

I pressed the (now visible) Test Access Token button, and got a popup message

Successfully used the Access Token '[REDACTED]' to access the OSM server at 'https://api.openstreetmap.org/api'. You are accessing the OSM server as user '[REDACTED]' with id '[REDACTED]'.

I was then able to upload my changeset. Thank you :slight_smile:

Yup, was switched off, in fact if looking in JOSM preferences OSM server the OAuth radio box has now been greyed out (mentioned on the 19096 change log too, Changelog – JOSM ), short for get on board with OAuth2.

image

To help others find this thread, the relevant section is under Edit → Preferences → OSM Server.

Choose the Use OAuth radio button, and press the Authorize now (Fully automatic) button.

In the pop-up window, type your username and password, then press the Authorize now button. You’ll get the following error message

The automatic process for retrieving an OAuth Access Token from the OSM server failed.

Please try again or choose another kind of authorization process, i.e. semi-automatic or manual authorization

Again, the relevant section is under Edit → Preferences → OSM Server.

Choose the Use OAuth radio button, and if you instead press the Authorize now (Semi-automatic) button.

In the pop-up window, press the Retrieve Request Token button. You’ll get the following error message:

Retrieving an OAuth Request Token from 'https://www.openstreetmap.org/oauth/request_token' failed.

To be sure, first I noticed before upgrading to 19096 with the OAuth option greyed out was in 19067 when switching from OAuth2 and trying to upload and the server response was that OAuth had been switched off.

I’m running the latest version that’s available in Debian 12 = Version 18646

Does the josm-installer in the official repos verify the authenticity of everything that it downloads cryptographically?

Edit: this looks like a horribly insecure option. Ironic that the result of deprecating old auth methods “for security” is forcing people to download potentially-malicious software updates josm-installer.py · master · Debian GIS Project / josm-installer · GitLab

@vorpalblade-kaart I filed a feature request with the Debian package extrepo to include the JOSM repo:

If/When this is complete, the JOSM repo URL and signing keys will be added to the main debian repo. This will make it much easier (and more secure) for JOSM users to install JOSM from JOSM’s external repository in Debian.