OAuth 1.0a and HTTP Basic Auth shutdown

I have just confirmed that OAuth 1.0 is still enabled on the OpenStreetMap website by following the non-1.0a authorization flow. The final response did not include the verifier token (that is only present in 1.0a).

From [Announce] Removing OAuth 1.0a and HTTP Basic Auth - 1st June 2024 :

PS: OAuth 1.0 (not 1.0a) was previously erroneously enabled, but has now been disabled.

We have now started brownouts of HTTP Basic Authentication and OAuth 1.0a support. For periods of a few hours OpenStreetMap.org may not accept HTTP Basic Authentication and OAuth 1.0a and will provide an error which points at 2024 authentication update - OpenStreetMap Wiki

The brownouts are an attempt by us to flag to developers about the upcoming demise of HTTP Basic Authentication and OAuth 1.0a authentication methods.

6 Likes

How many is “few hours”, though?

I’ve got "OAuth error 401 at stage "create": Couldn't authenticate you."_ trying to edit with Level0 day and a half ago (on May 26 2024 at 22:15 CEST), and it still returns same error yesterday (at some unidentified times) and today (May 28 2024 at 14:47 CEST).

It might be that I’m just extremely unlucky and every time I try I hit the brownout period, or it could be something else (bug in reenabling?)

Any more information on the schedule when I can try to upload my pending changes lest they be lost? Can you share @Firefishy at what periods of following days before June 1st will Outh1.0a be still allowed?

2 Likes

We’ve only done one so far and that was between about 08:00 and 10:00 UTC on the 27th.

There will be another one around 1300 UTC tomorrow, and then around 1800 UTC on Friday.

2 Likes

Thanks for the information.

Since Level0 still showed problems at May 28 17:44 CEST for me, I’ve removed its Oauth1 entry in my settings, logged out and back in again, and now it works again at May 28 17:47 CEST.

(Why it didn’t auto-recover after brownout despite multiple force-refreshes, I have no idea, but maybe the procedure will help others.)

Note that @Firefishy’s post says:

PS: OAuth 1.0 (not 1.0a) was previously erroneously enabled, but has now been disabled.

That might explain why Oauth1.0 was not working at times outside of the brownout. A similar problem elsewhere is here.

Is this the right place to ask for directions if every attempt to authorise has failed (since June the 9th)?

1 Like

What are you trying to authorise, on what platform, and when did your attempt fail?

3 Likes

Sorry for the POV.

I have tried to connect to OSM with JOSM. Both the fully automatic, semi-automatic and manual method failed.

The fully automatic process tells me that it failed and that I shouild try it again or any of the other methods.

The semi-automatic process starts an external browser that tries to access the page “OpenStreetMap”. After 50 minutes I closed the browser as it was still loading.

The manual process asks me for a key and a secret code that I don’t have. I have copied the default settings but this failed.

OAuth 2 in JOSM only has Fully Automatic and Manual options. It sounds like you are using OAuth 1.0 instead of OAuth 2.0. If you do not see OAuth 2.0, then you need to update JOSM.

2 Likes

See also JOSM Authorisation at the OSM server failed. The server reported the following error: 'HTTP Basic Authentication is disabled: https://wiki.openstreetmap.org/wiki/2024_authentication_update (Code=403)' and [OAuth] aktueller Tipp für JOSM Benutzer. Note that there is button for translation below every post.

2 Likes

12 posts were split to a new topic: Issues upgrading JOSM

What is the status of deprecating HTTP basic auth? Just a few minutes ago I tested with upload.py and I was successfully able to submit the changeset to https://api.openstreetmap.org/

We have postponed the change until 1st July 2024. Basic Auth will still work unless testing during a brown-out window.

1 Like

Might be worth subscribing to wiki 2024 authentication update - OpenStreetMap Wiki to get notifications of changes as they happen. (as noted, it has been postponed to 1 July 2024.)

I’ve ported upload.py to OAuth2: GitHub - Zverik/osm-bulk-upload: Clone/improvements over Openstreetmap's https://wiki.openstreetmap.org/wiki/Upload.py

2 Likes

Hi,
since some years I use a PHP library from Ken Guest GitHub - pear/Services_Openstreetmap: Makes communicating with the Open Street Map API, and Nominatim, from PHP intuitive. to enrich OSM objects with wikidata tags. Just noticed now, that my scripts don’t work anymore. Found out, that the library still only supports basic authentication :frowning:
It seems, that Ken Guest isn’t very active in this project anymore. Maybe there is someone out there, who is able to write an OAuth2 extension for this library? Would be very helpful for me (and other users of this library).
Many thhanks in advance, Sascha

have you seen this issue there? There seems to be working Oauth2 fork. – Oauth 2.0? · Issue #229 · pear/Services_Openstreetmap · GitHub

Hi Matija,
thanks for notification! The fork is my own creation :wink:

1 Like