On replacing Basic Auth with OAuth 2.0

Of course. I thought that huge “:wink:” was a clear sign I was on the same team and just friendly-teasing @02JanDal . See my other post for a more detailed technical essay on the pros and cons of OAuth2. To be clear: I don’t have a problem with OAuth2, nor with removing OAuth1. It is just that removing user/password auth without first implementing a simple replacement like PAT (as suggested by @NorthCrab) does not sound like an ideal course to me.

True. Assuming that one is safe (for whatever reason) is never very wise (nobody is, ever).

Exactly that. And as far as I can tell, all that is being asked in this whole thread is to expose such a token generator (as you’ve written as a cmdline script) as a simple web form on the standard OSM web interface, e.g. under https://www.openstreetmap.org/account/generate_token (or whatever). It can/should use OAuth2 under it if that is preferable, sure.

So one would click on a few checkboxes for the permissions they wanted to grant, add a description to it, click a generate token button, and there it is for their use (and later deletion if needed). IIUC, it should not be “rocket science” to implement that (for someone versed in RubyOnRails (or Python3 for the OSM-NG case)), right?

P.S. It would be great if that list of tokens had a timestamp when it was created, as well as a timestamp when it was last used. So should current OAuth2 authorizations; I find it a huge step backwards that the OAuth2 authorization table does not have at least an “Issued At” column (as the OAuth1 table two tabs to the left does! That was as valuable to me as the name of the app in the past!)

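As an added illustration, not code from OSM or from anyone in this thread, here is the server-side model behind the token page the post describes: scoped personal access tokens with a description, an issued-at and a last-used timestamp, and deletion. Written in Python rather than Rails; the scope names are hypothetical and only a hash of each token secret is kept, so a leaked table does not leak usable tokens.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical permission names; the real OSM scope names may differ.
KNOWN_SCOPES = {"read_prefs", "write_api", "write_notes", "write_gpx"}


@dataclass
class TokenRecord:
    description: str
    scopes: frozenset
    token_hash: str            # only a hash is stored; the secret is shown once
    created_at: datetime       # the "Issued At" column the post asks for
    last_used_at: datetime = None


class PersonalAccessTokens:
    """Token store for one user: issue, check, revoke."""

    def __init__(self):
        self._tokens = {}      # token_id -> TokenRecord

    @staticmethod
    def _hash(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, description, scopes, now=None):
        """Create a token; returns (token_id, full token string shown once)."""
        unknown = set(scopes) - KNOWN_SCOPES
        if unknown:
            raise ValueError("unknown scopes: %s" % sorted(unknown))
        token_id, secret = secrets.token_hex(4), secrets.token_urlsafe(32)
        self._tokens[token_id] = TokenRecord(
            description, frozenset(scopes), self._hash(secret),
            now or datetime.now(timezone.utc))
        return token_id, token_id + "." + secret

    def check(self, presented, required_scope, now=None):
        """Verify a presented token for one scope and update last_used_at."""
        token_id, _, secret = presented.partition(".")
        rec = self._tokens.get(token_id)
        if rec is None or not hmac.compare_digest(rec.token_hash, self._hash(secret)):
            return False
        if required_scope not in rec.scopes:
            return False       # valid token, but this permission was not granted
        rec.last_used_at = now or datetime.now(timezone.utc)
        return True

    def revoke(self, token_id):
        return self._tokens.pop(token_id, None) is not None
```

The account page would list `description`, `scopes`, `created_at` and `last_used_at` per token and offer a delete button backed by `revoke`.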