On replacing Basic Auth with OAuth 2.0

But

  1. you do not need one to create an OSM account, you can register with just an email

  2. we are not requiring 2FA or otherwise stronger accounts, it is not so hard to have piles of Wikipedia/Github/Facebook/etc accounts

Currently, but if I'm not mistaken, this was the initial scope of this thread, switching over to OAuth2 completely, which means no user/password (Correct me if I'm wrong).
Regarding the 2nd paragraph, well, you could, but it will require some further tinkering, which user/pass eliminated, for that matter.

Awesome! Let me know when you have a PR against openstreetmap-website up, and I'll help out with a review. (though I think it's likely that you'll be requested to add it as a separate tab, but under the hood it can still use OAuth so no logic should have to change)

If you don't want to go through the PR process it would likely still be valuable to many people here if you'd put that extension in the Chrome Web Store, you could also add a link to it from the relevant wiki pages.

No, the discussion is about authentication against the OSM API only allowing using OAuth against OSM as an OAuth provider.

(it's understandable that it's confusing, as OSM is using OAuth both for authenticating the user and for authenticating against the API, so if you login using one of the third-party OAuth providers there'll actually be two OAuth flows going on, though transparently for the API client)

1 Like

You are wrong.

It applies only to people using the API (if you do not know what it means then you are not affected, though you will need to log in again into some programs such as JOSM/StreetComplete that switched to OAuth 2.0).

OSM password/logins are NOT being replaced by third-party identity providers.

2 Likes

Why not GNAP in XML?

Perhaps you'd like to explain (possibly in a different thread to this one) why that'd be a good idea, what the acceptance is like (what other services support it), what libraries are available for people who want to use those services, and who's offering to create the code for OSM and support it. Otherwise we're all a bit like the customer who just wants to buy a gramophone…

2 Likes

GNAP is a replacement for OAuth: GNAP - Grant Negotiation and Authorization Protocol
We'd implement it in XML instead of JSON, to fit it in with the rest of the ecosystem.
OpenStreetMap was an early adopter of REST, before the term even existed. It should adopt GNAP similarly.

Well, for one thing I don't think doing it in XML is a good idea at all (unless the specification ends up using that), for many reasons (first and foremost because then we couldn't use any third-party libraries).

Secondly, security is not something one wants to be an early adopter of, we want something that's battle-tested. REST actually pre-dates OSM (2000 vs. 2004), though the term wasn't popularized until later.

It might very well be that OSM adopts GNAP in the future, even replacing OAuth, but that will be at least some time after the full GNAP-specification has been published. If you want to speed this up you could publish a PoC of the server components and at least one editor with GNAP support.

But this discussion is completely irrelevant to this thread, so as SomeoneElse proposed you should start a new thread if this is something you care about.

2 Likes

And OSM didn't use REST at first, it used SOAP.

2 Likes