Using JOSM with Tor, OAuth is returning 403.
INFO: GET https://api.openstreetmap.org/.well-known/oauth-authorization-server → HTTP/1.1 403 (1.2 s)
I can see a that there is a CloudFlare challenge being thrown up:
INFO: GET https://api.openstreetmap.org/api/capabilities → HTTP/1.1 403 (2.0 s)
INFO: Forbidden
SEVERE: Error body: Just a moment…
(html stripped)
…
Visiting these URLs with my browser (GET requests and Tor) results in the expected JSON being returned. I imagine Tor was not meant to be blocked (given that these endpoints seem to work on my browser) but is nevertheless given higher scrutiny, thus a combination of TLS fingerprint, User Agent and other headers are compared to confirm only “real” combinations are used… on an endpoint that only ever sees automated traffic. I love the internet.