
OAuthtung!

Posted by TrickyFoxy on 29 January 2024 in English.

TL;DR: I wrote a little Firefox extension that lets script developers get an OAuth token in a couple of clicks.


OSM will soon remove support for Basic Auth and OAuth 1.0.

The proposal is to use OAuth 2.0, which has a much worse UX for novice developers than Basic Auth.

To show that OAuth 2.0 can be made even more convenient than Basic Auth, I made a Firefox extension that gets an OAuth token automatically:

demo


A few technical details, and some emotion:

  • Works with any Redirect URI

  • We have confidential OAuth applications. To use one you still need a user account, i.e. such an application is useless on its own, because you can't do anything with only client_id and client_secret.

  • It follows that the client_secret parameter is useless. The extension, by the way, does not use it ¯\_(ツ)_/¯

  • Did you know that you can specify multiple Redirect URIs? Guess what delimiter to use in the input field? And then how do you do authorization?

  • Did you know about the magic urn:ietf:wg:oauth:2.0:oob?

  • And that without HTTPS you can only use 127.0.0.1?

All of this is mentioned somewhere on the wiki, at the end of the page, after the description of OAuth 1.0 and 2.0…

You couldn’t google it? You are a bad programmer! </sarcasm>
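As an added example (not the extension's code and not anything from the OSM project), here is what the token flow above looks like for a public client written as a plain script: an authorization-code request with a loopback redirect on 127.0.0.1, no client_secret, and a PKCE verifier in its place, which the post does not mention but which is the standard way to drop the secret safely. Assumptions are labelled in the code: the endpoint URLs are Doorkeeper's default routes under /oauth2 (the page links the Doorkeeper-based server but never states these paths), read_prefs is assumed to be a valid scope name, the client_id is a placeholder, and the revocation endpoint is assumed to follow RFC 7009.

```python
"""OAuth 2.0 authorization-code flow for a public client (no client_secret),
using PKCE (RFC 7636) and a loopback redirect on 127.0.0.1 (RFC 8252)."""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed: Doorkeeper's default routes mounted under /oauth2 on osm.org.
AUTHORIZE_URL = "https://www.openstreetmap.org/oauth2/authorize"
TOKEN_URL = "https://www.openstreetmap.org/oauth2/token"
REVOKE_URL = "https://www.openstreetmap.org/oauth2/revoke"
OOB_URI = "urn:ietf:wg:oauth:2.0:oob"


def make_pkce_pair(verifier=None):
    """(code_verifier, code_challenge) for the S256 method. Only the party
    that holds the verifier can redeem the code, so no client_secret is needed."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def redirect_uri_allowed(uri):
    """Plain http only on the loopback address 127.0.0.1 (the rule the post
    mentions); anything else must be https or the out-of-band urn."""
    if uri == OOB_URI:
        return True
    parts = urllib.parse.urlsplit(uri)
    return parts.scheme == "https" or (parts.scheme == "http" and parts.hostname == "127.0.0.1")


def build_authorize_url(client_id, redirect_uri, scopes, state, challenge):
    """Authorization request. `state` is a nonce the callback must echo back,
    which stops a code being injected into our session by a third party."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri not allowed: " + redirect_uri)
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": " ".join(scopes), "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(path, expected_state):
    """Extract the authorization code from the redirect; reject a state
    mismatch or an error response before trusting anything in the query."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if "code" not in query:
        raise ValueError("no code in callback")
    return query["code"][0]


def wait_for_code(expected_state, port):
    """One-shot HTTP server on 127.0.0.1 that catches the redirect."""
    result = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = parse_callback(self.path, expected_state)
                body = b"Authorized; you can close this tab."
            except ValueError as exc:
                result["error"] = str(exc)
                body = b"Authorization failed."
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *_):  # keep the code out of the terminal/screenshots
            pass

    with HTTPServer(("127.0.0.1", port), Handler) as server:
        server.handle_request()
    if "error" in result:
        raise RuntimeError(result["error"])
    return result["code"]


def _post_form(url, fields):
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def exchange_code(client_id, code, redirect_uri, verifier):
    """Redeem the code for a bearer token; code_verifier stands in for client_secret."""
    body = _post_form(TOKEN_URL, {"grant_type": "authorization_code", "client_id": client_id,
                                  "code": code, "redirect_uri": redirect_uri,
                                  "code_verifier": verifier})
    return json.loads(body)["access_token"]


def revoke_token(client_id, token):
    """Assumed RFC 7009 revocation: what to call when a token ends up in a screenshot."""
    _post_form(REVOKE_URL, {"client_id": client_id, "token": token})


if __name__ == "__main__":
    client_id = "YOUR_CLIENT_ID"  # placeholder for the registered public app's client_id
    redirect_uri = "http://127.0.0.1:8080/callback"
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    webbrowser.open(build_authorize_url(client_id, redirect_uri, ["read_prefs"], state, challenge))
    token = exchange_code(client_id, wait_for_code(state, 8080), redirect_uri, verifier)
    print("token obtained (%d chars), not printing it" % len(token))
```

The redirect URI registered for the application must match the loopback URI the script listens on exactly (scheme, host, port and path), and the `state` check in `parse_callback` is what makes it safe to accept a code from whatever request first hits the local port.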

Discussion

Comment from mmd on 30 January 2024 at 11:46

It’s kind of funny that you’ve gone the extra mile and blurred the OAuth token on the webpage, then pasted it in plain text, clearly visible in your terminal window. I hope you’ve revoked that token in the meantime ;)

Comment from TrickyFoxy on 30 January 2024 at 13:16

Blurring is a few lines of css, so it was easy :)

Comment from gileri on 30 January 2024 at 20:06

Nice work and writeup, thank you !

Comment from TrickyFoxy on 30 January 2024 at 20:11

Things get a lot more interesting. If you open the browser console on osm.org (it is important that the map is visible), you will see an OAuth token in the ‘head’ tag with access to edit the map and notes. You don’t even need an extension ¯\_(ツ)_/¯

Comment from mmd on 30 January 2024 at 20:49

FWIW: The “OpenStreetMap Web Site” OAuth2 application is also officially documented here: https://github.com/openstreetmap/openstreetmap-website/blob/master/CONFIGURE.md#oauth-consumer-keys -> To allow Notes and changeset discussions to work, follow a similar process, this time registering an OAuth 2 application for the web site […] Check boxes for the following Permissions ‘Modify the map’ and ‘Modify notes’.

Comment from TrickyFoxy on 30 January 2024 at 21:07

A rather non-trivial arrangement of documentation about this :)

But even more interesting is that this token is the same in all your sessions. As if there is no problem in this, but the solution is suspicious.

Comment from mmd on 31 January 2024 at 18:49

Yes, that’s just a normal OAuth2 Bearer Token, which doesn’t expire, like all other OAuth 2 tokens at the moment. The actual generation happens here: https://github.com/openstreetmap/openstreetmap-website/blob/master/app/models/user.rb#L379-L387

Doorkeeper…find_or_create_for is the relevant bit here to trigger the generation on the backend for a given application/user/list of scopes (assuming the token hasn’t been created yet, otherwise the existing token is retrieved).
