Hello everyone,

It appears that the default method of JOSM to authenticate to the OSM API is still "Basic Auth". Although JOSM does allow for OAuth, the way the authentication dialog in the settings is structured, I would imagine from a usability perspective that a good many users of JOSM will still be using basic auth. Furthermore, the dialog that pops up if you try and upload without having entered any authentication beforehand only provides basic auth and no option for OAuth. Together presumably a good portion of (particularly novice) JOSM users will still be using Basic Auth. (Does anyone have numbers for how many JOSM users use OAuth and how many use Basic Auth?)

As the OSM API currently doesn't support https, this means that likely for many (if not the majority) of JOSM users, the OSM password is still transmitted in clear over the wire on every use of JOSM.
This is far from ideal behaviour and a significant downside compared to iD or Potlatch that both use OAuth for authentication. Is it possible to change the default of JOSM to use OAuth and hide the option of using Basic Auth behind e.g. an "expert" mode?

Furthermore, given that there are a number of people who sign up to OSM via OpenID and therefore might not even have an OSM password, it would be good if the "semi-automatic" OAuth procedure would be the default. The semi-automatic form uses the website to login and thus allows you to use "login with OpenID" as well as a password. At the moment the semi-automatic OAuth procedure isn't particularly user friendly, as it contains far too much technical detail and too many steps. However, I don't see a reason why this couldn't be simplified down by default to a single "Log-in" button that then automatically redirects to the OSM log-in page and handles all the rest of the OAuth process in the background without having to bother the user with any detail that they are using OAuth or anything else.

Kai
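Added example (not part of the message above and not JOSM or OSM code): a Python sketch of the contrast the message draws, assuming OAuth 1.0a with HMAC-SHA1 signing. All credentials and the URL are constructed; it shows that a Basic Auth header decodes straight back to the password, while the OAuth header carries only a signature computed from secrets that are never sent.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def basic_auth_header(user, password):
    """Authorization header as sent with every Basic Auth request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def recover_basic_credentials(header):
    """What anyone who can read a plain-HTTP request learns from the header."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def _enc(value):
    # Percent-encoding with only unreserved characters left as-is (OAuth 1.0a rule).
    return quote(str(value), safe="-._~")

def oauth1_header(method, url, consumer_key, consumer_secret,
                  token, token_secret, nonce, timestamp):
    """Authorization header for an OAuth 1.0a HMAC-SHA1 signed request."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    normalized = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    base_string = "&".join([method.upper(), _enc(url), _enc(normalized)])
    # The two secrets form the HMAC key; they are used locally and never transmitted.
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    params["oauth_signature"] = base64.b64encode(digest).decode()
    return "OAuth " + ", ".join(f'{_enc(k)}="{_enc(v)}"' for k, v in sorted(params.items()))

if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    basic = basic_auth_header("mapper", "constructed-password")
    print(basic, "->", recover_basic_credentials(basic))
    print(oauth1_header("PUT", "http://api.example.invalid/upload",
                        "constructed-consumer-key", "constructed-consumer-secret",
                        "constructed-token", "constructed-token-secret",
                        "nonce-1", 1400000000))
```

Without https the OAuth-signed request body is still readable in transit; what changes is that the account password no longer travels with each request.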

