On 2/4/2016 1:47 PM, markus schnalke wrote:
> Instead of transmitting the username and password, the oauth token
> and secret are transmitted. How is that different, besides the
> ability of restricting the permitted actions?

No, the token and secret are used to sign the request. Someone who MITMs your connection can read the traffic, drop it, but not pretend to be you to the API server or modify it. I've done this in testing of a local API proxy. There are some attack vectors with oauth + HTTP that remain open, but not ones which involve pretending to be the user or stealing credentials.

> (And shouldn't that oauth secret be transmitted via httpS as well,
> because it's a secret? Hence coming back to my original remark.)

The redaction bot was written before HTTPS was fully available, and I believe it also talked over a local network connection to the API server. I should change it to HTTPS at some point.

> If you'd take the time, I'd be glad to learn the advantages of
> oauth over http basic auth, especially because for a command line
> application it appears to be mainly inconvenient (needs a web
> browser to be available (which actually is an issue for me), plus
> switching to it and back) and only better by the ability to limit
> the permitted actions.

The advantage is that it avoids the editor knowing the user's password, or storing the password.

Personally, I'd like to see HTTP basic auth removed as an authentication option in the future. All apps *should* be using OAuth.
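As an added example, not part of this thread or of any OSM tool: the signing the reply describes is OAuth 1.0a's HMAC-SHA1 scheme (RFC 5849). The snippet below computes and verifies such a signature to show that a passive observer of plain HTTP sees the token and the signature but not the secrets, and that a modified request no longer verifies. All keys, secrets, URLs and parameter values are constructed placeholders.

```python
# Added example (not from the mailing-list thread): OAuth 1.0a request signing
# per RFC 5849. Keys, secrets and URL below are constructed placeholders.
import base64
import hashlib
import hmac
from urllib.parse import quote

def _pct(s: str) -> str:
    # RFC 3986 percent-encoding as OAuth 1.0a requires (only -._~ left unencoded)
    return quote(s, safe="-._~")

def signature_base_string(method: str, url: str, params: dict) -> str:
    # Query, form-body and oauth_* parameters are encoded, sorted and joined,
    # then prefixed with the HTTP method and the base URL.
    encoded = sorted((_pct(k), _pct(v)) for k, v in params.items())
    param_str = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _pct(url), _pct(param_str)])

def sign(method, url, params, consumer_secret, token_secret):
    # The signing key joins both secrets; neither secret is ever put on the wire.
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def verify(method, url, params, signature, consumer_secret, token_secret):
    # Server side: recompute from what was received and compare in constant time.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed demo values (what a client would send over plain HTTP)
CONSUMER_SECRET = "example-consumer-secret"
TOKEN_SECRET = "example-token-secret"
URL = "http://api.example.invalid/api/0.6/changeset/create"
PARAMS = {
    "oauth_consumer_key": "example-consumer-key",
    "oauth_token": "example-access-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1454600000",
    "oauth_nonce": "constructed-nonce-1",
    "comment": "fix street name",
}

def demo():
    sig = sign("PUT", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    # An on-path observer sees oauth_token and sig, but cannot derive the secrets.
    ok = verify("PUT", URL, PARAMS, sig, CONSUMER_SECRET, TOKEN_SECRET)
    tampered = dict(PARAMS, comment="altered in transit")
    forged = verify("PUT", URL, tampered, sig, CONSUMER_SECRET, TOKEN_SECRET)
    return ok, forged  # (True, False)
```

Note that the signature covers the method, URL and parameters only, which is why the reply says an observer can still read and drop traffic; confidentiality is what HTTPS adds.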

_______________________________________________
dev mailing list
[email protected]
https://lists.openstreetmap.org/listinfo/dev