[2016-02-04 14:19] Paul Norman <[email protected]>

> On 2/4/2016 1:47 PM, markus schnalke wrote:
> > Instead of transmitting the username and password, the oauth token
> > and secret are transmitted. How is that different, besides the
> > ability of restricting the permitted actions?
>
> No, the token and secret are used to sign the request. Someone who MITMs
> your connection can read the traffic, drop it, but not pretend to be you
> to the API server or modify it. I've done this in testing of a local API
> proxy. There are some attack vectors with oauth + HTTP that remain open,
> but not ones which involve pretending to be the user or stealing
> credentials.

Thanks for the explanation.

> > If you'd take the time, I'd be glad to learn the advantages of
> > oauth over http basic auth, especially because for a command line
> > application it appears to be mainly inconvenient (needs a web
> > browser to be available (which actually is an issue for me), plus
> > switching to it and back) and only better by the ability to limit
> > the permitted actions.
>
> The advantage is that it avoids the editor knowing the user's password,
> or storing the password.

Well, this is a big thing for web apps, because you have to trust them
blindly, whereas local code, which is Free Software, can be examined.
With a program consisting of 1500 lines in a scripting language, this is
even practically possible (and non-programmers would not want to use that
editor I'm working on, anyway). But I don't want to be nitpicky with
this ...

What convinces me more is that OAuth is a permission delegation that can
be revoked.

Zverik's OAuth proxy at http://auth.osmz.ru/ seems to provide some useful
information for my understanding:

    OpenStreetMap Authentication Proxy

    You are Meillo (log out) and you have never used a token.

    With this service you will be able to identify yourself in
    OpenStreetMap-related software that is not able to use OAuth. All
    you have to do is pass a token to an application, and it would know
    your login name and OSM identifier.

    There are two types of tokens. A master token can be used
    repeatedly. For example, a JOSM plugin can store it in preferences
    to identify itself to an external service every time you restart
    the editor.
    [...]

Am I getting this right: I could ask the user to generate one such master
token and pass it to the editor program, just as if he stored his
password there? The only inconvenience would then be to generate one such
master token. That appears to be acceptable.

Okay, but what's the motivation for Zverik's proxy? Isn't the OSM website
able to generate such tokens itself?

Or let me ask differently: How do I generate a master token for
allow_write_api (without having a callback possibility)? I had a look at
that page:

    https://www.openstreetmap.org/user/username/oauth_clients/new

What would I enter there for a command line program?

Further help is appreciated. (I already have HTTP Basic Auth working, but
I would switch to OAuth if I can use that in a way that does not clash
with the command line world. The delegation concept is definitely
appealing.)


meillo

_______________________________________________
dev mailing list
[email protected]
https://lists.openstreetmap.org/listinfo/dev
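Editor's added example (not code from the thread's authors, from the OSM
project or from its API): the request signing Paul Norman describes
above, as OAuth 1.0a (RFC 5849) specifies it with HMAC-SHA1. The client
signs the method, the normalised URL, every query and form parameter and
the oauth_* parameters with a key made from the consumer secret and the
token secret; the server recomputes the signature from its own copy of
the secrets. The secrets are never sent, so someone reading plain HTTP
sees only the signature and cannot alter a covered parameter. The
key/token values, nonce, timestamp and URL are the placeholder values of
RFC 5849 section 3.4.1.1 (example.com, not an OSM endpoint), and the
nonce cache in the server function is the replay check RFC 5849 section
3.3 asks servers to do; both are assumptions of this example, not
statements about how the OSM API is implemented.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 request signing and server-side verification.

Added example for this thread; not code from the OSM project, its API or the
people quoted above.  Consumer key/secret, token/secret, nonce, timestamp and
URL are the placeholder values from RFC 5849 section 3.4.1.1 (constructed).
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(s):
    """RFC 5849 section 3.6 percent-encoding: only A-Za-z0-9 - . _ ~ stay bare."""
    return quote(str(s), safe="-._~")


def base_string(method, url, body_params, oauth_params):
    """Signature base string (section 3.4.1): method, normalised URL and every
    query, form-body and oauth_* parameter except the signature itself."""
    parts = urlsplit(url)
    scheme, netloc = parts.scheme.lower(), parts.netloc.lower()
    host, _, port = netloc.rpartition(":")
    if (scheme, port) in (("http", "80"), ("https", "443")):
        netloc = host  # default ports are dropped from the normalised URL
    params = parse_qsl(parts.query, keep_blank_values=True) + list(body_params)
    params += [(k, v) for k, v in oauth_params.items()
               if k not in ("realm", "oauth_signature")]
    # encode first, then sort by key and value, then join with '&'
    norm = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(f"{scheme}://{netloc}{parts.path}"), pct(norm)])


def sign(method, url, body_params, oauth_params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both secrets (section 3.4.2)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = base_string(method, url, body_params, oauth_params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def authorization_header(oauth_params):
    """Serialise oauth_* params as an 'OAuth ...' Authorization header (section 3.5.1)."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in oauth_params.items())


def parse_authorization_header(value):
    """Inverse of authorization_header(); values are pct-encoded so ',' is safe to split on."""
    if not value.startswith("OAuth "):
        raise ValueError("not an OAuth Authorization header")
    out = {}
    for item in value[len("OAuth "):].split(","):
        k, _, v = item.strip().partition("=")
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def client_sign_request(method, url, body_params, consumer_key, consumer_secret,
                        token, token_secret, nonce, timestamp):
    """Client side: build the oauth_* parameters and attach the signature."""
    oauth = {"oauth_consumer_key": consumer_key, "oauth_token": token,
             "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(timestamp), "oauth_nonce": nonce}
    oauth["oauth_signature"] = sign(method, url, body_params, oauth,
                                    consumer_secret, token_secret)
    return authorization_header(oauth)


def server_verify(method, url, body_params, auth_header, secrets_for, seen=None):
    """Server side: look up the secrets for the presented key/token, recompute the
    signature and compare in constant time.  `seen` (optional, assumed replay
    cache) holds already-used (key, token, timestamp, nonce) tuples."""
    oauth = parse_authorization_header(auth_header)
    try:
        consumer_secret, token_secret = secrets_for(oauth["oauth_consumer_key"],
                                                    oauth["oauth_token"])
    except KeyError:
        return False
    if oauth.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    expected = sign(method, url, body_params, oauth, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, oauth.get("oauth_signature", "")):
        return False
    if seen is not None:
        replay_key = (oauth["oauth_consumer_key"], oauth["oauth_token"],
                      oauth.get("oauth_timestamp"), oauth.get("oauth_nonce"))
        if replay_key in seen:
            return False
        seen.add(replay_key)
    return True


# Constructed placeholder values from RFC 5849 section 3.4.1.1, not real credentials.
CONSUMER_KEY, CONSUMER_SECRET = "9djdj82h48djs9d2", "j49sk3j29djd"
TOKEN, TOKEN_SECRET = "kkk9d7dh3k39sjv7", "dh893hdasih9"
URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
BODY = parse_qsl("c2&a3=2+q", keep_blank_values=True)   # form body "c2&a3=2+q"
NONCE, TIMESTAMP = "7d8f3e4a", 137131201
SERVER_DB = {(CONSUMER_KEY, TOKEN): (CONSUMER_SECRET, TOKEN_SECRET)}


def lookup(consumer_key, token):
    return SERVER_DB[(consumer_key, token)]   # KeyError for unknown key/token


def demo():
    """Returns (genuine accepted, replay accepted, tampered accepted)."""
    seen = set()
    header = client_sign_request("POST", URL, BODY, CONSUMER_KEY, CONSUMER_SECRET,
                                 TOKEN, TOKEN_SECRET, NONCE, TIMESTAMP)
    genuine = server_verify("POST", URL, BODY, header, lookup, seen)
    replayed = server_verify("POST", URL, BODY, header, lookup, seen)      # nonce reuse
    tampered = server_verify("POST", URL, BODY + [("comment", "x")], header, lookup)
    return genuine, replayed, tampered


if __name__ == "__main__":
    print(demo())
```

The tampered request fails because the added parameter changes the base
string, and an observer who only captured the header does not hold the
secrets needed to re-sign it; the replayed request fails only because of
the nonce cache, which is why "read the traffic" stays possible on plain
HTTP while "pretend to be you" does not.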

