On Mon, May 9, 2011 at 11:56 AM, Kai Krueger <kakrue...@gmail.com> wrote:
>
> Serge Wroclawski-2 wrote:
>>
>> The first solution, using OAuth against what was a RESTful API, is bad.
>>
>
> Whether OAuth fits the ideology of a RESTful API or not, it is already
> heavily used in OpenStreetMap.

One of the strengths of OSM is its clear, simple API. It's actually
one of the best APIs I've seen in the wild. You're proposing to break the
API and the design methodology that the API is built on.

> OAuth is the preferred method of authenticating JOSM against the API, it is
> the only(?) way that Potlatch 2 can authenticate, various other editors and
> POI collectors currently use OAuth and it is the recommended way to talk to
> the API. If I remember correctly at some point even the idea of disabling
> password based authentication was briefly maintained to prevent the password
> being sent in cleartext all the time.

Let's not forget that we're discussing OpenID, not OAuth, but
secondly, everything related to authentication has security
implications. The one you mentioned is easily fixed with SSL.

OpenID itself had an issue a few days ago:
http://openid.net/2011/05/05/attribute-exchange-security-alert

> So given that OAuth is already heavily used, I don't see an issue with
> relying on it for the purpose of OpenID.

I don't have a problem with, and even like, OAuth, except when it comes
to the API. I don't like the idea of OAuth being required for a
RESTful API.

- Serge

_______________________________________________
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk