
OAuthtung!

Posted by TrickyFoxy in English on 29 January 2024.

TL;DR I wrote a little Firefox extension for script developers to get an OAuth token in a couple of clicks


OSM will soon remove support for Basic Auth and OAuth 1.0.

The proposal is to use OAuth 2.0, which has a much worse UX for novice developers than Basic Auth.

To show that OAuth 2.0 can be made more convenient even than Basic Auth I made a Firefox extension to automatically get an OAuth token:

demo


A bit of technical details and emotion:

  • Works with any Redirect URI

  • We have confidential OAuth applications. To use one, you still need a user account, i.e. such applications are useless on their own because you can’t do anything with only a client_id and client_secret.

  • It follows that the client_secret parameter is useless. The extension, by the way, does not use it ¯\_(ツ)_/¯

  • Did you know that you can specify multiple Redirect URIs? Guess what delimiter to use in the input field? And then how do you do authorization?

  • Did you know about the magic urn:ietf:wg:oauth:2.0:oob?

  • And about the fact that without HTTPS you can only use 127.0.0.1?

This is mentioned somewhere on the wiki, at the end of the page, after the description of OAuth 1.0 and 2.0…

You couldn’t google it? You are a bad programmer! </sarcasm>
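As an added illustration of the flow the extension automates, here is a small Authorization Code client for a public application (no client_secret) that receives the redirect on a loopback listener at 127.0.0.1, which is why a non-HTTPS redirect URI is allowed only there. This is example code written for this page, not the extension's or OSM's own code. The authorize/token endpoint URLs, the scope names and the client id are assumptions or placeholders; PKCE (RFC 7636) is added as the standard binding that replaces the secret the post calls useless, and whether a given server accepts it is likewise an assumption.

```python
import base64
import hashlib
import json
import secrets
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint URLs for illustration; check the server's own documentation.
AUTHORIZE_URL = "https://www.openstreetmap.org/oauth2/authorize"
TOKEN_URL = "https://www.openstreetmap.org/oauth2/token"


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) per RFC 7636 with the S256 method.

    A public client has no secret, so PKCE binds the authorization code to this
    process: a code seen at the redirect is worthless without the verifier.
    """
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scopes, state, code_challenge,
                        authorize_url=AUTHORIZE_URL):
    """Build the URL the user opens in the browser; note there is no client_secret."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,                      # CSRF binding, checked in parse_redirect
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return authorize_url + "?" + urlencode(params)


def parse_redirect(path, expected_state):
    """Extract the authorization code from the redirect request path.

    Rejects a missing or mismatched state and surfaces an error response
    instead of silently continuing with no code.
    """
    query = parse_qs(urlparse(path).query)
    if "error" in query:
        raise RuntimeError("authorization server returned error: %s" % query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not triggered by this request")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code


def wait_for_redirect(port, expected_state):
    """Serve exactly one request on http://127.0.0.1:<port>/ and return the code."""
    result = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = parse_redirect(self.path, expected_state)
                body = b"Authorization received, you can close this tab."
            except Exception as exc:
                result["error"] = exc
                body = b"Authorization failed, see the terminal."
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the code out of the console log
            pass

    with HTTPServer(("127.0.0.1", port), Handler) as server:  # loopback only
        server.handle_request()
    if "error" in result:
        raise result["error"]
    return result["code"]


def exchange_code(client_id, redirect_uri, code, code_verifier,
                  token_url=TOKEN_URL, transport=None):
    """POST code plus PKCE verifier to the token endpoint and return the JSON reply.

    `transport(url, body_bytes) -> bytes` can be injected for offline testing.
    """
    form = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    }).encode()
    if transport is None:
        def transport(url, data):
            req = urllib.request.Request(url, data=data, method="POST")
            req.add_header("Content-Type", "application/x-www-form-urlencoded")
            with urllib.request.urlopen(req) as resp:
                return resp.read()
    return json.loads(transport(token_url, form))


if __name__ == "__main__":
    # Placeholder client id and assumed scope names for a hypothetical registered app.
    client_id = "YOUR_CLIENT_ID"
    port = 8000
    redirect_uri = "http://127.0.0.1:%d/" % port
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    print("Open in a browser:\n",
          build_authorize_url(client_id, redirect_uri, ["write_api", "write_notes"], state, challenge))
    code = wait_for_redirect(port, state)
    token = exchange_code(client_id, redirect_uri, code, verifier)
    print("access_token received (keep it out of screenshots and shell history)")
```

The redirect URI registered for the application must match the loopback URL byte for byte, and the script deliberately never prints the token, which is the habit the comment thread below pokes fun at.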


Discussion

Comment from mmd on 30 January 2024 at 11:46

It’s kind of funny that you’ve gone the extra mile and blurred the OAuth token on the webpage, then pasted it in plain text, clearly visible, in your terminal window. I hope you’ve revoked that token in the meantime ;)

Comment from TrickyFoxy on 30 January 2024 at 13:16

Blurring is a few lines of CSS, so it was easy :)

Comment from gileri on 30 January 2024 at 20:06

Nice work and writeup, thank you!

Comment from TrickyFoxy on 30 January 2024 at 20:11

Things get a lot more interesting. If you open the browser console on osm.org (it is important that the map is visible), you will see an OAuth token in the ‘head’ tag with access to edit the map and notes. You don’t even need an extension ¯\_(ツ)_/¯

Comment from mmd on 30 January 2024 at 20:49

FWIW: The “OpenStreetMap Web Site” OAuth2 application is also officially documented here: https://github.com/openstreetmap/openstreetmap-website/blob/master/CONFIGURE.md#oauth-consumer-keys -> To allow Notes and changeset discussions to work, follow a similar process, this time registering an OAuth 2 application for the web site […] Check boxes for the following Permissions ‘Modify the map’ and ‘Modify notes’.

Comment from TrickyFoxy on 30 January 2024 at 21:07

A rather non-trivial arrangement of documentation about this :)

But even more interesting is that this token is the same in all your sessions. As if there is no problem in this, but the solution is suspicious.

Comment from mmd on 31 January 2024 at 18:49

Yes, that’s just a normal OAuth2 Bearer Token, which doesn’t expire, like all other OAuth 2 tokens at the moment. The actual generation happens here: https://github.com/openstreetmap/openstreetmap-website/blob/master/app/models/user.rb#L379-L387

Doorkeeper…find_or_create_for is the relevant bit here to trigger the generation on the backend for a given application/user/list of scopes (assuming the token hasn’t been created yet, otherwise the existing token is retrieved).
