oauth token lifetime

5 messages

oauth token lifetime

Jiri Vlasak
Dear devs,

I would like to ask about the lifetime of the OAuth token. I use OSM OAuth to log
into my web application. However, there is a new token each time I log into the
web page.

This approach is similar to the one used by HOT Tasking Manager [1]. In my "oauth
settings" section I have many many "Tasking Manager 3 - Prod" tokens. And I
feel this approach is not right.

So I thought that a time limit for the token would solve this problem. But maybe
I am completely wrong and didn't get the OAuth system?

Thanks!
jiri

[1]: https://tasks.hotosm.org/

_______________________________________________
dev mailing list
[hidden email]
https://lists.openstreetmap.org/listinfo/dev

Re: oauth token lifetime

Tom Hughes-3
On 26/04/2019 19:06, Jiri Vlasak wrote:

> I would like to ask about the lifetime of OAuth token. I use OSM OAuth to log
> into my web application. However, there is new token each time I log into the
> web page.

I don't believe there is any expiry - once you have an access token
you can use it for as long as you want.

> This approach is similar to one used by HOT Tasking Manager [1]. In my "oauth
> settings" section I have many many "Tasking Manager 3 - Prod" tokens. And I
> feel this approach is not right.

That's usually because the client is broken and is not storing the
token but is instead requesting a new one every time you use it.

Tom

--
Tom Hughes ([hidden email])
http://compton.nu/


Re: oauth token lifetime

Jiri Vlasak
On Fri, Apr 26, 2019 at 07:28:39PM +0100, Tom Hughes wrote:
> On 26/04/2019 19:06, Jiri Vlasak wrote:
> > This approach is similar to one used by HOT Tasking Manager [1]. In my "oauth
> > settings" section I have many many "Tasking Manager 3 - Prod" tokens. And I
> > feel this approach is not right.
>
> That's usually because the client is broken and is not storing the
> token but is instead requesting a new one every time you use it.

That's my guess too. So, I would like to write it better. My problem is that I
am quite confused by OAuth.

If I understand it correctly, OAuth is here for authorization. But, in my case
(and in the case of HOT Tasking Manager), the use case is authentication.

So maybe I should ask - is it possible to authenticate to osm.org?

Thanks a lot,
jiri


Re: oauth token lifetime

Tom Hughes-3
On 27/04/2019 14:37, Jiri Vlasak wrote:

> On Fri, Apr 26, 2019 at 07:28:39PM +0100, Tom Hughes wrote:
>> On 26/04/2019 19:06, Jiri Vlasak wrote:
>>> This approach is similar to one used by HOT Tasking Manager [1]. In my "oauth
>>> settings" section I have many many "Tasking Manager 3 - Prod" tokens. And I
>>> feel this approach is not right.
>>
>> That's usually because the client is broken and is not storing the
>> token but is instead requesting a new one every time you use it.
>
> That's my guess too. So, I would like to write it better. My problem is that I
> am quite confused by OAuth.
>
> If I understand it correctly, OAuth is here for authorization. But, in my case
> (and in the case of HOT Tasking Manager), the use case is authentication.

Yes, it is really an abuse of OAuth in general, but it is common.

Note that OAuth 2 (in the form of OpenID Connect) has basically
merged the two use cases anyway.

> So maybe I should ask - is it possible to authenticate to osm.org?

Well yes, that is what OAuth does.

What is happening here is using your osm.org account to
authenticate to a third party site.

That works if the third party is prepared to accept you
allowing it to access osm.org as valid authentication.

Tom

--
Tom Hughes ([hidden email])
http://compton.nu/

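An added example (not code from this thread, from OSM, or from HOT Tasking Manager) illustrating both points Tom makes above: a client that keeps one stored token per browser session and reuses it instead of requesting a new one on every login (the "broken client" behaviour from his first reply, shown beside the fixed version), and a third party that treats a token as proof of identity only after the resource server confirms which account it belongs to. The resource server, the authorization step and the token values are constructed in-memory stand-ins; no real osm.org endpoint is called, and the handling of a revoked stored token is an assumption about how a careful client should behave, not something the thread describes.

```python
"""Added example, not from the thread: per-session OAuth token reuse and
token-based identification against a simulated resource server."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


class TokenRejected(Exception):
    """The resource server no longer accepts this token (e.g. user revoked it)."""


@dataclass
class FakeResourceServer:
    """Stand-in for osm.org (constructed): maps live access tokens to accounts."""
    tokens: Dict[str, str] = field(default_factory=dict)
    issued: int = 0  # how many tokens the user has been asked to grant

    def grant(self, account: str) -> str:
        """Simulates the user completing the authorization redirect once."""
        self.issued += 1
        token = f"tok-{account}-{self.issued}"  # constructed token value
        self.tokens[token] = account
        return token

    def revoke(self, token: str) -> None:
        """Simulates the user deleting the token in their OAuth settings."""
        self.tokens.pop(token, None)

    def user_details(self, token: str) -> str:
        """Simulates an authenticated 'who am I' call; unknown token -> 401."""
        if token not in self.tokens:
            raise TokenRejected(token)
        return self.tokens[token]


class LoginClient:
    """Third-party web app side. Stores at most one token per local session."""

    def __init__(self, server: FakeResourceServer,
                 store: Optional[Dict[str, str]] = None) -> None:
        self.server = server
        # In a real app this is a persistent, access-controlled store keyed by
        # the local user/session record, not a dict; tokens do not expire here.
        self.store = store if store is not None else {}

    def login(self, session_id: str, authorize: Callable[[], str]) -> str:
        """Return the verified account for this session.

        Reuses the stored token and only runs the authorization dance when no
        token is stored or the stored one has been revoked upstream."""
        token = self.store.get(session_id)
        if token is not None:
            try:
                return self.server.user_details(token)
            except TokenRejected:
                del self.store[session_id]  # stale token: discard and re-authorize
        token = authorize()
        self.store[session_id] = token
        # Identity comes from the resource server, never from the client's
        # own assumptions about who completed the redirect.
        return self.server.user_details(token)

    def login_always_new(self, session_id: str,
                         authorize: Callable[[], str]) -> str:
        """The broken pattern from the thread: a fresh token on every login,
        which piles up tokens in the user's OAuth settings."""
        token = authorize()
        self.store[session_id] = token
        return self.server.user_details(token)


if __name__ == "__main__":
    srv = FakeResourceServer()
    client = LoginClient(srv)
    grant_for_jiri = lambda: srv.grant("jiri")  # constructed account name
    for _ in range(3):
        print("logged in as", client.login("sess-1", grant_for_jiri))
    print("tokens issued with token reuse:", srv.issued)
```

Running the block logs in three times but asks the user for a token only once; the test below also checks that a revoked stored token is dropped and replaced, and that the always-new variant issues one token per login.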

Re: oauth token lifetime

Jiri Vlasak
On Sat, Apr 27, 2019 at 02:40:13PM +0100, Tom Hughes wrote:

> On 27/04/2019 14:37, Jiri Vlasak wrote:
> > On Fri, Apr 26, 2019 at 07:28:39PM +0100, Tom Hughes wrote:
> > > On 26/04/2019 19:06, Jiri Vlasak wrote:
> > > > This approach is similar to one used by HOT Tasking Manager [1]. In my "oauth
> > > > settings" section I have many many "Tasking Manager 3 - Prod" tokens. And I
> > > > feel this approach is not right.
> > >
> > > That's usually because the client is broken and is not storing the
> > > token but is instead requesting a new one every time you use it.
> >
> > That's my guess too. So, I would like to write it better. My problem is that I
> > am quite confused by OAuth.
> >
> > If I understand it correctly, OAuth is here for authorization. But, in my case
> > (and in the case of HOT Tasking Manager), the use case is authentication.
>
> Yes it is really abuse of OAuth in general but is common.
>
> Note that OAuth 2 (in the form of OpenID Connect) has basically
> merged the two use cases anyway.
>
> > So maybe I should ask - is it possible to authenticate to osm.org?
>
> Well yes, that is what OAuth does.

Of course. I am sorry, still learning the OAuth thing.

> What is happening here is using your osm.org account to
> authenticate to a third party site.

That should be my question.

> That works if the third party is prepared to accept you
> allowing it to access osm.org as valid authentication.

Anyway, I did a little bit more research on OAuth and I think that I resolved
most of the issues I needed to. Thanks, Tom, for pointing me out!

Have a nice day,
jiri
