Zverik / Level0

Web-based OpenStreetMap Editor
http://level0.osmz.ru
Do What The F*ck You Want To Public License

Switch to OAuth 2 #71

Closed danieldegroot2 closed 3 months ago

danieldegroot2 commented 11 months ago

Switch to OAuth 2 from HTTP Basic Auth and OAuth 1.0a. They are being deprecated. See https://github.com/openstreetmap/operations/issues/867

Note, the api.openstreetmap.org API URL currently cannot do the OAuth 2 handshake. See https://github.com/openstreetmap/operations/issues/951#issuecomment-1748717154. You can split the www. base URL and the api. API URL. See https://github.com/osmlab/osm-auth/pull/123#issuecomment-1777330094

cc: @Zverik

mnalis commented 7 months ago

Given the updated announcement https://github.com/openstreetmap/operations/issues/867#issuecomment-1911954055 saying turning off OAuth 1.0a will begin in about 2 weeks, brownouts will start on May 1st, 2024 and support will be completely shut down on June 1st, 2024, I wanted to ask @Zverik: is the plan for Level0 to be updated by then?

I love using it, and would hate to see it stop working. Is help needed?

Zverik commented 7 months ago

Currently the main blocker is that the server Level0's on has PHP 5.5 which doesn't support OAuth2 out of the box. Upgrading the server is long overdue (OS is nine years obsolete), so the plan is that. But I want to do it closer to April, to have Ubuntu LTS 24 and not think of upgrading for another six years.

sikmir commented 5 months ago

Any news on this? Registration of OAuth 1 applications has been disabled already.

mnalis commented 5 months ago

Ubuntu 24.04 LTS Noble Numbat was just released yesterday, 25 Apr 2024, so that prerequisite at least should be met now.

Zverik commented 5 months ago

Yes, the next prerequisite would be me releasing Every Door 5.0 (hopefully next week), and then I can start moving everything to a new server and updating the libraries to switch to OAuth2.

mnalis commented 4 months ago

Reminder: OAuth 1.0a is scheduled to be shut down next weekend (June 1st 2024), and https://level0.osmz.ru still seems to be using it. (said he, with just a barely detectable panic in his voice :smiling_face_with_tear: )


Update: It is already failing for me (probably due to "May 1st, 2024: Sysadmins will start brownouts to find applications that are still using OAuth 1.0a or HTTP Basic Auth") with:

OAuth error 401 at stage "create": Couldn't authenticate you.

LaoshuBaby commented 4 months ago

I made edits using level0 20 minutes ago, but now I can no longer use it, and I cannot log in again after logging out.

I want to know if I got the last changeset made with level0.

Zverik commented 4 months ago

Well I guess that's what they mean by brown-outs :)

I was distracted with releasing Every Door 5.1, but will try moving Level0 to a new server next weekend. Meaning it will be offline for a few days. Idk, we'll see.

mueschel commented 4 months ago

Please let us know if there is anything we can do to help with, e.g. testing the necessary changes!

Zverik commented 3 months ago

Code porting status: learned how Composer works and how it's deployed to production, almost rewrote OAuth logging in. The codebase for level0 is awful, I want to punch the developer who wrote this. Frankly the entire Level0 needs to be rewritten in JavaScript + local storage.

mnalis commented 3 months ago

> Frankly the entire Level0 needs to be rewritten in JavaScript + local storage.

That might be an interesting idea for a web app (even a PWA), but (for me at least) one of the main advantages of Level0 is precisely that it does not require JS.

Zverik commented 3 months ago

Done.

mueschel commented 3 months ago

Thank you very much! The official instance seems to work well.

However, it seems composer doesn't install all dependencies. I needed to manually install php-dom, php-zip and php-sqlite3. Composer itself complained about the first two; the last one showed up as an error in the server log.

mtmail commented 3 months ago

@mueschel Which operating system and PHP version are you using?

Zverik commented 3 months ago

@mueschel yeah, those are OS-level dependencies, not composer's. You can see the full list of packages I install in my ansible role. php-zip should not be required, although I don't know exactly.

Zverik commented 3 months ago

So. I have added platform dependencies to composer.json. php-zip is required by dev dependencies, so that's on composer. I use --no-dev for production obviously.