metaodi / osmapi

Python wrapper for the OpenStreetMap API
http://osmapi.metaodi.ch/
GNU General Public License v3.0

Prepare for HTTP Basic Auth deprecation #144

Closed matkoniecz closed 5 months ago

matkoniecz commented 1 year ago

https://www.openstreetmap.org/user/pnorman/diary/401157

> The Operations Working Group is looking at what it takes to deprecate HTTP Basic Auth and OAuth 1.0a in favour of OAuth 2.0 on the main API in order to improve security and reduce code maintenance.

It seems that it is not happening soon but...

https://github.com/metaodi/osmapi/pull/113#issuecomment-1475259563

> the library uses basic auth by default, but by allowing to pass a http session, it should be possible to enable OAuth. If I have a little spare time, I'll try to come up with some example code. Then we can adapt the library if needed.

metaodi commented 1 year ago

Here is an example for Google OAuth2 using requests-oauthlib: https://requests-oauthlib.readthedocs.io/en/latest/examples/google.html

So it's possible to create a session object with OAuth (e.g. from requests_oauthlib import OAuth2Session) and then pass this session to osmapi. I'll create an example to see how it works. And then some documentation about how to create your own OAuth application on openstreetmap.org. This should all be straightforward.

metaodi commented 1 year ago

@matkoniecz I finally got the time to create an example using OAuth 2.0 (see PR #149).

metaodi commented 1 year ago

There is now an example here: https://github.com/metaodi/osmapi/blob/develop/examples/oauth2.py

matkoniecz commented 8 months ago

> There is now an example here: https://github.com/metaodi/osmapi/blob/develop/examples/oauth2.py

Do I need to do this on every script run?

And if the user can save oauth2client parameters (to build it), auth_code and redirect_uri and recreate the connection without manual interaction - maybe mention it in some comment?

metaodi commented 8 months ago

@matkoniecz I should test that. But in theory the token should be valid for some time.

matkoniecz commented 8 months ago

Some? So I will need to keep going through this dance manually? Arghhh.

Though for some reason they really want to deprecate it per https://github.com/openstreetmap/operations/issues/867

matkoniecz commented 8 months ago

https://github.com/openstreetmap/operations/issues/867#issuecomment-1888486859 mentions something that may or may not be applicable

metaodi commented 8 months ago

I did a quick test, and currently the tokens do not have an expiry date, so it seems you can use a token forever unless a user revokes it (e.g. here https://master.apis.dev.openstreetmap.org/oauth2/authorized_applications).

So you have to do this dance once, save the token and then reuse it instead of username/password.

metaodi commented 8 months ago

Here is a gist of the script I use: https://gist.github.com/metaodi/df380794ba00df5e73423682231e9ba2

metaodi commented 5 months ago

Since I added a new (more realistic) example script incl. saving and re-using a token, I consider this issue as resolved.
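
Added example, not part of the thread and not the project's example script or the linked gist: because the thread reports that tokens currently have no expiry, a saved token is a long-lived credential, so this sketch stores it owner-readable only and refuses to load it if the file permissions have been widened. The helper names, the token file path, `client_id` and `api_url` are hypothetical; it assumes a POSIX filesystem, osmapi's `session` parameter and requests-oauthlib's `OAuth2Session(client_id, token=...)`.

```python
import json
import os
import stat
import tempfile


def save_token(path, token):
    """Atomically write the token dict as JSON, readable by the owner only."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".osm-token-")  # created 0600
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(token, fh)
        os.replace(tmp, path)  # never leaves a half-written token file
    except BaseException:
        os.unlink(tmp)
        raise


def load_token(path):
    """Load a saved token, refusing files that other users can access."""
    with open(path) as fh:
        mode = os.fstat(fh.fileno()).st_mode  # check the file actually opened
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path} is accessible to group/others")
        token = json.load(fh)
    if not isinstance(token, dict) or not token.get("access_token"):
        raise ValueError(f"{path} does not contain an access token")
    return token


def osm_api_from_saved_token(path, client_id, api_url):
    """Build an osmapi client from a saved token, with no browser step."""
    # Imported here so the storage helpers work without the HTTP libraries.
    import osmapi
    from requests_oauthlib import OAuth2Session

    session = OAuth2Session(client_id, token=load_token(path))
    return osmapi.OsmApi(api=api_url, session=session)
```

Call `save_token` once with the token dict returned by the interactive authorization, then use `osm_api_from_saved_token` in later script runs; revoking the application on the authorized applications page invalidates the saved file's token.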