openstreetmap / openstreetmap-website

The Rails application that powers OpenStreetMap
https://www.openstreetmap.org/
GNU General Public License v2.0

"Remember me" can lock a user into OAuth flow #3103

Open systemed opened 3 years ago

systemed commented 3 years ago

P3 uses a popup OAuth window for users to authenticate with OSM.

If the user clicks "Remember me" on osm.org when first authenticating, then that login becomes a long-lived cookie (which AIR stores in the system cookie store, i.e. as used by IE or Safari).

If the user subsequently clicks "Log out" from P3's Connection prefs, then P3 deletes the OAuth user token/secret and won't use them to authenticate next time.

However, when the user next tries to save and the popup OAuth window opens, the "Remember me" cookie is still there. So osm.org goes straight to the "Authorize access to your account" page and says "The application Potlatch 3 is requesting access to your account, Richard." Which is a problem if what you actually wanted to do is log in with another account.

Couple of possible solutions:

tomhughes commented 3 years ago

There is no "OAuth login page" as far as I know, there is just the normal login page, and not being asked to login if you're already logged in is entirely normal and expected.

All that "remember me" does is to extend the lifetime of the cookie - even without that you might still be considered logged in on a future visit.

You really shouldn't be deleting the OAuth token anyway - the whole point is to cache those client side otherwise you wind up with piles of duplicate authorisations on the OSM end.

mmd-osm commented 4 months ago

Is this still relevant now that P3 has moved to OAuth 2? (Sorry, can’t try this out atm)