osmandapp / OsmAnd


OsmAnd requesting unneeded Oauth2 permission "Redact map data"? #19841

Closed mnalis closed 4 months ago

mnalis commented 5 months ago

Description

When logging in via OsmAnd recently, it requests OAuth2 permissions. One of those permissions is the moderators-only "Redact map data", which should not be needed (none of the other OSM editing apps ever needed that AFAIK):

[Screenshot: osmand-mod-perms-crop]

(This might be a result of moving from the obsoleted OAuth1 to OAuth2.)

Steps to reproduce

Actual result

While most permissions are normal and used by other OSM editing apps too, there is one named "Redact map data" with a blue star. Hovering over that blue star in https://www.openstreetmap.org/oauth2/authorized_applications says "This permission is for actions available only for moderators".

Expected result

I would not expect "Redact map data" to be requested. The other permission that is also requested, "Modify the map", is enough for actually editing the map (adding/deleting/changing POIs etc.).

Your Environment (required)

WARNING Crash-Logs MAY contain information you deem sensitive. Review this CAREFULLY before posting your issue!

OsmAnd Version: OsmAnd~ 4.7.10 (latest F-droid)
Android/iOS version: Android 14
Device model: Samsung Galaxy S23+
Crash-Logs: no

DmitryAlexei commented 5 months ago

OsmAnd~ 4.8.0#2286m, released: 2024-05-13

vshcherb commented 5 months ago

Updated OAuth2 application

RZR-UA commented 5 months ago

https://wiki.openstreetmap.org/wiki/OAuth: write_redactions is not listed in the "Supported scopes:" section.

https://wiki.openstreetmap.org/wiki/API_v0.6: "requires either write_redactions or write_api OAuth scope; write_redactions is being phased out"

RZR-UA commented 5 months ago

https://github.com/osmandapp/OsmAnd/pull/19966 (draft until tested)

RZR-UA commented 5 months ago

Android OAuth scopes fixed. iOS was already OK.

mnalis commented 5 months ago

(@RZR-UA Note that it would be better to have the text "Fixes #19841" in the pull request than to manually close issues -- that way, the issue would be closed automatically when the PR is merged. Manually closing an issue before the PR is merged may backfire.)

mnalis commented 5 months ago

It would be good to make a release with this change very soon, because:

The combined result is that in about 3 days' time basically no user would be able to upload changes with OsmAnd, as they won't be able to log in again after logout.

mnalis commented 5 months ago

@vshcherb perhaps the OAuth2 breakage mentioned above is due to this (too early) change of the OAuth2 application you made two days ago?

It is probably related to this issue too: https://github.com/osmandapp/OsmAnd/issues/19970#issuecomment-2136024622

RZR-UA commented 5 months ago

It seems that the deprecated write_redactions scope was finally disallowed by the OSM OAuth2 servers:

We have merged the hotfix into the master branch and now you can try logging in using the OsmAnd nightly build.

It should be OK now:

PS. We will remove the old basic-auth method (login+password) slightly later because the main OAuth2 method is available as the first option.
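
A scope check of the kind this thread motivates, written as an added example (not part of the original issue and not OsmAnd's code): it parses an OAuth2 authorization URL and reports scopes beyond what the client needs. The `NEEDED_SCOPES` set, the client id, the redirect URI and both sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: the scopes a hypothetical map-editing client actually uses.
NEEDED_SCOPES = {"read_prefs", "write_api", "write_notes", "read_gpx", "write_gpx"}
# Named in the thread as moderator-only and being phased out.
PRIVILEGED_SCOPES = {"write_redactions"}


def requested_scopes(authorize_url):
    """Return the set of scopes carried by an OAuth2 authorization request URL."""
    query = parse_qs(urlsplit(authorize_url).query)
    scopes = set()
    # parse_qs decodes both '+' and '%20' to spaces; the scope value is a
    # space-delimited list, and a repeated 'scope' parameter is merged too.
    for value in query.get("scope", []):
        scopes.update(value.split())
    return scopes


def audit(authorize_url, needed=NEEDED_SCOPES):
    """Compare requested scopes with the needed set (least privilege)."""
    requested = requested_scopes(authorize_url)
    return {
        "excess": sorted(requested - needed),          # asked for, not needed
        "privileged": sorted(requested & PRIVILEGED_SCOPES),
        "missing": sorted(needed - requested),         # needed, not asked for
    }


# Constructed sample requests (client id and redirect URI are placeholders).
BASE = ("https://www.openstreetmap.org/oauth2/authorize?response_type=code"
        "&client_id=EXAMPLE_CLIENT_ID&redirect_uri=app%3A%2F%2Fcallback&scope=")
BEFORE = BASE + "read_prefs+write_api+write_redactions%20write_notes+read_gpx+write_gpx"
AFTER = BASE + "read_prefs+write_api+write_notes+read_gpx+write_gpx"

if __name__ == "__main__":
    for label, url in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(url))
```

Run against the authorization URL a build actually generates, a non-empty `excess` or `privileged` list is a reason to block the release.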