Prepare for HTTP Basic Auth deprecation #144

Closed
matkoniecz opened this issue Mar 19, 2023 · 10 comments · Fixed by #149

Comments

@matkoniecz
Contributor

https://www.openstreetmap.org/user/pnorman/diary/401157

> The Operations Working Group is looking at what it takes to deprecate HTTP Basic Auth and OAuth 1.0a in favour of OAuth 2.0 on the main API in order to improve security and reduce code maintenance.

it seems that it is not happening soon but...

#113 (comment)

> the library uses basic auth by default, but by allowing to pass a http session, it should be possible to enable OAuth. If I have a little spare time, I'll try to come up with some example code. Then we can adapt the library if needed.

@metaodi
Owner

metaodi commented Mar 20, 2023

Here is an example for Google OAuth2 using requests-oauthlib: https://requests-oauthlib.readthedocs.io/en/latest/examples/google.html

So it's possible to create a session object with OAuth (e.g. `from requests_oauthlib import OAuth2Session`) and then pass this session to osmapi. I'll create an example to see how it works. And then some documentation about how to create your own OAuth application on openstreetmap.org. This should all be straightforward.

@metaodi metaodi mentioned this issue Jul 17, 2023
@metaodi
Owner

metaodi commented Jul 17, 2023

@matkoniecz I finally got the time to create an example using OAuth 2.0 (see PR #149).

@metaodi
Owner

metaodi commented Jul 17, 2023

There is now an example here: https://github.com/metaodi/osmapi/blob/develop/examples/oauth2.py

@matkoniecz
Contributor Author

> There is now an example here: https://github.com/metaodi/osmapi/blob/develop/examples/oauth2.py

Do I need to do this on every script run?

And if user can save oauth2client parameters (to build it), auth_code and redirect_uri and recreate connection without manual interaction - maybe mention it in some comment?

@metaodi
Owner

metaodi commented Jan 12, 2024

@matkoniecz I should test that. But in theory the token should be valid for some time.

@matkoniecz
Contributor Author

some? So I will need to keep going through this dance manually? Arghhh.

Though for some reason they really want to deprecate it per openstreetmap/operations#867

@matkoniecz
Contributor Author

openstreetmap/operations#867 (comment) mentions something that may or may not be applicable

@metaodi
Owner

metaodi commented Jan 15, 2024

I did a quick test, and currently the tokens do not have an expiry date, so it seems you can use a token forever unless a user revokes it (e.g. here https://master.apis.dev.openstreetmap.org/oauth2/authorized_applications).

So you have to do this dance once, save the token and then reuse it instead of username/password.

@metaodi metaodi reopened this Jan 15, 2024
@metaodi
Owner

metaodi commented Jan 15, 2024

Here is a gist of the script I use: https://gist.github.com/metaodi/df380794ba00df5e73423682231e9ba2

@metaodi
Owner

metaodi commented Mar 20, 2024

Since I added a new (more realistic) example script incl. saving and re-using a token, I consider this issue as resolved.
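Because the thread reports that the tokens currently carry no expiry date, a saved token file is a long-lived credential equivalent to the password it replaces. The following is an added example, not code from osmapi or from the linked gist, of the "do the dance once, save the token, reuse it" pattern with owner-only file permissions. The function names and the `authorize` callable (standing in for the interactive OAuth 2.0 flow) are hypothetical, and POSIX file permissions are assumed.

```python
import json
import os
import stat
import tempfile


def save_token(path, token):
    """Atomically write the token dict to `path` with mode 0600."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file readable/writable by the owner only; keeping it
    # in the target directory makes os.replace() an atomic rename.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".token-")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(token, fh)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def load_token(path):
    """Return the saved token dict, or None if nothing has been saved yet."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return None
    # Refuse a token file that group or other users can read, write or execute.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to other users; chmod 600 it")
    with open(path) as fh:
        token = json.load(fh)
    if "access_token" not in token:
        raise ValueError(f"{path} does not contain an access_token")
    return token


def get_token(path, authorize):
    """Reuse the saved token; run the interactive flow only when none exists."""
    token = load_token(path)
    if token is None:
        token = authorize()  # hypothetical callable returning the token dict
        save_token(path, token)
    return token


def auth_header(token):
    """Bearer header for the saved token, replacing username/password."""
    return {"Authorization": f"Bearer {token['access_token']}"}
```

The returned dict can be handed to `OAuth2Session(client_id, token=token)` from requests-oauthlib, and that session passed to osmapi as described earlier in the thread. If the token file leaks, revoke the application under the authorized applications page mentioned above and run the flow again.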
