Re: [openstreetmap/openstreetmap-website] Add OAuth Refresh token when `openid` scope is used (PR #5497)

2025-01-22 Thread David Karlaš via rails-dev
I'm not, but my feeling is that sending `id_token` rather than `access_token` is a 
bit better, since if the Panoramax instance is compromised nothing is lost: 
`id_token` is used only for authentication, not authorization like 
`access_token`.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/5497#issuecomment-2607162185
You are receiving this because you are subscribed to this thread.

Message ID: 
___
rails-dev mailing list
rails-dev@openstreetmap.org
https://lists.openstreetmap.org/listinfo/rails-dev


Re: [openstreetmap/openstreetmap-website] Add OAuth Refresh token when `openid` scope is used (PR #5497)

2025-01-20 Thread David Karlaš via rails-dev
Closed #5497.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/5497#event-15996923025


Re: [openstreetmap/openstreetmap-website] Add OAuth Refresh token when `openid` scope is used (PR #5497)

2025-01-20 Thread David Karlaš via rails-dev
I did some more investigation into this, and I agree that using `id_token` as a way to 
log in to a 3rd-party service is not a very standardized way of doing things; here 
is a rare example of it being done: 
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens

While investigating, the 3rd option of exchanging `id_token` for an `access_token` on 
the 3rd-party service seems the most common way of doing things, and it can be done 
today without adding `refresh_token`; the only downside is that the mobile app 
needs to acquire the `access_token` as soon as the user logs in and not later when 
it is actually needed.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/5497#issuecomment-2602084402


[openstreetmap/openstreetmap-website] Add OAuth Refresh token when `openid` scope is used (PR #5497)

2025-01-14 Thread David Karlaš via rails-dev
### Description
OSM `access_token` doesn't have an expiry, but `id_token`, which is generated when 
the `openid` scope is enabled, has an expiry of 2 minutes. Making `id_token` also 
never expire seems to me more problematic than no expiry for `access_token`, 
because `id_token` cannot be revoked, hence it is important to have a short 
expiry. But with a short expiry, `id_token` is not very useful and it would 
complicate authentication against 3rd-party services. Instead I think it is 
better to enable the refresh token on OSM when the `openid` scope is enabled for an app, 
which allows apps to refresh `id_token` by calling `/oauth/token` using the refresh 
token. This way the app can refresh `id_token` at any time and send it to a 3rd-party 
service, which can authenticate the user.

### How has this been tested?
Added unit tests, and tested manually on my machine; also verified that calling 
`/oauth/token` with a refresh token works and produces a fresh `id_token`.

### More details
My main goal for how to use this is the following. Mobile apps such as EveryDoor, 
StreetComplete... can add `openid` to their OAuth application scopes. That will 
result in getting an `id_token` property in the JSON of osm.org/oauth/token that can 
be passed to Panoramax as `Authorization: Bearer 
jwt_token_that_osm.org/oauth/token_returned_in_id_token_field` when uploading 
photos. This will allow the Panoramax API to use 
[https://www.openstreetmap.org/oauth2/discovery/keys](https://www.openstreetmap.org/oauth2/discovery/keys), 
which has the public key stored that can be used to verify the `id_token` and 
authenticate the user. So from the user's perspective, no additional logins or anything 
else need to be done against the Panoramax service. Another nice thing about 
sending the OpenID Connect ID token is that even if the Panoramax service is compromised, 
this token is only useful to confirm that this user did the action; it does not give 
Panoramax any authorization to do anything against the osm.org API.
With this PR, the mobile app will be able to fetch a fresh `id_token` at any time and 
send it to the Panoramax service, which can authenticate the user as long as the whole 
operation takes less than 2 minutes, which should be plenty.

You can view, comment on, or merge this pull request online at:

  https://github.com/openstreetmap/openstreetmap-website/pull/5497

-- Commit Summary --

  * Add OAuth Refresh token when `openid` scope is used

-- File Changes --

M config/initializers/doorkeeper.rb (4)
M test/integration/oauth2_test.rb (6)

-- Patch Links --

https://github.com/openstreetmap/openstreetmap-website/pull/5497.patch
https://github.com/openstreetmap/openstreetmap-website/pull/5497.diff

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/5497
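The relying-party check that the PR description expects of Panoramax, as an added Go example that is not code from this PR, from openstreetmap-website or from Panoramax: it mints a constructed RS256 `id_token` with the 2-minute lifetime described above and verifies it against a JWKS-style key list (key chosen by `kid`, algorithm pinned, then signature, `iss`, `aud` and `exp`), so an expired token is rejected and the app has to refresh and resend. The issuer and audience strings, the `k1` key id and the `newKey` helper are assumptions made for the demo.

```go
package main
import (
	"crypto"; "crypto/rand"; "crypto/rsa"; "crypto/sha256"; "encoding/base64"
	"encoding/json"; "errors"; "math/big"; "strings"; "time"
)

// Assumed values, not from the PR: the issuer OSM puts in id_token and the app's OAuth client_id.
const issuer, audience = "https://www.openstreetmap.org", "example-mobile-app-client-id"
type jwk struct{ Kid, Kty, N, E string }             // kid/kty/n/e of one key served at /oauth2/discovery/keys
type claims struct{ Iss, Aud, Sub string; Exp int64 } // json.Unmarshal matches iss/aud/sub/exp case-insensitively
var enc = base64.RawURLEncoding
func decode(s string) []byte { b, _ := enc.DecodeString(s); return b }
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }
func newKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k } // demo signing key

// mintIDToken signs a constructed RS256 id_token with the 2-minute lifetime the PR describes.
func mintIDToken(priv *rsa.PrivateKey, kid, sub string, now time.Time) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(map[string]interface{}{"iss": issuer, "aud": audience, "sub": sub, "exp": now.Add(2 * time.Minute).Unix()})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(input))
	return input + "." + enc.EncodeToString(sig)
}

// verifyIDToken is the third-party side (Panoramax in the thread): key by kid, pinned alg, signature, then iss/aud/exp. Authentication only: it grants no OSM API access.
func verifyIDToken(token string, keys []jwk, now time.Time) (string, error) {
	p := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }; var c claims
	if len(p) != 3 || json.Unmarshal(decode(p[0]), &hdr) != nil || json.Unmarshal(decode(p[1]), &c) != nil {
		return "", errors.New("malformed token")
	}
	for _, k := range keys {
		if k.Kid != hdr.Kid || k.Kty != "RSA" {
			continue
		}
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(decode(k.N)), E: int(new(big.Int).SetBytes(decode(k.E)).Int64())}
		switch {
		case hdr.Alg != "RS256": // never let the token choose the algorithm
			return "", errors.New("unexpected alg")
		case rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(p[0]+"."+p[1]), decode(p[2])) != nil:
			return "", errors.New("bad signature")
		case c.Iss != issuer || c.Aud != audience:
			return "", errors.New("wrong issuer or audience")
		case now.Unix() >= c.Exp:
			return "", errors.New("id_token expired") // past the 2-minute window: the app must refresh and resend
		}
		return c.Sub, nil
	}
	return "", errors.New("unknown kid")
}
```

Build the key list from `newKey()` (its `N` and `E` base64url-encoded, as the discovery endpoint publishes them), mint a token, and call `verifyIDToken` once within and once beyond the 2-minute window to see both outcomes.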


Re: [openstreetmap/openstreetmap-website] Add 'Load more' button that loads newer changesets to history pages (PR #5812)

2025-03-18 Thread David Karlaš via rails-dev
DavidKarlas left a comment (openstreetmap/openstreetmap-website#5812)

Should the existing button be renamed to "Load older" and the new button to "Load 
newer"? Just an idea...

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/5812#issuecomment-2735280265