Add OpenStreetMap OAuth2 backend

[das-g]

Proposed feature

Make it possible to authenticate using an OpenStreetMap account using OAuth 2.

Status quo

An OpenStreetMap backend exists in python-social-auth, but only for OAuth 1.0 and OAuth 1.0a, not yet for OAuth 2.

OpenStreetMap acts as a provider for OAuth 1.0a and OAuth 2.0 and recommends the latter for any new applications. Relevant parameters for OAuth 2.0 are documented on the OSM wiki, currently:

• Supported Grant types:

  • Authorization Code
  • Authorization Code with PKCE

• Add authorization data to Request Headers

• Production (this is the one we want):

  • Auth URL: https://www.openstreetmap.org/oauth2/authorize
  • Access Token URL: https://www.openstreetmap.org/oauth2/token

• Development (should maybe be a separate python-social-auth backend?):

  • Auth URL: https://master.apis.dev.openstreetmap.org/oauth2/authorize
  • Access Token URL: https://master.apis.dev.openstreetmap.org/oauth2/token

• Supported scopes:

  • read_prefs: read their user preferences
  • write_prefs: modify their user preferences
  • write_diary: create diary entries, comments and make friends
  • write_api: modify the map
  • read_gpx: read their private GPS traces
  • write_gpx: upload GPS traces
  • write_notes: modify notes

Any other comments?

(none)

[davidbgk]

ℹ️ Future deprecation of HTTP Basic Auth and OAuth 1.0a

[mmd-osm]

Adding link to upstream OSM operations issue for better visibility: openstreetmap/operations#867

OSM's OAuth 1.0a is in the process of being deprecated, as discussed at openstreetmap/operations#867. No timeline has been set, but we do not expect to shut off OAuth 1.0a this year. It would be good to move to OAuth 2.0 well before this time.

[kresp0]

Now we have a timeline for the OAuth 1.0a shut down: the 1st of June, with brownouts starting on May 1st.

[mmd-osm]

I've started to create a new OAuth2 config for OpenStreetMap: https://github.com/mmd-osm/social-core/tree/feat/osmoauth2

Will create a Pull request once someone could give it a try and report back if it works. Thanks!

[mmd-osm]

Test run:

Run demo:

1. Clone https://github.com/mmd-osm/social-core/tree/feat/osmoauth2 , then sudo python setup.py install
2. Clone social-examples repo
3. Go through preparation steps below
4. make run-django

Preparation steps:

Register new app on osm.org

On osm.org: register new application https://www.openstreetmap.org/oauth2/applications

Permissions: Read user preferences (read_prefs)
Redirect URIs: http://127.0.0.1:8001/complete/openstreetmap-oauth2/
(of course, 127.0.0.1:8000 is just for the sake of running this demo)

Note down client id and client secret values, since they're needed for the next step.

Maintain local settings

Create new file example-django/example/local_setings.py:

import os
from dotenv import load_dotenv

# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

load_dotenv(verbose=True, dotenv_path=os.path.join(BASE_DIR, '.env'))

ALLOWED_HOSTS = [ '0.0.0.0', '127.0.0.1' ]

AUTHENTICATION_BACKENDS = [
  'social_core.backends.openstreetmap_oauth2.OpenStreetMapOAuth2'
]

# w/o PKCE: requries key + secret (confidential application)
#SOCIAL_AUTH_OPENSTREETMAP_OAUTH2_KEY = '...'
#SOCIAL_AUTH_OPENSTREETMAP_OAUTH2_SECRET = '...'

# w/ PKCE: only key needed
SOCIAL_AUTH_OPENSTREETMAP_OAUTH2_KEY = '...'

SOCIAL_AUTH_OPENSTREETMAP_OAUTH2_SCOPE = [ 'read_prefs' ]
# Note: explicitly setting the scope to read_prefs is no longer needed, since it's included in the DEFAULT_SCOPE now.

[mmd-osm]

By the way, OpenStreetMap also supports OIDC since last year, so that would also work.

[kshitijrajsharma]

@mmd-osm will it be possible to share code snippet or github url for the project you used as sample in gif attached on above comment ?

[mmd-osm]

@kshitijrajsharma : yes, sure, you can find it over at: https://github.com/python-social-auth/social-examples

[kshitijrajsharma]

@mmd-osm so login url will be /login/openstreetmap/ , for oauth2 too ?
or /login/openstreetmap_oauth2/ ?

[mmd-osm]

Since the name of the backend has changed to openstreetmap-oauth2, the /login/ URL is probably matching the new name. TBH, I haven't entered that URL anywhere, just starting the demo on http://127.0.0.1:8001 and then hitting the different log on buttons.

[mmd-osm]

By the way, one thing to keep in mind for testing, social-auth release 4.5.2 doesn't include the new openstreetmap-oauth2 backend yet. You would need to use the master branch in this repo. I hope we will see a new 4.5.3 release in the upcoming weeks.

[kshitijrajsharma]

@mmd-osm Yes , I am building it from master right now ! I am trying to test the new change, I will let you know how it goes !

[kshitijrajsharma]

@mmd-osm it works well ! Thanks for this And yes the login url will be /login/openstreetmap_oauth2/ as backend is changed so applications using their own login implementation (mostly they will ) they need to listen to /login/openstreetmap_oauth2/ instead of login/openstreetmap/

[yohanboniface]

Tested in uMap and seems all good to me! Thanks @mmd-osm for your work :)

@nijel any chance to get a release including this new backend ? If I can help in any way, please ask :)

[nijel]

@yohanboniface If you can prepare pull request for the release, it would make it easier. It is documented at https://github.com/python-social-auth/social-core/wiki/Release-process

[yohanboniface]

Cool! Here you go #885 :)