Modify

Opened 7 years ago

Closed 7 years ago

Last modified 4 years ago

#13872 closed enhancement (fixed)

Optionally allow OAuth signing of all API requests

Reported by: zerebubuth@… Owned by: team
Priority: normal Milestone: 16.10
Component: Core Version:
Keywords: oauth bandwidth limit Cc:

Description

One frequent complaint when large mapping parties are held behind NAT firewalls is that API requests begin to fail with "509 Bandwith Limit Exceeded" messages. This is due to the OSM API rate-limiting on the basis of the user's IP address, which may be shared with many other users.

A method was recently committed and deployed to the API which means that OAuth signed requests will count towards a per-user rate limit rather than a per-IP one. This should mostly solve the problem that users behind NAT firewalls have experienced. While it is not necessary to use OAuth to sign read-only requests, such as map API calls, doing so will cause the user to be judged on their own traffic alone.

iD has added support recently, for full details please see: https://github.com/openstreetmap/iD/pull/3519

For background about the problem, please see: https://github.com/openstreetmap/operations/issues/36

Attachments (0)

Change History (8)

comment:1 by anonymous, 7 years ago

While it is not necessary to use OAuth to sign read-only requests, such as map API calls, doing so will cause the user to be judged on their own traffic alone.

Trying to explain this better. What I meant was:

  • The API behaviour is not changing with respect to requiring authentication. It will not be required to use OAuth on any API calls.
  • However, using authentication on API calls will allow the server to know the user's ID and calculate the rate limit for the user. Otherwise it will calculate the rate limit for the user's IP address.

comment:2 by wiktorn, 7 years ago

Maybe such a patch is sufficient:

  • src/org/openstreetmap/josm/io/OsmServerReader.java

     
    2828 */
    2929public abstract class OsmServerReader extends OsmConnection {
    3030    private final OsmApi api = OsmApi.getOsmApi();
    31     private boolean doAuthenticate;
     31    private boolean doAuthenticate = OsmApi.isUsingOAuth();
    3232    protected boolean gpxParsedProperly;
    3333
    3434    /**
Last edited 7 years ago by wiktorn (previous) (diff)

comment:3 by Don-vip, 7 years ago

Keywords: bandwidth limit added
Milestone: 16.10

comment:4 by Don-vip, 7 years ago

Resolution: fixed
Status: newclosed

In 11193/josm:

fix #13872 - OAuth signing of all API requests to support user-based bandwith limit instead of IP-based one (based on patch by wiktorn)

comment:5 by bastiK, 7 years ago

Resolution: fixed
Status: closedreopened

Use new preference directory and download data -> The OAuth dialog will pop up and request username and password.

It should just download the data and only authenticate the request when OAuth is already configured.

comment:6 by Don-vip, 7 years ago

Resolution: fixed
Status: reopenedclosed

In 11194/josm:

fix #13872 - use authentication only if OAuth is configured properly

comment:7 by zerebubuth@…, 7 years ago

Thanks! That was very quick.

I've just tested this and it seems to be having the intended effect server-side; map downloads were assigned to my user ID rather than my IP address.

comment:8 by simon04, 4 years ago

In 16422/josm:

fix #18820, see #13872 - Make OAuth signing of all API requests configurable

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain team.
as The resolution will be set.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment
E-mail address and name can be saved in the Preferences .
AttachmentsDescription
 
Note: See TracTickets for help on using tickets.