Login fails

[SomeoneElse2]

What steps will reproduce the problem?

1. Download latest JOSM Tested
2. Edit / preferences / OSM Server / New Access Token
3. Enter username and password (both copied from password manager, and separately validated in incognito browser window)
4. Click Authorise now

What is the expected result?

Logging in

What happens instead?

Oauth authorisation failed

​https://www.openstreetmap.org/user/SomeoneElse2/oauth_clients
shows a token under "Oauth 1 settings".

Please provide any additional information below. Attach a screenshot if possible.

​https://map.atownsend.org.uk/tmp/Screenshot%202024-02-14%20140600.png

Relative:URL: ^/trunk
Repository:UUID: 0c6e7542-c601-0410-84e7-c038aed88b3b
Last:Changed Date: 2024-02-05 12:56:34 +0100 (Mon, 05 Feb 2024)
Revision:18969
Build-Date:2024-02-06 02:30:58
URL:https://josm.openstreetmap.de/svn/trunk

Identification: JOSM/1.5 (18969 en_GB) Windows 10 64-Bit
OS Build number: Windows 10 Pro 2009 (19045)
Memory Usage: 600 MB / 3026 MB (117 MB allocated, but free)
Java version: 21.0.2+13-58, Oracle Corporation, OpenJDK 64-Bit Server VM
Look and Feel: com.sun.java.swing.plaf.windows.WindowsLookAndFeel
Screen: \Display0 1920×1080 (scaling 1.50×1.50) \Display1 1920×1080 (scaling 1.00×1.00)
Maximum Screen Size: 1920×1080
Best cursor sizes: 16×16→48×48, 32×32→48×48
System property file.encoding: UTF-8
System property sun.jnu.encoding: Cp1252
Locale info: en_GB
Numbers with default locale: 1234567890 -> 1234567890

Plugins:
+ continuosDownload (103)
+ reverter (36196)
+ undelete (36126)

Last errors/warnings:
- 00000.766 W: extended font config - overriding 'filename.Malgun_Gothic=malgun.ttf' with 'MALGUN.TTF'
- 00000.768 W: extended font config - overriding 'filename.Myanmar_Text=mmrtext.ttf' with 'MMRTEXT.TTF'
- 00000.770 W: extended font config - overriding 'filename.Mongolian_Baiti=monbaiti.ttf' with 'MONBAITI.TTF'
- 00002.873 W: Update plug-ins - You updated your JOSM software. To prevent problems the plug-ins should be updated as well.  Update plug-ins now?
- 00026.996 E: Failed to locate image 'http://www.geoportal.segeth.df.gov.br/static/dist/img/logo_geoportal.png'
- 00060.709 E: org.openstreetmap.josm.gui.oauth.OsmOAuthAuthorizationException: oauth.signpost.exception.OAuthCommunicationException: Communication with the service provider failed: stream is closed. Cause: oauth.signpost.exception.OAuthCommunicationException: Communication with the service provider failed: stream is closed. Cause: java.io.IOException: stream is closed
- 00060.724 E: OAuth authorisation failed - <html>The automatic process for retrieving an OAuth Access Token<br>from the OSM server failed.<br><br>Please try again or choose another kind of authorisation process,<br>i.e. semi-automatic or manual authorisation.</html>
- 00119.838 E: Failed to locate image 'http://www.geoportal.segeth.df.gov.br/static/dist/img/logo_geoportal.png'

[taylor.smock]

Closed as duplicate of #22810.
I'm intending to remove OAuth 1.0 from JOSM this month.

See ​https://github.com/openstreetmap/operations/issues/867#issuecomment-1911954055 (OSM is removing Basic Auth and OAuth 1.0a as authentication options in June).

This issue will be "fixed" by the removal of OAuth 1.0a from JOSM.

[SomeoneElse2]

Thanks. I was a bit surprised that "New Access Token" defaulted to other than Oauth 2.0:
​https://map.atownsend.org.uk/tmp/Screenshot_20240214_214913.png
(a bit surprised that there was even a choice, to be honest).

[taylor.smock]

I was a bit surprised that "New Access Token" defaulted to other than Oauth 2.0:

We supported OAuth 1.0a and OAuth 2.0 at the same time; what New Access Token did depends upon which authentication method you have selected.

[taylor.smock]

In 18991/josm:

Fix #22810: OSM OAuth 1.0a/Basic auth deprecation and removal

As of 2024-02-15, something changed in the OSM server configuration. This broke
our OAuth 1.0a implementation (see #23475). As such, we are removing OAuth 1.0a
from JOSM now instead of when the OSM server removes support in June 2024.

For third-party OpenStreetMap servers, the Basic Authentication method has been
kept. However, they should be made aware that it may be removed if a non-trivial
bug occurs with it. We highly recommend that the third-party servers update to
the current OpenStreetMap website implementation (if only for their own security).

Failing that, the third-party server can implement RFC8414. As of this commit,
we currently use the authorization_endpoint and token_endpoint fields.
To check and see if their third-party server implements RFC8414, they can go
to <server host>/.well-known/oauth-authorization-server.

Prominent third-party OpenStreetMap servers may give us a client id for their
specific server. That client id may be added to the hard-coded client id list
at maintainer discretion. At a minimum, the server must be publicly
available and have a significant user base.

[SomeoneElse2]

As such, we are removing OAuth 1.0a

from JOSM now instead of when the OSM server removes support in June 2024.

Thanks, that makes sense (from a "person who edits OSM" perspective); I can't really comment on the "other API implementations" thing.

[taylor.smock]

OpenHistoricalMap and OpenGeoFiction both have forks of OpenStreetMap's Ruby-on-Rails port.

Both of which are significantly out-of-date, but still support OAuth 2. Just not RFC 8414 which allows for automatic endpoint configuration.