Opened 15 years ago
Closed 15 years ago
#4790 closed defect (fixed)
[patch] Fully automatic retrieval of OAuth token failed since OSM switched to HTTPS
Reported by: | anonymous | Owned by: | Gubaer |
---|---|---|---|
Priority: | critical | Milestone: | |
Component: | Core | Version: | |
Keywords: | patch | Cc: |
Description
The fully automatic retrieval of an OAuth access token failed with the error message org.openstreetmap.josm.gui.oauth.OsmOAuthAuthorizationException: OSM website did not return a session cookie in response to 'http://www.openstreetmap.org/login?cookie_test=true'
Although I don't know the josm code, I could imagine that the problem lies with the redirect to https on the login page.
Since a couple of weeks ago, the OSM webpage supports and requires secure http for all operations involving the user password. The webserver thus responds with a 301 moved permanently redirect to the https site and it appears as if the JOSM code does not correctly handle this.
JOSM should then also not warn about the unsecure password transmission when using OAuth.
Tested with JOSM version 3151
Attachments (1)
Change History (6)
comment:1 by , 15 years ago
by , 15 years ago
Attachment: | use-https-login.patch added |
---|
Implement a TODO in the source and use HTTPS login instead of HTTP
comment:2 by , 15 years ago
Keywords: | patch added |
---|---|
Priority: | normal → critical |
Summary: | Fully automatic retrieval of OAuth token failed → Fully automatic retrieval of OAuth token failed since OSM switched to HTTPS |
Bumping priority. The OAuth feature doesn't work *at all* due to this bug.
Since the OSM website always uses HTTPS now I've patched it to just use that.
comment:3 by , 15 years ago
Owner: | changed from | to
---|---|
Summary: | Fully automatic retrieval of OAuth token failed since OSM switched to HTTPS → [patch] Fully automatic retrieval of OAuth token failed since OSM switched to HTTPS |
@Gubaer:
Can you verify this? I never used OAuth myself. But the patch looks straightforward to me.
comment:4 by , 15 years ago
Probably we should make the "https" a hidden configurable option? This way we can support the devservers as well.
comment:5 by , 15 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
This bug is very easy to fix by simply changing http to https in OsmOAuthAuthorization.buildOsmLoginUrl(). After that, automatic login to osm.org works again.
It would probably be better though, if josm could automatically deal with either protocol, as otherwise automatic retrieval of OAuth tokens against the dev servers wouldn't work, as those don't support https.
It would be very good if this could be fixed, as OAuth should really be the default way to authenticate against the API in order to protect users' passwords, instead of sending them unencrypted over the network for every call.
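
One way to "deal with either protocol", as comments 4 and 5 suggest, without ever sending the password in cleartext to the main site. This is an added illustration, not taken from the ticket, the attached patch, or JOSM's source. The class `LoginUrlPolicy`, its methods, the allowlist idea and the host `dev.example.org` are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper, not JOSM code: HTTPS by default, plain HTTP only for allowlisted hosts.
public class LoginUrlPolicy {
    private final Set<String> httpAllowedHosts; // e.g. dev servers without TLS (assumption)

    public LoginUrlPolicy(Set<String> httpAllowedHosts) {
        this.httpAllowedHosts = httpAllowedHosts;
    }

    private boolean plainHttpAllowed(URI u) {
        return "http".equalsIgnoreCase(u.getScheme()) && u.getHost() != null
                && httpAllowedHosts.contains(u.getHost().toLowerCase(Locale.ROOT));
    }

    /** Login URL for the configured site; the scheme is forced to https unless allowlisted. */
    public URI buildLoginUrl(URI siteBase) throws URISyntaxException {
        if (siteBase.getHost() == null) {
            throw new IllegalArgumentException("no host in " + siteBase);
        }
        boolean plain = plainHttpAllowed(siteBase);
        boolean schemeKept = plain || "https".equalsIgnoreCase(siteBase.getScheme());
        int port = schemeKept ? siteBase.getPort() : -1; // drop an http port when upgrading
        return new URI(plain ? "http" : "https", null, siteBase.getHost(), port,
                "/login", "cookie_test=true", null);
    }

    /** Redirect check before any credentials are sent: same host, never a TLS downgrade. */
    public boolean mayFollowRedirect(URI from, URI to) {
        if (from.getHost() == null || !from.getHost().equalsIgnoreCase(to.getHost())) {
            return false;
        }
        if ("https".equalsIgnoreCase(to.getScheme())) {
            return true; // covers the 301 from http to https described in the ticket
        }
        return "http".equalsIgnoreCase(from.getScheme()) && plainHttpAllowed(to);
    }

    public static void main(String[] args) throws URISyntaxException {
        LoginUrlPolicy p = new LoginUrlPolicy(Set.of("dev.example.org")); // constructed host
        String login = "://www.openstreetmap.org/login?cookie_test=true";
        System.out.println(p.buildLoginUrl(URI.create("http://www.openstreetmap.org")));
        System.out.println(p.buildLoginUrl(URI.create("http://dev.example.org:3000")));
        System.out.println(p.mayFollowRedirect(URI.create("http" + login), URI.create("https" + login)));
        System.out.println(p.mayFollowRedirect(URI.create("https" + login), URI.create("http" + login)));
    }
}
```

The redirect check is meant to run on the cookie-test request, before the login form carrying the password is posted, so a downgrade is refused before any secret leaves the client.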