
Opened 10 years ago

Closed 10 years ago

#4790 closed defect (fixed)

[patch] Fully automatic retrieval of OAuth token failed since OSM switched to HTTPS

Reported by: anonymous
Owned by: Gubaer
Priority: critical
Milestone:
Component: Core
Version:
Keywords: patch
Cc:

Description

The fully automatic retrieval of an OAuth access token failed with the error message org.openstreetmap.josm.gui.oauth.OsmOAuthAuthorizationException: OSM website did not return a session cookie in response to 'http://www.openstreetmap.org/login?cookie_test=true'

Although I don't know the josm code, I could imagine that the problem lies with the redirect to https on the login page.

For a couple of weeks now, the OSM webpage has supported and required secure HTTP for all operations involving the user password. The webserver thus responds with a 301 Moved Permanently redirect to the HTTPS site, and it appears as if the JOSM code does not correctly handle this.

JOSM should then also not warn about the insecure password transmission when using OAuth.

Tested with JOSM version 3151

Attachments (1)

use-https-login.patch (997 bytes) - added by avarab@… 10 years ago.
Implement a TODO in the source and use HTTPS login instead of HTTP


Change History (6)

comment:1 Changed 10 years ago by anonymous

This bug is very easy to fix by simply changing http to https in OsmOAuthAuthorization.buildOsmLoginUrl(). After that, automatic login to osm.org works again.

It would probably be better though, if josm could automatically deal with either protocol, as otherwise automatic retrieval of OAuth tokens against the dev servers wouldn't work, as those don't support https.

It would be very good if this could be fixed, as OAuth should really be the default way to authenticate against the API in order to protect users' passwords, instead of sending them unencrypted over the network for every call.

Changed 10 years ago by avarab@…

Attachment: use-https-login.patch added

Implement a TODO in the source and use HTTPS login instead of HTTP

comment:2 Changed 10 years ago by avarab@…

Keywords: patch added
Priority: normal → critical
Summary: "Fully automatic retrieval of OAuth token failed" → "Fully automatic retrieval of OAuth token failed since OSM switched to HTTPS"

Bumping priority. The OAuth feature doesn't work *at all* due to this bug.

Since the OSM website always uses HTTPS now I've patched it to just use that.

comment:3 Changed 10 years ago by stoecker

Owner: changed from team to Gubaer
Summary: "Fully automatic retrieval of OAuth token failed since OSM switched to HTTPS" → "[patch] Fully automatic retrieval of OAuth token failed since OSM switched to HTTPS"

@Gubaer:

Can you verify this? I never used OAuth myself. But the patch looks straightforward to me.

comment:4 Changed 10 years ago by stoecker

Probably we should make the "https" a hidden configurable option? This way we can support the dev servers as well.

comment:5 Changed 10 years ago by stoecker

Resolution: fixed
Status: new → closed

(In [3188]) close #4790 - OAuth uses HTTPS
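
One way to combine the two suggestions in this ticket (HTTPS login by default, with a hidden option for dev servers that lack HTTPS) and to treat the 301 redirect safely, as an added example that is not JOSM's code or the attached patch. The class and method names, the `allowInsecureLogin` option and the host `dev.example.org` are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Added illustration; class, method and option names are hypothetical, not JOSM's. */
public class LoginUrlPolicy {

    /**
     * Builds the login URL from the site base URL. HTTPS is forced unless the
     * hypothetical hidden option allowInsecureLogin is set (e.g. for a dev server).
     */
    static URI buildLoginUrl(String siteBase, boolean allowInsecureLogin) throws URISyntaxException {
        URI base = new URI(siteBase);
        if (base.getScheme() == null || base.getHost() == null) {
            throw new IllegalArgumentException("absolute URL with host required: " + siteBase);
        }
        boolean keepHttp = "http".equalsIgnoreCase(base.getScheme()) && allowInsecureLogin;
        String scheme = keepHttp ? "http" : "https";
        // When the scheme is upgraded, drop an explicit port such as :80.
        boolean upgraded = !scheme.equalsIgnoreCase(base.getScheme());
        int port = upgraded ? -1 : base.getPort();
        return new URI(scheme, null, base.getHost(), port, "/login", "cookie_test=true", null);
    }

    /**
     * Decides whether a redirect seen during login may be followed: same host only,
     * and never from https down to http. An http -> https upgrade is accepted.
     */
    static boolean mayFollowRedirect(URI from, String locationHeader) {
        URI to = from.resolve(locationHeader); // the Location value may be relative
        if (to.getHost() == null || !to.getHost().equalsIgnoreCase(from.getHost())) {
            return false;
        }
        boolean downgrade = "https".equalsIgnoreCase(from.getScheme())
                && !"https".equalsIgnoreCase(to.getScheme());
        return !downgrade;
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed inputs; dev.example.org is a placeholder host.
        System.out.println(buildLoginUrl("http://www.openstreetmap.org", false));
        System.out.println(buildLoginUrl("http://dev.example.org:3000", true));
        URI httpLogin = new URI("http://www.openstreetmap.org/login?cookie_test=true");
        URI httpsLogin = new URI("https://www.openstreetmap.org/login?cookie_test=true");
        System.out.println(mayFollowRedirect(httpLogin, "https://www.openstreetmap.org/login?cookie_test=true"));
        System.out.println(mayFollowRedirect(httpsLogin, "http://www.openstreetmap.org/login"));
        System.out.println(mayFollowRedirect(httpsLogin, "https://other.example.org/login"));
    }
}
```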
