| 33 | | === What does authorization mean? === |
| | 33 | === What does authentication/authorization mean? === |
| | 34 | When you upload geodata to the OSM server you have to tell the server who you are. The OSM server asks every uploading mapper to '''identify''' himself with an OSM username. The OSM server furthermore needs to '''authenticate''' this identity, i.e. to reliably determine whether the mapper is indeed who he or she claims to be. For this purpose, it asks for a password in addition to the username. The servers assumption is, that whoever knows the secret password for username xyz is reliably authenticated to ''be'' xyz. A mapper logging in with his username and password is entitled to run a broad range of operations on the server. He or she is '''authorised''' to upload data, to create changesets, to close changesets, to upload GPS traces, to read and changes personal preferences on the server, to invite others as friends, to send emails to other accounts, etc. Currently, it isn't possible to create an OSM account with an OSM username and a password with restricted rights, i.e. an account which would only be able to upload GPS traces, but not map data. Whoever has successfully '''authenticated''' with an OSM username and an OSM password is '''fully authorised''' to do everything an OSM user can do on the server. |
| | 35 | |
| | 36 | This is where OAuth comes into play: OAuth allows you to '''authorise''' somebody else to act in a restricted way on your behalf. Instead of giving away your OSM username and your OSM password, which would fully entitle the recipient to act on your behalf at the OSM server, you only give away a "ticket" on which the granted rights are listed. This ticket is called an '''Access Token'''. Restrictions applied to an Access Token include: |
| | 37 | * an Access Token is only valid for a specific client (called a Consumer in OAuth terminology), i.e. only for JOSM, but not for OpenStreetBugs |
| | 38 | * an Access Token is only valid for specific operations, i.e. only for uploading GPS traces, but not for uploading map data |
| | 39 | * an Access Token could only be valid for a certain time, i.e. only today, but this is not yet supported by the OSM server |
| | 40 | |
| | 41 | In addition to username/password pairs, the OSM server also accepts OAuth Access Tokens to authenticate and authorise a user. More specifically, it accepts requests ''signed with such a token'', but this is beyond of the scope of this online help. |
| | 42 | |
| | 43 | The OAuth Authorisation Wizard supports you to receive a valid OAuth Access Token, provided that you have an OSM username and an OSM password, or to enter and use an OAuth Access Token in JOSM, provided that you got one from somebody else who has an OSM username and an OSM password. |
