Changes between Version 3 and Version 4 of Ru:Help/Dialog/OAuthAuthorisationWizard


Timestamp:
2017-11-15T11:42:09+01:00 (8 years ago)
Author:
ak099
Comment:

--

  • Ru:Help/Dialog/OAuthAuthorisationWizard

    v3 v4  
    1 [[TranslatedPages(revision=20)]]
     1[[TranslatedPages(revision=33,outdated=Перевод пока не завершён)]]
    22= Мастер авторизации OAuth =
    3 [[TOC(inline)]]
     3[[PageOutline(2-10,Содержание)]]
    44
    5 == OAuth in a nutshell ==
    6 [http://oauth.net/ OAuth] is an open protocol to allow secure API authorization  in a simple and standard method from desktop and web applications.
     5== Что такое OAuth ==
     6[http://oauth.net/ OAuth] — это открытый протокол, обеспечивающий API для безопасной авторизации простым и стандартным методом как с персонального компьютера, так и из веб-приложений.
    77
    8 === Standard use case - keep your OSM password private ===
    9 The standard use case in OSM for OAuth is to keep your OSM password more private than with Basic Authentication.
     8=== Стандартный случай использования — безопасное хранение вашего пароля OSM ===
     9Стандартное использование OAuth в OSM — для хранения вашего пароля к OSM более защищённым, чем при обычной аутентификации.
    1010
    11 OAuth has two major advantages over Basic Authentication:
    12   1. Your OSM password doesn't have to be saved in clear text in the JOSM preferences file.
    13   2. Your OSM password has to be transferred '''only once''' over the Internet, in contrast to basic authentication where your OSM password is trasferred as part of every request sent from JOSM to the OSM server.
     11OAuth имеет два больших преимущества по сравнению с обычной аутентификацией:
     12 1. Пароль к OSM не хранится в виде открытого текста в файле настроек JOSM.
     13 1. Ваш пароль передаётся через Интернет '''только один раз''' через '''защищённое соединение''', в то время, как при обычной аутентификации пароль передаётся открытым текстом как часть каждого запроса из JOSM к серверу OSM.
    1414
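Review bot: The new item 2 (v4 line 13) says the OSM password travels once "через защищённое соединение" while Basic Authentication sends it "открытым текстом" with every request; neither qualifier is in the English line it replaces, and the two claims sit awkwardly together, since a protected connection would cover Basic Authentication requests as well. Suggest keeping the contrast the English makes (once versus every request) and stating the transport protection in a separate sentence, or confirming both qualifiers against the English revision named in TranslatedPages(revision=33).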
    15 {{{
    16 #!html
    17 <p style="background-color:rgb(253,255,221);padding: 10pt; border-color:rgb(128,128,128);border-style: solid; border-width: 1px;">
    18 <strong>Warning!</strong><br/>
    19 Currently, the OSM server doesn't offer a secure communication channel. Even if you use OAuth your password is therefore transferred <strong>once in clear text</strong> over the Internet. <strong>Do not use a valuable password</strong> until the OSM server provides a secure communication channel (HTTPS).
    20 </p>
    21 }}}
     15В терминологии OAuth, пользователь JOSM авторизует (санкционирует) JOSM получать доступ к серверу OSM в интересах пользователя. Во время процесса авторизации пароль OSM не нужно вводить в диалоговом окне JOSM, если пользователь не полностью доверяет JOSM (разве что из соображений удобства [wiki:/Ru:Help/Dialog/OAuthAuthorisationWizard#FullyAutomaticAuthorisation см. здесь]). Вместо этого, сервер OSM выпускает маркер доступа (токен), который JOSM будет предъявлять серверу OSM при отправке данных. Маркер доступа не раскрывает пароль пользователя и его можно отозвать в любое время.
    2216
    23 In OAuth terminology, a JOSM user authorises JOSM to access the OSM server on his behalf. During the authorisation process he never has to enter his OSM password into a JOSM dialog if he or she doesn't fully trust JOSM (unless he wants to for convenience reasons [wiki:/Help/Dialog/OAuthAuthorisationWizard#FullyAutomaticAuthorisation see here]). Rather, the OSM server issues an Access Token which JOSM presents to the OSM server when it uploads data on behalf of the user. Access Tokens don't reveal the users password and they can be revoked at any time.
     17=== Более сложный случай использования — делегирование доступа другим картографам ===
     18Более сложное использование OAuth — для делегирования доступа к вашей учетной записи в OSM другим пользователям. OAuth позволяет при необходимости предоставлять другому пользователю ограниченный доступ к вашему аккаунту.
    2419
    25 === Advanced use case - delegate access to other mappers ===
    26 A more advanced use case for OAuth is to delegate access to your OSM account to other mappers. OAuth allows you to grant another user restricted access to your account if necessary.
    27 
    28 Example: Mapper A can grant mapper B the right to download its private GPS traces from the OSM website. Mapper A would generate an OAuth Access Token and restrict to the privilege "Download my private GPS traces". He would then send an email with the Access Token to mapper B. B can enter the Access Token in JOSM and he is now allowed to download A's private GPS traces from the OSM server. He wouldn't be allowed to upload date on A's behalf, though, and he doesn't know A's OSM password. At any time, A can revoke the Access Token issued for B.
     20Пример: картограф A может доверить картографу Б право скачивать его приватные GPS-треки с веб-сайта OSM. Картограф A генерирует маркер доступа OAuth и ограничивает его права до  "Разрешить загружать свои GPS-треки". Затем он отправляет по электронной почте свой маркер картографу Б. Тот вводит маркер доступа в JOSM и после этого получает право скачивать приватные треки картографа A с сервера OSM. Но он не может отправлять данные от имени A и не знает его пароль к OSM. В любое время A может отозвать (аннулировать) маркер доступа, выпущенный для Б.
    2921
    3022
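Review bot: In the delegation example (v4 line 20) the privilege label is rendered as "Разрешить загружать свои GPS-треки", where the English has "Download my private GPS traces": "загружать" can be read as uploading, "private" is dropped, and the very next sentence uses "скачивать приватные треки" for the same right. Suggest using "скачивать" and "приватные" in the label too, so a reader restricting a token picks the read-only right, and remove the doubled space before the opening quote.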
    31 == The OAuth Authorisation Wizard ==
     23== Мастер авторизации OAuth ==
     24Мастер авторизации Oauth расположен в секции [Preferences/Connection Параметры соединения] настроек JOSM.
    3225
    33 === What does authentication/authorization mean? ===
    34 When you upload geodata to the OSM server you have to tell the server who you are. The OSM server asks every uploading mapper to '''identify''' himself with an OSM username. The OSM server furthermore needs to '''authenticate''' this identity, i.e. to reliably determine whether the mapper is indeed who he or she claims to be. For this purpose, it asks for a password in addition to the username. The servers assumption is, that whoever knows the secret password for username xyz is reliably authenticated to ''be'' xyz. A mapper logging in with his username and password is entitled to run a broad range of operations on the server. He or she is '''authorised''' to upload data, to create changesets, to close changesets, to upload GPS traces, to read and changes personal preferences on the server, to invite others as friends, to send emails to other accounts, etc. Currently, it isn't possible to create an OSM account with an OSM username and a password with restricted rights, i.e. an account which would only be able to upload GPS traces, but not map data. Whoever has successfully '''authenticated''' with an OSM username and an OSM password is '''fully authorised''' to do everything an OSM user can do on the server.
     26=== Что означает аутентификация/авторизация? ===
     27Когда вы отправляете геоданные на сервер OSM, вы сообщаете серверу, кто вы такой. Сервер OSM '''идентифицирует''' каждого присылающего данные картографа, запрашивая его имя пользователя OSM. Затем серверу OSM необходимо '''аутентифицировать''' его личность, т.е. надёжно определить — тот ли он, за кого себя выдаёт. Для этой цели он запрашивает пароль в дополнение к имени пользователя. Сервер подразумевает, что тот, кто знает секретный пароль для имени пользователя xyz — ''это и есть'' xyz. Картографу, вошедшему с аутентифицированным именем пользователя и паролем, предоставляются весьма широкий круг действий на сервере. Ему '''авторизовано''' право присылать данные, создавать пакеты правок, закрывать пакеты правок, присылать GPS-треки, читать и изменять персональные настройки на сервере, приглашать других людей в качестве друзей, отправлять почтовые сообщения другим учётным записям, и т.п. В настоящее время невозможно создать учётную запись OSM с именем пользователя и паролем, права которой были бы ограниченными, например, чтобы пользователь мог только загружать GPS-треки, но не отправлять данные. Тот, кто успешно '''аутентифицировался''', указав имя пользователя и пароль OSM, тот '''полностью авторизован''' выполнять любые доступные любому пользователю OSM действия на сервере.
    3528
    36 This is where OAuth comes into play: OAuth allows you to '''authorise''' somebody else to act in a restricted way on your behalf. Instead of giving away your OSM username and your OSM password, which would fully entitle the recipient to act on your behalf at the OSM server, you only give away a "ticket" on which the granted rights are listed. This ticket is called an '''Access Token'''. Restrictions applied to an Access Token include:
    37   * an Access Token is only valid for a specific client (called a Consumer in OAuth terminology), i.e. only for JOSM, but not for OpenStreetBugs
    38   * an Access Token is only valid for specific operations, i.e. only for uploading GPS traces, but not for uploading map data
    39   * an Access Token could only be valid for a certain time, i.e. only today, but this is not yet supported by the OSM server
     29Именно здесь вступает в игру OAuth: OAuth позволяет вам '''авторизовать''' кого-то ещё для выполнения ограниченного круга действий в ваших интересах. Вместо разглашения вашего имени пользователя и пароля OSM, которые бы позволили выполнять их получателю любые действия на сервер OSM, вы просто выдаёте ему «билет», на котором перечислены предоставляемые права. Этот «билет» и называется '''маркером доступа'''. К маркеру доступа применимы следующие ограничения:
     30  * маркер действителен лишь для определённого клиента (в терминологии OAuth — потребителя (consumer)), т.е. только для JOSM, а не для OpenStreetBugs
     31  * маркер действителен лишь для определённых операций, например, только для отправки GPS-треков, но не для отправки картографических данных
     32  * маркер действует лишь в течение определённого периода времени, например, только сегодня (но это пока не поддерживается сервером OSM)
    4033
    4134In addition to username/password pairs, the OSM server also accepts OAuth Access Tokens to authenticate and authorise a user. More specifically, it accepts requests ''signed with such a token'', but this is beyond of the scope of this online help.
    4235
    43 The OAuth Authorisation Wizard supports you to receive a valid OAuth Access Token, provided that you have an OSM username and an OSM password, or to enter and use an OAuth Access Token in JOSM, provided that you got one from somebody else who has an OSM username and an OSM password.
     36The OAuth Authorisation Wizard allows you to receive a valid OAuth Access Token, provided that you have an OSM username and OSM password, or to enter and use an OAuth Access Token in JOSM, provided that you got one from somebody else who has an OSM username and an OSM password.
    4437
    45 === Fully automatic authorization process ===
     38=== Fully automatic authorisation process ===#FullyAutomaticAuthorisation
    4639The easiest way to get an Access Token is to let JOSM fully automatically retrieve one from the OSM server.
    4740
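Review bot: The explicit anchor on v4 line 38 is attached with no space ("===#FullyAutomaticAuthorisation"), while the existing heading at v4 line 76 writes "==== #FullyAutomaticAdvanced" with one. The new link added at v4 line 15 depends on this id, so suggest matching the spaced form used elsewhere on the page and checking that the link resolves in the rendered page.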
    48  1. '''Step 1/2'''  - Get the Access Token
     411. '''Step 1/3'''  - Open the preferences dialog
    4942
    50     Enter your OSM username and your OSM password and click on '''Authorise now'''.
     43    Click on the '''Preferences''' button in the toolbar. In the dialog, select the [wiki:Help/Preferences/Connection Connection Setting] tab.
     44
     452. '''Step 2/3'''  - Get the Access Token
     46
     47 Enter your OSM username and your OSM password and click on '''Authorise now'''.
    5148   
    52     [[Image(Help/Dialog/OAuthAuthorisationWizard:fully-authomatic-1.png)]]
     49 [[Image(fully-authomatic-1.png)]]
    5350
    54  2. '''Step 2/2''' - Accept the Access Token
     513. '''Step 3/3''' - Accept the Access Token
    5552
    56     JOSM displays the retrieved Access Token. Click on '''Accept Access Token''' to accept it.
     53 JOSM displays the retrieved Access Token.
    5754   
    58     [[Image(Help/Dialog/OAuthAuthorisationWizard:fully-authomatic-2.png)]]
     55 [[Image(fully-authomatic-2.png)]]
     56
     57* Deselect the checkbox Save to preferences if you don't want to save the Access Token in the JOSM preferences. If you don't save it the Access Token will be lost when you close JOSM. If you later startup JOSM again you will have to retrieve a new Access Token to work with OAuth based authentication again.
     58* Click on ''Test Access Token" to test the token
     59* Click on '''Accept Access Token''' to accept it.
    5960
    6061==== Restricting the granted privileges ====
    6162When JOSM fully-automatically requests and authorises an Access Token, it grants it five privileges:
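Review bot: On v4 line 58 the button name opens with two apostrophes and closes with a double quote (''Test Access Token"), so the italic markup is never closed, and the sentence has no full stop; the other buttons on the page use bold, as in '''Accept Access Token'''. Suggest '''Test Access Token''' and bolding "Save to preferences" on v4 line 57 the same way. The three bullets also start at column 0 while the text of step 3/3 above them is indented, so it is worth checking that they still render as part of that step.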
    62   * the right to upload data to the OSM server
    63   * the right to upload GPS traces to the OSM server
    64   * the right to download private GPS traces from the OSM server
    65   * the right to read the preferences stored on the OSM server
    66   * the right to write preferences stored on the OSM server
     63* the right to upload data to the OSM server
     64* the right to upload GPS traces to the OSM server
     65* the right to download private GPS traces from the OSM server
     66* the right to read the preferences stored on the OSM server
     67* the right to write preferences stored on the OSM server
    6768
    68 These are the default settings. If you want to restrict the granted privileges
     69These are the default settings. If you want to restrict the granted privileges:
    6970
    70   1. Click the tab '''Granted rights'''
    71   2. Deselect each privilege which should not be granted to the requested Access Token
     711. Click the tab '''Granted rights'''
     721. Deselect each privilege which should not be granted to the requested Access Token
    7273
    73     [[Image(Help/Dialog/OAuthAuthorisationWizard:fully-authomatic-privileges.png)]]
     74[[Image(fully-authomatic-privileges.png)]]
    7475
    7576==== Advanced OAuth parameters ==== #FullyAutomaticAdvanced
    76 When JOSM fully-automatically requests and authorises an Access Token, it uses default values for the OAuth parameters. Advanced users may want to change these parameters
    77  * in order to use a different Consumer Token (consisting of a Consumer Key and a Consumer Secret). This allows you to create your own Consumer Token for JOSM and then use it in JOSM.
    78  * in order to use it on a different than the standard OSM server. For instance, this allows users to use OAuth with a OSM development server or with a local installation of the OSM server application.
     77When JOSM fully-automatically requests and authorises an [https://oauth.net/core/1.0/#anchor3 Access Token], it uses default values for the OAuth parameters. Advanced users may want to change these parameters
     78* in order to use a different Consumer Token (consisting of a Consumer Key and a Consumer Secret). This allows you to create your own Consumer Token for JOSM and then use it in JOSM.
     79* in order to use it on a different than the standard OSM server. For instance, this allows users to use OAuth with an OSM development server or with a local installation of the OSM server application.
    7980
    8081In order to edit the Advanced OAuth parameters
    8182
    82   1. Click the tab '''Advanced OAuth parameters'''
    83   2. Deselect the checkbox '''Use default settings'''
    84   3. Enter your values for the five OAuth parameters
     83 1. Click the tab '''Advanced OAuth parameters'''
     84 1. Deselect the checkbox '''Use default settings'''
     85 1. Enter your values for the five OAuth parameters
    8586
    86       [[Image(Help/Dialog/OAuthAuthorisationWizard:fully-automatic-advanced.png)]]
     87[[Image(fully-automatic-advanced.png)]]
    8788
    88 === Semi-automatic authorization process ===
    89 You can also retrieve an Access Token semi-automatically. If you use this process you have to use both dialogs in JOSM and the OSM website launched in an external browser to create and authorise the Access Token. In contrast to the fully automatic process you never have to enter your OSM username or your OSM password into a JOSM dialog. This process is therefore suitable for user which - for whatever reason - never want to use their OSM password outside of the OSM website. Note however, that the semi-automatic process is '''not''' significantely more secure  than the fully automatic process. Your OSM password will be transferred in cleartext over the Internet, too, because the OSM website currently doesn't provide a login page protected by HTTPS. The fully automatic process runs exactly the same steps you run manually in the semi-automatic process, just without your intervention.
     89=== Semi-automatic authorisation process ===#Semi-automaticauthorisationprocess
     90You can also retrieve an Access Token semi-automatically. If you use this process you have to use both dialogs in JOSM and the OSM website launched in an external browser to create and authorise the Access Token. In contrast to the fully automatic process you never have to enter your OSM username or your OSM password into a JOSM dialog. This process is therefore suitable for a user which - for whatever reason - never wants to use their OSM password outside of the secure login page of the OSM website. The fully automatic process runs exactly the same steps that would run manually in the semi-automatic process, just without your intervention.
    9091
    9192
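Review bot: The rewritten paragraph on v4 line 90 has two wording slips: "a user which ... never wants to use their OSM password" should read "a user who", and "the same steps that would run manually" lost its subject when "you run manually" was changed; suggest "the same steps you would run manually". The change also drops the sentence saying the semi-automatic process is not significantly more secure than the fully automatic one; if that comparison still holds once the login page is secure, keep it without the cleartext remark, since readers choosing between the two processes rely on it.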
    92  1. '''Step 1/3'''  - Get the Request Token
     931. '''Step 1/3''' - Get the Request Token
    9394
    94    Click on '''Retrieve Request Token''' to retrieve an OAuth Request Token.
     95 Click on '''Retrieve Request Token''' to retrieve an OAuth Request Token.
    9596   
    96     [[Image(Help/Dialog/OAuthAuthorisationWizard:semi-automatic-step-1.png)]]
     97 [[Image(semi-automatic-step-1.png)]]
    9798
    98  2. '''Step 2/3''' - Authorise the Request Token in an external browser
     992. '''Step 2/3''' - Authorise the Request Token in an external browser
    99100
    100     JOSM now launches an external browser with the OSM website. Please login and follow the instructions. Then switch back to the OAuth Authorisation Wizard and click on '''Retrieve Access Token'''.
     101 JOSM now launches an external browser with the OSM website. Please login and follow the instructions. Then switch back to the OAuth Authorisation Wizard and click on '''Retrieve Access Token'''.
    101102   
    102     [[Image(Help/Dialog/OAuthAuthorisationWizard:semi-automatic-step-2.png)]]
     103 [[Image(semi-automatic-step-2.png)]]
    103104
    104  2. '''Step 3/3''' - Accept the Access Token
     1053. '''Step 3/3''' - Accept the Access Token
    105106
    106     JOSM displays the retrieved Access Token. Click on '''Accept Access Token''' to accept it.
     107 JOSM displays the retrieved Access Token. Click on '''Accept Access Token''' to accept it.
    107108   
    108     [[Image(Help/Dialog/OAuthAuthorisationWizard:semi-automatic-step-3.png)]]
     109 [[Image(semi-automatic-step-3.png)]]
    109110
    110111
    111 ==== Advanced OAuth parameters ====
     112==== Advanced OAuth parameters ==== #AdvancedOAuthparameters
    112113When JOSM semi-automatically requests and authorises an Access Token, it uses default values for the OAuth parameters. Advanced users may want to change these parameters
    113  * in order to use a different Consumer Token (consisting of a Consumer Key and a Consumer Secret). This allows you to create your own Consumer Token for JOSM and then use it in JOSM.
    114  * in order to use it on a different than the standard OSM server. For instance, this allows users to use OAuth with a OSM development server or with a local installation of the OSM server application.
     114* in order to use a different Consumer Token (consisting of a Consumer Key and a Consumer Secret). This allows you to create your own Consumer Token for JOSM and then use it in JOSM.
     115* in order to use it on a different than the standard OSM server. For instance, this allows users to use OAuth with an OSM development server or with a local installation of the OSM server application.
    115116
    116117In order to edit the Advanced OAuth parameters
    117118
    118   1. Select the checkbox '''Display Advanced OAuth Parameters'''
    119   2. Enter your values for the five OAuth parameters
     119 1. Select the checkbox '''Display Advanced OAuth Parameters'''
     120 1. Enter your values for the five OAuth parameters
    120121
    121   [[Image(Help/Dialog/OAuthAuthorisationWizard:semi-automatic-advanced.png)]]
     122[[Image(semi-automatic-advanced.png)]]
    122123
    123 === Manual authorization process ===
     124=== Manual authorisation process ===
    124125The manual authorisation process allows you to enter an arbitrary Access Token. You can use this process
    125126
    126   * to enter an Access Token you have kept in a secure place, for instance in a secure store for credentials
    127   * to enter an Access Token you have received from somebody else, for instance from another mapper who granted you restricted access to his OSM account
     127* to enter an Access Token you have kept in a secure place, for instance in a secure store for credentials
     128* to enter an Access Token you have received from somebody else, for instance from another mapper who granted you restricted account access
    128129
    129  1. '''Step 1/1'''  - Enter the Access Token and accept it
     1301. '''Step 1/1'''  - Enter the Access Token and accept it
    130131
    131    Enter the Access Token and click on '''Accept Access Token'''.
     132 Enter the Access Token and click on '''Accept Access Token'''.
    132133
    133   [[Image(Help/Dialog/OAuthAuthorisationWizard:manual.png)]]
     134 [[Image(manual.png)]]
    134135 
    135136
    136137==== Advanced OAuth parameters ====
    137  * See [wiki:/Help/Dialog/OAuthAuthorisationWizard#FullyAutomaticAdvanced advanced preferences in the fully automatic process].
     138* See [wiki:/Help/Dialog/OAuthAuthorisationWizard#FullyAutomaticAdvanced advanced preferences in the fully automatic process].
    138139
     140== Troubleshooting ==
     141* If you are working on a university or corporate network, a firewall may prevent the OAuth authentification request.[[BR]]
     142 Please check the corresponding connection with your network engineer.
     143----
     144Back to [wiki:/Help/Preferences/Connection Connection settings][[Br]]
     145Back to [wiki:Help Main Help]
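Review bot: In the new Troubleshooting section (v4 line 141) "authentification" is a misspelling; the rest of the page calls this step authorisation, so suggest "the OAuth authorisation request". The advice on v4 line 142 to "check the corresponding connection" does not say which connection; naming it, presumably the connection from JOSM to the OSM server, would give the network engineer something to act on. The macro is also written [[BR]] on v4 line 141 and [[Br]] on line 144; pick one spelling.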