Remove support for OAuth 1.0a and Basic Auth

Question

Remove support for OAuth 1.0a and Basic Auth

Closed this issue 6 months ago · 12 comments

mmd-osm commented 2 years ago

Now that JOSM also has some support for OAuth 2, it’s time to consider removing OAuth 1.0a in the next CGImap release.

Target timeframe: Q4/23 or Q1/24.

Answer 1 · 2023-02-26T09:26:10.000Z

Are there plans to remove it for the entire site? Lots of things still use 1.0a

Answer 2 · 2023-02-26T10:46:31.000Z

Uhhhh...

JOSM is not the only one tool in OSM ecosystem to use OAuth. There are hundreds of apps, websites, desktop software that also needs to authenticate. And before we know that at least a half of these switched to OAuth 2, we should not turn 1.0a off. Please.

Answer 3 · 2023-02-26T10:53:18.000Z

Whilst I agree that this needs to be carefully planned I don't think a metric like that is going to work.

We could certainly count how many OAuth 1 clients are being used but that tells us very little - is a client that is being used simply defunct or has it switched to OAuth 2? What about clients like JOSM that support both and not all users have switched so both are in use? Without a way of linking OAuth 1 and 2 client IDs we can't begin to know when a client has switched.

On top of which there is going to be a very long tail so 50% of clients will be a miniscule proportion of actual use.

Answer 4 · 2023-02-26T11:00:31.000Z

There are some people using linux distro editors like
https://packages.debian.org/bullseye/josm

Answer 5 · 2023-02-26T11:44:41.000Z

My point is, why disable 1.0 at all?

Answer 6 · 2023-02-26T12:31:06.000Z

I think the plan has always been to get rid of OAuth 1.0a at one point (cf. openstreetmap/openstreetmap-website#3177 (comment)), in particular now that we have OAuth 2 since almost two years as an alternative.

For CGImap it’s definitely reducing technical debt, both in terms of code as well as external dependencies. This is a very important concern for long term maintainability of the code. I’m sure there are similar reasons on Rails.

Answer 7 · 2023-02-26T22:53:27.000Z

If this were merged before OAuth 1.0a is turned off by admins, this would require directing calls currently handled by cgimap to the rails port based on the type of authentication used, which seems like a bad idea.

Answer 8 · 2023-02-27T06:41:48.000Z

Like today, admins can decide when to deploy a new cgimap version to production. So merging would only impact the dev instance (which could be avoided by setting up a new dedicated cgimap instance based on a test branch).

Although this is at least 6-12 months away, some planning and coordination of efforts for sure needs to happen. This issue only covers the CGImap bit.

Answer 9 · 2023-03-19T09:55:05.000Z

Adding a link to the official OWG announcemnt: https://www.openstreetmap.org/user/pnorman/diary/401157

Thanks @pnorman for taking care of it.

Prometheus monitoring: https://prometheus.openstreetmap.org/d/5rTT87FMk/web-site?orgId=1&refresh=1m&viewPanel=26

Answer 10 · 2023-03-19T11:04:15.000Z

Adding a link to the official OWG announcemnt: https://www.openstreetmap.org/user/pnorman/diary/401157

We discussed it on the last OWG call. We are preparing and measuring, we have not yet made an official depreciation notice with a timeline. Just "at risk" for now. ;-)

Answer 11 · 2023-03-19T11:16:27.000Z

That's fine for now. I started looking into some more details, and it turned out that around 2500 LOC that mostly only Matt knows could be removed.

First iteration: https://github.com/mmd-osm/openstreetmap-cgimap/tree/patch/removeoauth1

Answer 12 · 2023-04-07T13:03:03.000Z

Since OWG proposes to deprecate Basic Auth as well, I have included this change in this issue.