zerebubuth/openstreetmap-cgimap

Remove support for OAuth 1.0a and Basic Auth

mmd-osm opened this issue · 12 comments

Now that JOSM also has some support for OAuth 2, it’s time to consider removing OAuth 1.0a in the next CGImap release.

Target timeframe: Q4/23 or Q1/24.

Are there plans to remove it for the entire site? Lots of things still use 1.0a

Uhhhh...

JOSM is not the only tool in the OSM ecosystem to use OAuth. There are hundreds of apps, websites and desktop programs that also need to authenticate. And before we know that at least a half of these switched to OAuth 2, we should not turn 1.0a off. Please.

Whilst I agree that this needs to be carefully planned I don't think a metric like that is going to work.

We could certainly count how many OAuth 1 clients are being used, but that tells us very little: is a client that is being used simply defunct, or has it switched to OAuth 2? What about clients like JOSM that support both, where not all users have switched, so both are in use? Without a way of linking OAuth 1 and 2 client IDs we can't begin to know when a client has switched.

On top of which there is going to be a very long tail, so 50% of clients will be a minuscule proportion of actual use.

There are some people using linux distro editors like
https://packages.debian.org/bullseye/josm

My point is, why disable 1.0 at all?

I think the plan has always been to get rid of OAuth 1.0a at one point (cf. openstreetmap/openstreetmap-website#3177 (comment)), in particular now that we have had OAuth 2 for almost two years as an alternative.

For CGImap it’s definitely reducing technical debt, both in terms of code as well as external dependencies. This is a very important concern for long term maintainability of the code. I’m sure there are similar reasons on Rails.

If this were merged before OAuth 1.0a is turned off by admins, this would require directing calls currently handled by cgimap to the rails port based on the type of authentication used, which seems like a bad idea.

Like today, admins can decide when to deploy a new cgimap version to production. So merging would only impact the dev instance (which could be avoided by setting up a new dedicated cgimap instance based on a test branch).

Although this is at least 6-12 months away, some planning and coordination of efforts for sure needs to happen. This issue only covers the CGImap bit.

Adding a link to the official OWG announcement: https://www.openstreetmap.org/user/pnorman/diary/401157

We discussed it on the last OWG call. We are preparing and measuring; we have not yet made an official deprecation notice with a timeline. Just "at risk" for now. ;-)
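The "measuring" mentioned in the OWG comment above, and the counting problem raised earlier in the thread (a client that supports both schemes shows up under two unlinked identities), as an added example that is not part of this issue or of CGImap's own code. It classifies API requests by the scheme in their Authorization header and reports the share of traffic still on OAuth 1.0a and Basic Auth. The request records and client names are constructed; the OAuth 1.0a parsing relies only on the oauth_consumer_key parameter from RFC 5849, and an OAuth 2 Bearer token is treated as opaque, which is exactly why the two cannot be linked from the request alone.

```python
"""Classify API requests by Authorization scheme to measure how much traffic
still depends on OAuth 1.0a and Basic Auth before turning them off.

Added example, not CGImap project code. Records and client names are constructed."""
import re
from collections import Counter

# OAuth 1.0a (RFC 5849) puts the consumer key in the Authorization header params.
_OAUTH1_KEY = re.compile(r'oauth_consumer_key="([^"]+)"')


def classify_auth(header: str):
    """Return (scheme, client_id) for an Authorization header value.

    scheme is one of 'oauth1', 'oauth2', 'basic', 'none', 'unknown'.
    client_id is the OAuth 1.0a consumer key when present. Bearer tokens are
    opaque here (the client behind them is only known server-side), and Basic
    credentials are deliberately never decoded."""
    if not header or not header.strip():
        return "none", None
    scheme, _, rest = header.strip().partition(" ")
    s = scheme.lower()
    if s == "oauth":
        m = _OAUTH1_KEY.search(rest)
        return "oauth1", (m.group(1) if m else None)
    if s == "bearer":
        return "oauth2", None
    if s == "basic":
        return "basic", None
    return "unknown", None


# Constructed sample: (method, path, Authorization header value).
SAMPLE_REQUESTS = [
    ("GET", "/api/0.6/map",
     'OAuth oauth_consumer_key="josm-legacy-key", oauth_token="t1", oauth_signature="sig"'),
    ("PUT", "/api/0.6/changeset/create",
     'OAuth oauth_consumer_key="josm-legacy-key", oauth_token="t2", oauth_signature="sig"'),
    ("GET", "/api/0.6/map", "Bearer opaque-access-token-1"),
    ("PUT", "/api/0.6/changeset/create", "Bearer opaque-access-token-2"),
    ("PUT", "/api/0.6/changeset/create", "Basic dXNlcjpwYXNz"),
    ("GET", "/api/0.6/map", ""),
    ("GET", "/api/0.6/map",
     'OAuth oauth_consumer_key="old-webapp", oauth_token="t3", oauth_signature="sig"'),
]


def summarise(requests):
    """Count requests per scheme and per OAuth 1.0a consumer key.

    Reports both the request share and the distinct-client count, because a
    long tail of rarely used clients makes the two numbers diverge."""
    by_scheme = Counter()
    oauth1_clients = Counter()
    for _method, _path, auth in requests:
        scheme, client = classify_auth(auth)
        by_scheme[scheme] += 1
        if scheme == "oauth1" and client:
            oauth1_clients[client] += 1
    total = sum(by_scheme.values())
    return {
        "total": total,
        "by_scheme": dict(by_scheme),
        "oauth1_share": by_scheme["oauth1"] / total if total else 0.0,
        "basic_share": by_scheme["basic"] / total if total else 0.0,
        "oauth1_clients": dict(oauth1_clients),
        "oauth1_client_count": len(oauth1_clients),
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_REQUESTS)
    print(f"{report['total']} requests; OAuth 1.0a share {report['oauth1_share']:.0%}, "
          f"Basic share {report['basic_share']:.0%}")
    for key, n in sorted(report["oauth1_clients"].items(), key=lambda kv: -kv[1]):
        print(f"  OAuth 1.0a consumer {key}: {n} request(s)")
```

On real traffic the input would come from the web server or CGImap access logs rather than the constructed list; the point the thread makes still holds: the OAuth 1.0a consumer key "josm-legacy-key" and the Bearer tokens may belong to the same application, but nothing in the requests ties them together, so a falling OAuth 1.0a count is the usable signal, not a per-client migration status.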

That's fine for now. I started looking into some more details, and it turned out that around 2500 LOC that mostly only Matt knows could be removed.

First iteration: https://github.com/mmd-osm/openstreetmap-cgimap/tree/patch/removeoauth1

Since OWG proposes to deprecate Basic Auth as well, I have included this change in this issue.