OAuth 1.0a and HTTP Basic Auth shutdown

The Operations Working Group is shutting down OAuth 1.0a and HTTP Basic Auth in 2024. They have been deprecated since 2023, and their role in authorization has been replaced by OAuth 2.0, which is the standard authorization method for most systems. This change has three key dates:

  • March 1st, 2024: New OAuth 1.0a application registrations are disabled. Existing applications will not be impacted. HTTP Basic Auth will not be impacted.
  • May 1st, 2024: Sysadmins will start brownouts to find applications that are still using OAuth 1.0a or HTTP Basic Auth.
  • June 1st, 2024: OAuth 1.0a and HTTP Basic Auth will be shut down.

This change is necessary because of the complexity of maintaining so many authorization implementations, including ones that rely on unmaintained components, and because of security concerns.

What does this mean to me, as a non-technical person?

Most mappers will notice no change. This will not change how you log in to your OSM account or how you use the website. iD and JOSM have supported OAuth 2.0 for some time as the default. If you use your OSM account to log on to a third-party site like the HOT Tasking Manager, MapRoulette, or HDYC you will not be affected as those sites have already moved to OAuth 2.0. Read-only API access does not require authorization at all.

I’m a developer, what do I need to change?

If you are a developer, you might need to make some changes, but OAuth 2 is an industry standard and well-supported.

If your application only makes read calls to the API, authorization is optional. It can still be a good idea to add authorization to your requests for rate-limiting reasons, but it is not required. If your application is a website using OSM for logins, OAuth 2.0 is much easier because it is much better supported, since so many other sites use it. It also avoids problems like users ending up with many tokens in their list on the website.

If you are developing software that edits using the API and is run locally, you may need to make code changes. All common languages have libraries that deal with OAuth 2, and libraries are the preferred choice for any authorization. If you decide not to use a library, there are multiple options to choose from. Zverik wrote a library for command-line tools that can handle authorization, or if you want to do it completely yourself it can be done in about a dozen lines of shell script.
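As an added illustration (not part of the original post, and not Zverik's library), here is the OAuth 2.0 authorization-code flow for a locally run editing tool in POSIX shell with curl. It assumes OSM's OAuth 2.0 endpoints are `/oauth2/authorize` and `/oauth2/token`, that the application was registered with the out-of-band redirect URI `urn:ietf:wg:oauth:2.0:oob` and the `write_api` scope, and that the token response is compact JSON with an `access_token` field.

```shell
#!/bin/sh
# Added example, not code from the original post. ASSUMPTIONS (not stated on
# the page): OSM's OAuth 2.0 endpoints are /oauth2/authorize and /oauth2/token,
# the app is registered with redirect URI urn:ietf:wg:oauth:2.0:oob (the code
# is shown to the user to copy back), and the scope names are read_prefs/write_api.
OSM_BASE="${OSM_BASE:-https://www.openstreetmap.org}"
REDIRECT_URI="urn:ietf:wg:oauth:2.0:oob"
SCOPE="read_prefs write_api"

# Percent-encode the characters that matter inside a query-string value.
urlencode() {
  printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/ /%20/g' -e 's/:/%3A/g' -e 's/\//%2F/g' -e 's/&/%26/g' -e 's/=/%3D/g' -e 's/+/%2B/g'
}

# Step 1: the URL the user opens in a browser to grant access ($1 client_id, $2 state).
authorize_url() {
  printf '%s/oauth2/authorize?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&state=%s\n' \
    "$OSM_BASE" "$(urlencode "$1")" "$(urlencode "$REDIRECT_URI")" "$(urlencode "$SCOPE")" "$(urlencode "$2")"
}

# Step 2: pull `code` out of what the user pasted back (bare code or full redirect
# URL) and refuse the exchange if the echoed `state` does not match ($2).
extract_code() {
  case "$1" in
    *code=*) code=$(printf '%s' "$1" | sed -n 's/.*[?&]code=\([^&]*\).*/\1/p')
             st=$(printf '%s' "$1" | sed -n 's/.*[?&]state=\([^&]*\).*/\1/p')
             [ "$st" = "$2" ] || return 1 ;;
    *)       code=$1 ;;
  esac
  printf '%s\n' "$code"
}

# Step 3: exchange the code for a bearer token (network call; the client secret
# travels in the POST body, never in a URL). $1 client_id, $2 client_secret, $3 code.
fetch_token() {
  curl -sS -X POST "$OSM_BASE/oauth2/token" \
    --data-urlencode grant_type=authorization_code \
    --data-urlencode "client_id=$1" --data-urlencode "client_secret=$2" \
    --data-urlencode "code=$3" --data-urlencode "redirect_uri=$REDIRECT_URI" |
    sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

main() {
  state=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')   # CSRF guard for the redirect
  printf 'Open this URL and authorize the app:\n%s\n' "$(authorize_url "$OSM_CLIENT_ID" "$state")"
  printf 'Paste the code (or the full redirect URL): '
  read -r pasted
  code=$(extract_code "$pasted" "$state") || { echo 'state mismatch, aborting' >&2; exit 1; }
  fetch_token "$OSM_CLIENT_ID" "$OSM_CLIENT_SECRET" "$code"   # prints the token; store it safely
}
if [ -n "${OSM_CLIENT_ID:-}" ]; then main; fi
```

Run it with `OSM_CLIENT_ID` and `OSM_CLIENT_SECRET` exported; the token it prints goes in an `Authorization: Bearer` header on subsequent API requests.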

You should be able to find lots of examples of OAuth 2 client implementations in your language by searching online. If you want technical details on the change, there is a ticket on GitHub. Please take any technical concerns there.


This discussion topic accompanies the post at https://community.openstreetmap.org/t/oauth-1-0a-and-http-basic-auth-shutdown/108490