### Description

OSM `access_token`s don't have an expiry, but the `id_token`, which is generated when the `openid` scope is enabled, has an expiry of 2 minutes. Making the `id_token` also never expire seems to me more problematic than no expiry for the `access_token`, because an `id_token` cannot be revoked; hence it is important to have a short expiry. But with a short expiry the `id_token` is not very useful, and it would complicate authentication against 3rd-party services. Instead I think it is better to enable the refresh token on OSM when the `openid` scope is enabled for an app, which allows apps to refresh the `id_token` by calling `/oauth/token` using the refresh token. This way an app can refresh the `id_token` at any time and send it to a 3rd-party service, which can authenticate the user.
### How has this been tested?

Added unit tests, and tested manually on my machine; also verified that calling `/oauth/token` with a refresh token works and produces a fresh `id_token`.

### More details

My main goal for how to use this is the following. Mobile apps such as EveryDoor, StreetComplete, ... can add `openid` to their OAuth application scopes. That will result in getting an `id_token` property in the JSON from osm.org/oauth/token that can be passed to Panoramax as `Authorization: Bearer jwt_token_that_osm.org/oauth/token_returned_in_id_token_field` when uploading photos. This will allow the Panoramax API to use [https://www.openstreetmap.org/oauth2/discovery/keys](https://www.openstreetmap.org/oauth2/discovery/keys), which has the public key stored that can be used to verify the `id_token` and authenticate the user. So from the user's perspective no additional logins or anything else need to be done against the Panoramax service. Another nice thing about sending an OpenID Connect ID token is that even if the Panoramax service is compromised, this token is only useful to confirm that this user did the action; it does not give Panoramax any authorization to do anything against the osm.org API. With this PR, a mobile app will be able to fetch a fresh `id_token` at any time and send it to the Panoramax service, which can authenticate the user as long as the whole operation takes less than 2 minutes, which should be plenty.
You can view, comment on, or merge this pull request online at:

https://github.com/openstreetmap/openstreetmap-website/pull/5497

-- Commit Summary --

* Add OAuth Refresh token when `openid` scope is used

-- File Changes --

M config/initializers/doorkeeper.rb (4)
M test/integration/oauth2_test.rb (6)

-- Patch Links --

https://github.com/openstreetmap/openstreetmap-website/pull/5497.patch
https://github.com/openstreetmap/openstreetmap-website/pull/5497.diff
_______________________________________________
rails-dev mailing list
rails-dev@openstreetmap.org
https://lists.openstreetmap.org/listinfo/rails-dev
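As an added example, not code from this PR or from the openstreetmap-website project, here is the relying-party side of the flow described in the post, written in Ruby with only the standard library: a service in Panoramax's position takes the RS256 `id_token` out of the `Authorization: Bearer` header, picks the signing key by `kid` from a JWKS document of the kind served at the discovery/keys URL, verifies the signature, and then checks `iss`, `aud` and `exp` (with a small clock-skew allowance, since the token only lives 2 minutes). The signing key, the `kid` value `example-key-1`, the client id `everydoor-example-client`, the issuer value and all claims are constructed for the example and are not OSM's real key, identifiers or token contents; the refresh call against `/oauth/token` that the app would make to obtain a fresh token is assumed to have already happened and is not shown, since it needs the live endpoint.

```ruby
require "openssl"
require "json"
require "base64"

# Everything below is constructed for this example: a throwaway RSA key that
# stands in for the provider's RS256 signing key, an assumed kid, an assumed
# issuer string, and an assumed client id for the mobile app.
SIGNING_KEY = OpenSSL::PKey::RSA.new(2048)
KID = "example-key-1"
ISSUER = "https://www.openstreetmap.org"    # assumed `iss` value
APP_CLIENT_ID = "everydoor-example-client"  # assumed `aud`: the mobile app's client id

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

# The JWKS document a relying party would fetch from the provider's
# discovery/keys endpoint; only the public parts (n, e) are published.
JWKS = {
  "keys" => [{
    "kty" => "RSA", "use" => "sig", "alg" => "RS256", "kid" => KID,
    "n" => b64url(SIGNING_KEY.n.to_s(2)),
    "e" => b64url(SIGNING_KEY.e.to_s(2))
  }]
}.freeze

# Provider side: stand-in for the `id_token` field returned by /oauth/token.
def issue_id_token(sub:, now: Time.now, ttl: 120)
  header = { "alg" => "RS256", "typ" => "JWT", "kid" => KID }
  claims = { "iss" => ISSUER, "sub" => sub, "aud" => APP_CLIENT_ID,
             "iat" => now.to_i, "exp" => now.to_i + ttl }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  signature = SIGNING_KEY.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Rebuild an RSA public key from a JWK's n/e via a PKCS#1 RSAPublicKey DER,
# which works on both the 2.x and 3.x openssl gems.
def rsa_public_key_from_jwk(jwk)
  n = OpenSSL::BN.new(b64url_decode(jwk["n"]), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk["e"]), 2)
  der = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(n),
                                     OpenSSL::ASN1::Integer.new(e)]).to_der
  OpenSSL::PKey::RSA.new(der)
end

class TokenError < StandardError; end

# Relying-party side: signature via JWKS first, then iss / aud / exp.
def verify_id_token(token, jwks:, issuer:, allowed_audiences:, now: Time.now, leeway: 30)
  parts = token.split(".")
  raise TokenError, "malformed token" unless parts.size == 3
  header = JSON.parse(b64url_decode(parts[0]))
  # Pin the algorithm: the token header must never get to choose `none` or an HMAC alg.
  raise TokenError, "unexpected alg" unless header["alg"] == "RS256"
  jwk = jwks["keys"].find { |k| k["kty"] == "RSA" && k["kid"] == header["kid"] }
  raise TokenError, "unknown kid" unless jwk
  key = rsa_public_key_from_jwk(jwk)
  signing_input = "#{parts[0]}.#{parts[1]}"
  unless key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(parts[2]), signing_input)
    raise TokenError, "bad signature"
  end
  claims = JSON.parse(b64url_decode(parts[1]))
  raise TokenError, "wrong issuer" unless claims["iss"] == issuer
  # `aud` is the OAuth client the token was issued to (the mobile app), so the
  # service keeps an allow-list of client ids it trusts rather than its own name.
  raise TokenError, "audience not allowed" if (Array(claims["aud"]) & allowed_audiences).empty?
  exp = claims["exp"]
  raise TokenError, "missing exp" unless exp.is_a?(Integer)
  raise TokenError, "token expired" unless now.to_i < exp + leeway
  claims
end

# Exercise the happy path, the 2-minute expiry, and a tampered payload.
def example_results
  now = Time.now
  token = issue_id_token(sub: "12345", now: now)
  opts = { jwks: JWKS, issuer: ISSUER, allowed_audiences: [APP_CLIENT_ID] }
  ok = verify_id_token(token, now: now + 60, **opts)
  expired = begin
    verify_id_token(token, now: now + 600, **opts)
    nil
  rescue TokenError => e
    e.message
  end
  head, body, sig = token.split(".")
  forged_body = b64url(JSON.generate(JSON.parse(b64url_decode(body)).merge("sub" => "1")))
  tampered = begin
    verify_id_token("#{head}.#{forged_body}.#{sig}", now: now, **opts)
    nil
  rescue TokenError => e
    e.message
  end
  { sub: ok["sub"], expired: expired, tampered: tampered }
end

puts example_results if $PROGRAM_NAME == __FILE__
```

Two points a service in Panoramax's position should keep in mind when building on this: the JWKS should be fetched once and cached, with a single re-fetch when an unknown `kid` shows up (key rotation), not a fetch per upload; and because the app refreshes the `id_token` on demand, the upload should use a token minted just before the request so the 2-minute window plus the 30-second leeway above comfortably covers the round trip.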