Get user e-mail permission in OAuth login #2011

Closed
HarelM opened this issue Oct 3, 2018 · 6 comments

@HarelM

HarelM commented Oct 3, 2018

Hi,

I'm using OSM accounts to manage users on my site to facilitate editing etc.
I'm using OAuth and allow users to log in to OSM.
I would like to be able to send mails to my users, but the current user details API doesn't show the user e-mail, so as far as I know there's no way for me to get it.
Am I missing something or is this a missing feature?
Site is here - log in on the upper right corner.

@tomhughes
Member

You're not missing anything, though you are abusing OAuth. You're hardly alone in that though.

No way do we want to get into the data protection issues involved in allowing third party access to email addresses though - if you want to know somebody's email address then ask them for it.

@HarelM
Author

HarelM commented Oct 3, 2018

Can you elaborate why I'm abusing OAuth?
I'm currently able to get permissions from the user to edit, see traces etc., how is asking for his email any different? I'm talking about the OAuth permissions dialog.

I don't want to ask for his user name and password since it violates the concept of OAuth and I don't want to create a secondary user management system just for emails...

@tomhughes
Member

I may have misunderstood - on re-reading it's not totally clear exactly what you are doing.

To be clear, the intention is that OAuth is used to grant users on your site permission to do things on OpenStreetMap - in other words it is a way of linking accounts. What it is not intended for is to replace accounts on your site completely - for you to use OAuth as a way of people logging into your site.

That's not our decision - it's what the OAuth protocol was designed for. The intention was that OpenID would be used for authenticating a local user against a remote site. That said, OAuth was often abused in that way, including by many OpenStreetMap users, and OAuth 2 does basically give in and merge both roles into one protocol (OpenID Connect is OAuth 2 based), but we don't currently support OAuth 2 at all.

I still stick by my primary point, that the risks (both legal and reputational) are just too great - it would be very easy for somebody that wasn't paying attention to unintentionally reveal their email and then they would come complaining to us.

@HarelM
Author

HarelM commented Oct 6, 2018

Often users do not want to register on every site that they're using, but let's put this aside.
Assuming I create a registration page on my site I would like to be able to reduce the need from my user who just placed his user name and password on OSM to rewrite their e-mail address in my registration form.
In other words, I can't have an easy registration form due to this limitation.
Other OAuth providers usually allow this option - it is up to the user to decide if he would like to give me his e-mail whether it's by the permissions or by writing it down.
I don't understand this legal and reputation stuff, this is a very weak argument, IMHO.

@simonpoole
Contributor

@HarelM there is a longish discussion on the matter here: #1431. Note that discussion was pre-GDPR; post-GDPR I would consider it even less likely that we could or would give out user e-mail addresses, and even less likely that you would actually want access to them, given the legal obligations arising out of that.

But as you can see from the discussion some way of allowing apps to message the user is still on the table.

@HarelM
Author

HarelM commented Oct 8, 2018

@simonpoole thanks for the info, +1 for allowing apps to send messages.
