Get user e-mail permission in OAuth login #2011
Comments
You're not missing anything, though you are abusing OAuth. You're hardly alone in that though. No way do we want to get into the data protection issues involved in allowing third party access to email addresses though - if you want to know somebody's email address then ask them for it.
Can you elaborate why I'm abusing OAuth? I don't want to ask for his user name and password since it violates the concept of OAuth and I don't want to create a secondary users management system just for emails...
I may have misunderstood - on re-reading it's not totally clear exactly what you are doing. To be clear, the intention is that OAuth is used to grant users on your site permission to do things on OpenStreetMap - in other words it is a way of linking accounts. What it is not intended for is to replace accounts on your site completely - for you to use OAuth as a way of people logging into your site. That's not our decision - it's what the OAuth protocol was designed for. The intention was that OpenID would be used for authenticating a local user against a remote site. That said, OAuth was often abused in that way, including by many OpenStreetMap users, and OAuth 2 does basically give in and merge both roles into one protocol (OpenID Connect is OAuth 2 based), but we don't currently support OAuth 2 at all. I still stick by my primary point, that the risks (both legal and reputational) are just too great - it would be very easy for somebody that wasn't paying attention to unintentionally reveal their email and then they would come complaining to us.
Often users do not want to register on every site that they're using, but let's put this aside.
@HarelM there is a longish discussion on the matter here: #1431. Note that discussion was pre-GDPR; post-GDPR I would consider it even less likely that we could or would give out user e-mail addresses, and even less likely that you would actually want access to them, given the legal obligations arising out of that. But as you can see from the discussion, some way of allowing apps to message the user is still on the table.
@simonpoole thanks for the info, +1 for allowing apps to send messages.
Hi,
I'm using OSM accounts to manage users in my site to facilitate for editing etc.
I'm using OAuth and allow users to log in to OSM.
I would like to be able to send mails to my users but the current user details API doesn't show the user e-mail so as far as I know there's no way for me to get it.
Am I missing something or is this a missing feature?
Site is here - log in on the upper right corner.