Move to OAuth 2.0 for OpenStreetMap login #18243

Closed
1 task done
dmpr0 opened this issue Sep 28, 2023 · 2 comments · Fixed by #19244

@dmpr0
Contributor

dmpr0 commented Sep 28, 2023

Description

The Operations Working Group is looking at what it takes to deprecate HTTP Basic Auth and OAuth 1.0a in favour of OAuth 2.0 on the main API in order to improve security and reduce code maintenance.

Some of the libraries that the software powering the API relies on for OAuth 1.0a are unmaintained, there is currently a need to maintain two parallel OAuth interfaces, and HTTP Basic Auth requires bad password management practices. OAuth 2.0 libraries should be available for every major language.

We do not yet have a timeline for this, but do not expect to shut off either this year. Before action is taken, we will send out more notifications. Deprecation may be incremental, e.g., we may shut off creation of new applications as an earlier step.

https://www.openstreetmap.org/user/pnorman/diary/401157

ToDo

iOS version already uses OAuth 2.0

  • Use OAuth 2.0 for OSM login

dmpr0 added this to the next-backend milestone Sep 28, 2023

@danieldegroot2
Contributor

See openstreetmap/operations#867

@mnalis
Contributor

mnalis commented Feb 15, 2024

Note critical days: openstreetmap/operations#867 (comment)

Repeating the announcement,
The Operations Working Group is shutting down OAuth 1.0a and HTTP Basic Auth in 2024. They have been deprecated since 2023 and their role in authorization has been replaced by OAuth 2.0, which is the standard authorization method for most systems. This change will have three key dates:

  • March 1st, 2024: New OAuth 1.0a application registrations are disabled. Existing applications will not be impacted. HTTP Basic Auth will not be impacted.
  • May 1st, 2024: Sysadmins will start brownouts to find applications that are still using OAuth 1.0a or HTTP Basic Auth
  • June 1st, 2024: OAuth 1.0a and HTTP Basic Auth will be shut down.
