osm.org as identity provider for dev instance #5063

Closed
mmd-osm opened this issue Aug 10, 2024 · 6 comments

Comments

@mmd-osm
Contributor

mmd-osm commented Aug 10, 2024

Back in OpenHistoricalMap/issues#662, we've been discussing using osm.org as an identity provider for other sites, such as our dev instances. This should make it easier for our users to try out new features, such as https://microcosms.apis.dev.openstreetmap.org, without remembering a new user + password for the dev instance.

I'm documenting all required steps here. For discussion...

Add omniauth_openid_connect gem

Link: https://github.com/omniauth/omniauth_openid_connect

diff --git a/Gemfile b/Gemfile
index fcf2ceb4d..f3bc8eac9 100644
--- a/Gemfile
+++ b/Gemfile
@@ -83,6 +83,7 @@ gem "omniauth-google-oauth2", ">= 0.6.0"
 gem "omniauth-mediawiki", ">= 0.0.4"
 gem "omniauth-microsoft_graph"
 gem "omniauth-openid"
+gem "omniauth_openid_connect"
 gem "omniauth-rails_csrf_protection", "~> 1.0"
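Review bot: the new `gem "omniauth_openid_connect"` line carries no version constraint, unlike the neighbouring `omniauth-mediawiki` (`">= 0.0.4"`) and `omniauth-rails_csrf_protection` (`"~> 1.0"`) entries; pin at least a minimum version so a later `bundle update` cannot silently move the OIDC client to an incompatible major release.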

Trust osm.org as confirmed email provider

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 0830e51d4..8f5485591 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -197,7 +197,7 @@ class UsersController < ApplicationController
                      when "openid"
                        uid.match(%r{https://www.google.com/accounts/o8/id?(.*)}) ||
                        uid.match(%r{https://me.yahoo.com/(.*)})
-                     when "google", "facebook", "microsoft", "github", "wikipedia"
+                     when "google", "facebook", "microsoft", "github", "wikipedia", "openstreetmap"
                        true
                      else
                        false
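Review bot: adding `"openstreetmap"` to the `true` branch marks this provider's email address as already confirmed, yet the provider is configured with the `openid` scope only and the description further down states that email is not taken over at all. Leave the provider in the `false` branch until it actually requests and returns a verified email claim, or record in a comment the assumption that the issuer only hands out confirmed addresses once the `email` scope is added.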

Add osm.org as new OIDC provider

  • Scope is currently set to openid, maybe email would also be possible.
  • Settings probably need some more fine tuning.
  • Redirect URL should point to the respective site, such as microcosms

diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index bce82b3c9..89702e6ae 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -27,11 +27,26 @@ facebook_options = { :name => "facebook", :scope => "email", :client_options =>
 microsoft_options = { :name => "microsoft", :scope => "openid User.Read" }
 github_options = { :name => "github", :scope => "user:email" }
 wikipedia_options = { :name => "wikipedia", :client_options => { :site => "https://meta.wikimedia.org" } }
+osm_oidc_options = { :name => :openstreetmap,
+                     :scope => [:openid],
+                     :issuer => "https://www.openstreetmap.org",
+                     :discovery => true,
+                     :response_type => :code,
+                     :uid_field => "preferred_username",
+                     :client_options => {
+                       :port => 443,
+                       :scheme => "https",
+                       :host => "www.openstreetmap.org",
+                       :identifier => Settings.openstreetmap_auth_id,
+                       :secret => Settings.openstreetmap_auth_secret,
+                       :redirect_uri => "http://127.0.0.1:3000/auth/openstreetmap/callback"
+                     } }
 
 google_options[:openid_realm] = Settings.google_openid_realm if Settings.key?(:google_openid_realm)
 
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider :openid, openid_options
+  provider :openid_connect, osm_oidc_options
   provider :google_oauth2, Settings.google_auth_id, Settings.google_auth_secret, google_options if Settings.key?(:google_auth_id)
   provider :facebook, Settings.facebook_auth_id, Settings.facebook_auth_secret, facebook_options if Settings.key?(:facebook_auth_id)
   provider :microsoft_graph, Settings.microsoft_auth_id, Settings.microsoft_auth_secret, microsoft_options if Settings.key?(:microsoft_auth_id)
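Review bot: two points on the new `osm_oidc_options` block and the `provider :openid_connect, osm_oidc_options` line. First, `:redirect_uri => "http://127.0.0.1:3000/auth/openstreetmap/callback"` hardcodes a plain-http loopback callback in shared configuration; every other provider here takes its values from `Settings`, so read the callback from a setting (or derive it from the site's own https host) so a deployed dev instance does not ship a localhost redirect that the issuer will reject or that downgrades the callback to http. Second, the provider is registered unconditionally while `:google_oauth2`, `:facebook` and `:microsoft_graph` are each guarded by `if Settings.key?(...)`; add `if Settings.key?(:openstreetmap_auth_id)` so instances without credentials do not register a provider whose `:identifier` and `:secret` are unset.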

Updated translations

diff --git a/config/locales/en.yml b/config/locales/en.yml
index ac41952c7..08d3a6942 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -223,6 +223,7 @@ en:
       microsoft: Microsoft
       github: GitHub
       wikipedia: Wikipedia
+      openstreetmap: OpenStreetMap
   api:
     notes:
       comment:
@@ -2612,6 +2613,9 @@ en:
       wikipedia:
         title: Log in with Wikipedia
         alt: Wikipedia logo
+      openstreetmap:
+        title: Log in with OpenStreetMap
+        alt: OpenStreetMap logo
   oauth:
     authorize:
       title: "Authorize access to your account"

Default settings.yml

diff --git a/config/settings.yml b/config/settings.yml
index 71df9ad3d..bd4665381 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -143,6 +143,8 @@ fossgis_valhalla_url: "https://valhalla1.openstreetmap.de/route"
 #microsoft_auth_secret: ""
 #wikipedia_auth_id: ""
 #wikipedia_auth_secret: ""
+#openstreetmap_auth_id: ""
+#openstreetmap_auth_secret: ""
 # Thunderforest authentication details
 #thunderforest_key: ""
 # Tracestrack authentication details
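Review bot: the two new commented-out keys `#openstreetmap_auth_id: ""` and `#openstreetmap_auth_secret: ""` sit directly under the wikipedia entries without a heading of their own, while the neighbouring blocks are introduced by a comment such as `# Thunderforest authentication details`; add an `# OpenStreetMap authentication details` line above them to keep the file consistent.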

Provider list updated

diff --git a/lib/auth.rb b/lib/auth.rb
index 729772477..f89cdf38f 100644
--- a/lib/auth.rb
+++ b/lib/auth.rb
@@ -10,6 +10,7 @@ module Auth
       providers[I18n.t("auth.providers.microsoft")] = "microsoft" if Settings.key?(:microsoft_auth_id)
       providers[I18n.t("auth.providers.github")] = "github" if Settings.key?(:github_auth_id)
       providers[I18n.t("auth.providers.wikipedia")] = "wikipedia" if Settings.key?(:wikipedia_auth_id)
+      providers[I18n.t("auth.providers.openstreetmap")] = "openstreetmap" if Settings.key?(:openstreetmap_auth_id)
     end.freeze
   end
 end

Icon

Copy /app/assets/images/osm_logo.svg to /app/assets/images/auth_providers/openstreetmap.svg

Register new oauth2 application on osm.org with

Permissions: Sign-in using OpenStreetMap (openid)

Confidential application

Copy client id + secret to settings.local.yml on microcosms rails instance

openstreetmap_auth_id: "1SDBnVj815zwFN6cV70TiQlC50...."
openstreetmap_auth_secret: "R3TWRC9GdxzQTHWvspugOc..."

Screenshots


Email and display name are not taken over. I don't have admin permission on osm.org to define an OAuth2 app with email reading permissions. Maybe this would also work out of the box.

Most importantly, users don't have to remember a separate logon + password for the dev instance; they can simply click on the "Log on with OpenStreetMap" button next time.


User settings show External Authentication using OpenStreetMap

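Added example, not part of the issue or of the openstreetmap-website code base: a small Ruby check that a provider option hash of the shape used in the omniauth.rb patch above agrees with the issuer's discovery document and with the host the dev instance is served from, run against the loopback http redirect from the patch and a corrected variant. The discovery document, the client credentials and the microcosms callback URL are constructed assumptions.

```ruby
require "json"
require "uri"

# Constructed stand-in for the issuer's /.well-known/openid-configuration
# (not fetched live; the endpoint paths are assumptions, not verified values).
DISCOVERY_JSON = <<~JSON
  {
    "issuer": "https://www.openstreetmap.org",
    "authorization_endpoint": "https://www.openstreetmap.org/oauth2/authorize",
    "token_endpoint": "https://www.openstreetmap.org/oauth2/token",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid"]
  }
JSON

# Returns a list of findings; empty means the option hash looks sound.
# site_host is the host name the dev instance is actually served from.
def check_oidc_options(opts, discovery_json, site_host:)
  doc = JSON.parse(discovery_json)
  client = opts.fetch(:client_options, {})
  findings = []
  findings << "issuer #{opts[:issuer]} does not match discovery issuer #{doc['issuer']}" unless opts[:issuer] == doc["issuer"]
  findings << "response_type #{opts[:response_type]} not supported by issuer" unless doc["response_types_supported"].include?(opts[:response_type].to_s)
  unknown = Array(opts[:scope]).map(&:to_s) - doc["scopes_supported"]
  findings << "scopes not advertised by issuer: #{unknown.join(', ')}" unless unknown.empty?
  %i[identifier secret].each do |k|
    findings << "client_options[:#{k}] is empty" if client[k].to_s.empty?
  end
  # The callback must be https and must belong to this site, otherwise the
  # authorization code is sent to a different (or unencrypted) endpoint.
  redirect = URI.parse(client[:redirect_uri].to_s)
  findings << "redirect_uri must use https" unless redirect.scheme == "https"
  findings << "redirect_uri host #{redirect.host.inspect} is not the site host #{site_host}" unless redirect.host == site_host
  findings
end

# Weak variant, as in the issue: loopback http redirect baked into shared config.
# Credentials are placeholders.
def weak_options
  { :name => :openstreetmap, :scope => [:openid],
    :issuer => "https://www.openstreetmap.org", :response_type => :code,
    :client_options => { :identifier => "CLIENT_ID_PLACEHOLDER", :secret => "SECRET_PLACEHOLDER",
                         :redirect_uri => "http://127.0.0.1:3000/auth/openstreetmap/callback" } }
end

# Corrected variant: https callback on the dev instance's own host (assumed URL).
def fixed_options
  weak_options.merge(:client_options => weak_options[:client_options].merge(
    :redirect_uri => "https://microcosms.apis.dev.openstreetmap.org/auth/openstreetmap/callback"))
end
```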

@tomhughes
Member

tomhughes commented Aug 10, 2024

This does not appear to be reporting an issue in this code base. Frankly I have no idea what it's trying to say or suggest but as best I can tell it's an operational request relating to one or more of the dev instances?

@mmd-osm
Contributor Author

mmd-osm commented Aug 11, 2024

I don't think it's an operational request, since we're not adding Gems or translations to the Rails port there, right?

So the use case here is: all non "osm.org production" Rails instances can benefit from the "osm.org production" login. Users don't need to remember separate logins, which makes these instances more easily accessible to a wider audience.

Originally, this request came from OHM. We're constantly telling mappers not to map razed or dismantled railways, and map them in OHM instead. However, as it's a completely different project, they would need a new user + password, which is rather cumbersome.

This config lowers the barrier a bit so mappers can at least use their osm.org login for mapping in OHM.

@tomhughes
Member

So you want to add this to our code base even though we'll never use it? If you really want that then why not open a PR instead of pasting patches into an issue?

@mmd-osm
Contributor Author

mmd-osm commented Aug 11, 2024

At least we'll never use it in production, as it would be kind of pointless to log on to osm.org using osm.org.

It could be useful to get more people to try out new features on the development instance, such as microcosms. Today, it's very difficult to convince people to test anything, in particular, if that involves signing up on another site.

Ideally, the experience would be similar to the Discourse community forum.

@openbrian
Contributor

In the early days of Microcosms, I actually coded this up to facilitate my own development. Would love to see it. Let me know if I should dig up old code.

@mmd-osm
Contributor Author

mmd-osm commented Aug 13, 2024

Thanks! We already have a branch with the required changes: https://github.com/mmd-osm/openstreetmap-website/tree/patch/oauthoidc

It’s almost exclusively configuration settings. Luckily there’s no need to do lots of coding here.
