API Authentication
Work In Progress!
This page describes the authentication mechanism for the HTTP API.
Users of the Tasking Manager web interface "log into" the application using their OSM credentials. Tasking Manager uses OAuth for that. What Tasking Manager gets from OSM is the user's id and display_name.
It is important to note that Tasking Manager doesn't have its own authentication system, and it doesn't have user passwords in its database. Using OAuth, OSM grants Tasking Manager access to the user details.
For the API we need a way to identify the application that sends requests to change states in Tasking Manager (change task states, …). We cannot rely on OAuth, because users of the application should not need to "log in". Users of the application may not even be OSM users.
One way to solve the problem involves using HTTP Basic with tokens.
Roles:
- TM = Tasking Manager
- TM Admin = the person who administrates TM
- App = the 3rd-party web application based on the TM API
- App Admin = the person who administrates App
Workflow:
- App Admin creates an OSM user for App
- App Admin logs into TM using that OSM user
- App Admin goes to /osmtm/token to get a token
- App Admin configures App to use OSM user + token as HTTP Basic credentials
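
The last workflow step, sketched from both sides as an added example (not code from Tasking Manager): the App builds the Basic header from its OSM user name and token, and the server parses and checks it. The function names, the in-memory `TOKENS` store and the sample user name are assumptions for illustration.

```python
import base64
import hmac
import secrets

# Constructed sample data: the token issued to the App's OSM user.
# A real deployment would keep this in the TM database (hypothetical store).
TOKENS = {"my_app_osm_user": secrets.token_urlsafe(32)}


def build_basic_header(osm_user, token):
    """App side: encode 'osm_user:token' as an HTTP Basic Authorization value."""
    if ":" in osm_user:
        # RFC 7617: the user-id part of Basic credentials cannot contain a colon.
        raise ValueError("user name must not contain ':'")
    raw = f"{osm_user}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def authenticate(header, tokens=TOKENS):
    """TM side: return the authenticated OSM user name, or None on any failure."""
    if not header:
        return None
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet.
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, presented = decoded.partition(":")  # split on the first colon only
    if not sep:
        return None
    expected = tokens.get(user)
    # Unknown users are compared against a throwaway value so that both
    # paths perform the same constant-time comparison.
    reference = expected if expected is not None else secrets.token_urlsafe(32)
    ok = hmac.compare_digest(presented.encode("utf-8"), reference.encode("utf-8"))
    return user if ok and expected is not None else None
```

Basic credentials are only base64-encoded, not encrypted, so this exchange has to run over HTTPS.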