OAuth 1.0a and HTTP Basic Auth shutdown on OpenStreetMap.org

In 2024, the OSMF Operations Working Group (OWG) is retiring OAuth 1.0a and HTTP Basic Auth on OpenStreetMap.org. These are technical ways for applications to authenticate users with the OSM website or API. OAuth 1.0a and HTTP Basic Auth have been deprecated since 2023, as OAuth 2.0 is now the standard authorization method for most systems.

There are three key dates in the transition process:

  • March 1st, 2024: New OAuth 1.0a application registrations were disabled. Existing applications were not impacted. HTTP Basic Auth was not impacted.
  • May 1st, 2024: System administrators will start brownouts to find applications that are still using OAuth 1.0a or HTTP Basic Auth.
  • June 1st, 2024: OAuth 1.0a and HTTP Basic Auth will be shut down.

Retiring these authentication methods is necessary because of security concerns, and the complexity of maintaining so many authorization implementations, including ones that rely on unmaintained components.

How does this impact me as a developer?

If you are a developer of an application using OAuth 1.0a or HTTP Basic Auth to log in to the OpenStreetMap.org website, you might need to make some changes to switch to OAuth 2.0. Fortunately, this is a well-supported industry standard.

If your application only makes read calls to the API, authorization is optional. For rate-limiting purposes, it is still a good idea to add authorization to your requests, but it is not required. If your application is a website using OSM for logins, OAuth 2.0 is much easier to use because it is far better supported, as so many other sites use it. It also avoids problems such as users ending up with many tokens in their list on the website.

If you are developing software that edits using the API and is run locally, you may need to make code changes. All common languages have libraries that deal with OAuth 2, and libraries are the preferred choice for any authorization. You can also use Zverik’s library for command-line tools, or write your own shell script of about a dozen lines.

You should be able to find lots of examples online of OAuth 2 client implementations in your language. If you want more detailed information or have technical questions, please use the GitHub ticket, where the OWG also tracks the applications that require modification to use OAuth 2.0.
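For locally run editing software, replacing HTTP Basic Auth typically means an OAuth 2.0 authorization-code flow with PKCE (RFC 7636), followed by Bearer-token API calls. The Python below is an added example, not OWG or project code; the endpoint URLs, scope name, client ID and loopback redirect URI are assumptions not stated in this post, and the actual POST to the token endpoint is left to your HTTP library so the code runs offline.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values, not taken from the post; replace with your registered application's.
AUTHORIZE_URL = "https://www.openstreetmap.org/oauth2/authorize"
TOKEN_URL = "https://www.openstreetmap.org/oauth2/token"
CLIENT_ID = "EXAMPLE_CLIENT_ID"                  # placeholder
REDIRECT_URI = "http://127.0.0.1:8111/callback"  # constructed loopback listener
SCOPE = "write_api"

def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def start_login():
    """Return (authorization URL, state, verifier). Keep state and verifier local."""
    verifier = secrets.token_urlsafe(64)   # 86 chars, inside the 43-128 limit
    state = secrets.token_urlsafe(16)      # binds the redirect to this login attempt
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    })
    return f"{AUTHORIZE_URL}?{query}", state, verifier

def finish_login(callback_url: str, expected_state: str, verifier: str) -> dict:
    """Validate the redirect, then return the form body to POST to TOKEN_URL."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    returned = params.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect does not belong to this login")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": verifier}

def api_headers(access_token: str) -> dict:
    """Header that replaces 'Authorization: Basic ...' on API requests."""
    return {"Authorization": f"Bearer {access_token}"}
```

With this flow the application never sees or stores the user's password, which is the main change from HTTP Basic Auth.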

How does this impact me as a mapper?

Most mappers will notice no change. The transition will not affect how you log in to your OSM account or use the website. iD and JOSM have supported OAuth 2.0 as the default authentication method for some time. If you use your OSM account to log in to a third-party site like the HOT Tasking Manager, MapRoulette, or HDYC, you will not be impacted as those sites have already moved to OAuth 2.0. Read-only API access does not require authorization at all.

The OpenStreetMap Foundation is a not-for-profit organisation, formed to support the OpenStreetMap Project. It is dedicated to encouraging the growth, development and distribution of free geospatial data for anyone to use and share. The OpenStreetMap Foundation owns and maintains the infrastructure of the OpenStreetMap project, is financially supported by membership fees and donations, and organises the annual, international State of the Map conference. Our volunteer Working Groups and small core staff work to support the OpenStreetMap project. Join the OpenStreetMap Foundation for just £15 a year or for free if you are an active OpenStreetMap contributor.
