API users should use api.openstreetmap.org host #951

Open
Firefishy opened this issue Sep 6, 2023 · 9 comments
Labels
service:api issues related to the API

Comments

@Firefishy
Member

Currently some API users use www.openstreetmap.org as the API host, they should switch to using api.openstreetmap.org

All editors should use api.openstreetmap.org as the API host.

Linked: #950

@Firefishy
Member Author

Firefishy commented Sep 6, 2023

This ticket could be used for tracking requests with editors.

@mmd-osm

mmd-osm commented Sep 15, 2023

We seem to have an inactive Apache rewrite rule that redirects API traffic to the api.* host. I couldn't really figure out why it hasn't been used in the last 10 years. Perhaps it has caused some issues with some clients that were not expecting a redirect.

https://github.com/openstreetmap/chef/blob/db5bd546be847bd5264dd09baf473dda96ea7810/cookbooks/web/templates/default/apache.frontend.erb#L197-L208

@tomhughes
Member

The commenting out predates chef so I can't say for sure, though I do remember adding that, but my guess is that the main culprit was curl (or libcurl-based things) as it is infamous for not following redirects by default.

@tyrasd
Member

tyrasd commented Sep 30, 2023

I'm assuming that the OAuth2 endpoints are not considered to be "part of the API" in this context, or are they?

@mmd-osm

mmd-osm commented Oct 1, 2023

OAuth2 endpoints don't seem to work on api.openstreetmap.org. I didn't manage to get a new access token, nor validate an existing one using the introspection endpoint. I'm getting a 301 redirect to https://www.openstreetmap.org/oauth2/token and then 404 when the client tries to send a GET instead of POST.

@tomhughes
Member

Bear in mind that currently api.openstreetmap.org just redirects to www.openstreetmap.org and curl at least doesn't preserve authorization headers across the redirect - at least that was the problem I encountered testing with /oauth2/token/info.

I haven't managed to find a way to make the introspection endpoint work at all so I haven't been able to look into what is going on with that but it may be something similar.
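A preflight check for the failure described in the comments above, where a 301 from one host to another leads a client to resend a POST as GET and to drop its Authorization header. This is an added example, not code from this thread or from the OSM project; the local redirecting server and the `www.example.test` target are constructed, and `origin`, `check_endpoint` and `demo` are hypothetical helper names.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

def origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"http": 80, "https": 443}[u.scheme])

def check_endpoint(url, method="POST"):
    """Send one unauthenticated request, do not follow redirects, report what one would cost."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=5)
    conn.request(method, u.path or "/")
    resp = conn.getresponse()
    status, location = resp.status, resp.getheader("Location")
    conn.close()
    redirected = status in (301, 302, 303, 307, 308) and location is not None
    target = urljoin(url, location) if redirected else None
    return {
        "status": status,
        "target": target,
        # Clients such as curl drop Authorization once a redirect leaves the origin.
        "leaves_origin": redirected and origin(target) != origin(url),
        # 301/302/303 allow a client to retry a POST as GET; 307/308 keep the method.
        "method_downgrade": redirected and method == "POST" and status in (301, 302, 303),
    }

class Redirector(BaseHTTPRequestHandler):
    """Constructed stand-in for a host that 301-redirects every POST to another origin."""
    def do_POST(self):
        self.send_response(301)
        self.send_header("Location", "http://www.example.test" + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

def demo():
    srv = HTTPServer(("127.0.0.1", 0), Redirector)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_endpoint(f"http://127.0.0.1:{srv.server_port}/oauth2/token")
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo())
```

A client that reports `leaves_origin` or `method_downgrade` for its configured token or API URL should be pointed at the host that answers directly rather than relying on the redirect.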

@mmd-osm

mmd-osm commented Oct 6, 2023

I'm using introspection in a mod_oauth2 Apache module config. An Overpass API server acts as a resource server, and can only be used with a valid Bearer token, originating from osm.org and issued for a certain client application.

This is what introspection looks like in Postman: I'm using OAuth2.0 for authorization. Note that the Bearer token in the HTTP header needs to be different from the one in the HTTP body.

[image]

tyrasd added a commit to openstreetmap/iD that referenced this issue Oct 10, 2023
danieldegroot2 added a commit to openstreetmap-polska/openaedmap-frontend that referenced this issue Oct 11, 2023
Use `api.openstreetmap.org/api/` -and HTTPS- instead of `www.openstreetmap.org/api/*`.

(Is: openstreetmap/operations#951)
eserte added a commit to eserte/bbbike that referenced this issue Oct 12, 2023
LaoshuBaby added a commit to geo-yuheng/Yuheng that referenced this issue Oct 28, 2023
@gravitystorm
Collaborator

> Currently some API users use www.openstreetmap.org as the API host, they should switch to using api.openstreetmap.org

I don't understand the point in doing this - I think I've either missed the explanation, or it hasn't yet been explained.

The linked issue suggests different timeouts, but that can either be handled by the application, or be different based on the URL paths.

So what advantage is there in having two different domains for the same application?

starsep pushed a commit to openstreetmap-polska/openaedmap-frontend that referenced this issue Nov 14, 2023
Use `api.openstreetmap.org/api/` -and HTTPS- instead of `www.openstreetmap.org/api/*`.

(Is: openstreetmap/operations#951)