
API users should use api.openstreetmap.org host

Open Firefishy opened this issue 2 years ago • 12 comments

Currently some API users use www.openstreetmap.org as the API host; they should switch to using api.openstreetmap.org.

All editors should use api.openstreetmap.org as the API host.

Linked: https://github.com/openstreetmap/operations/issues/950

Sep 06 '23 20:09 Firefishy

This ticket could be used for tracking requests with editors.

Sep 06 '23 20:09 Firefishy

We seem to have an inactive Apache rewrite rule that redirects API traffic to the api.* host. I couldn't really figure out why it hasn't been used in the last 10 years. Perhaps it has caused some issues with some clients that were not expecting a redirect.

https://github.com/openstreetmap/chef/blob/db5bd546be847bd5264dd09baf473dda96ea7810/cookbooks/web/templates/default/apache.frontend.erb#L197-L208

Sep 15 '23 20:09 mmd-osm

The commenting out predates chef so I can't say for sure, though I do remember adding that, but my guess is that the main culprit was curl (or libcurl based things) as it is infamous for not following redirects by default.

Sep 15 '23 21:09 tomhughes

I'm assuming that the OAuth2 endpoints are not considered to be "part of the API" in this context, or are they?

Sep 30 '23 15:09 tyrasd

OAuth2 endpoints don't seem to work on api.openstreetmap.org. I didn't manage to get a new access token, nor validate an existing one using the introspection endpoint. I'm getting a 301 redirect to https://www.openstreetmap.org/oauth2/token and then 404 when the client tries to send a GET instead of POST.

Oct 01 '23 19:10 mmd-osm

Bear in mind that currently api.openstreetmap.org just redirects to www.openstreetmap.org and curl at least doesn't preserve authorization headers across the redirect - at least that was the problem I encountered testing with /oauth2/token/info.

I haven't managed to find a way to make the introspection endpoint work at all so I haven't been able to look into what is going on with that but it may be something similar.

Oct 05 '23 11:10 tomhughes
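
What the two comments above describe (the POST that becomes a GET after the 301, and credentials lost when the redirect changes host), as an added example that is not part of the thread or of any OSM project code: a Python model of how a client derives the request that follows a redirect. `follow_redirect`, `TRUSTED_HOSTS` and the sample credential values are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Assumption: hosts this client may send its OAuth2 credentials to.
TRUSTED_HOSTS = frozenset({"api.openstreetmap.org", "www.openstreetmap.org"})
# Constructed sample mirroring the thread: token request sent to the api.* host.
SAMPLE = ("POST", "https://api.openstreetmap.org/oauth2/token",
          {"Authorization": "Basic CONSTRUCTED-CLIENT-CREDENTIALS",
           "Content-Type": "application/x-www-form-urlencoded"},
          b"grant_type=authorization_code&code=CONSTRUCTED")
LOCATION = "https://www.openstreetmap.org/oauth2/token"


def _without(headers, *names):
    """Copy of headers minus the given names (case-insensitive)."""
    return {k: v for k, v in headers.items() if k.lower() not in names}


def follow_redirect(method, url, headers, body, status, location,
                    trusted_hosts=frozenset()):
    """Return (method, url, headers, body) for the request after a redirect."""
    if status not in (301, 302, 303, 307, 308):
        raise ValueError(f"not a redirect status: {status}")
    target = urljoin(url, location)  # Location may be relative
    old, new = urlsplit(url), urlsplit(target)
    headers = dict(headers)

    # 303, and 301/302 for POST by long-standing client practice, turn the
    # request into a body-less GET; 307/308 keep method and body.
    if (status == 303 and method != "HEAD") or \
            (status in (301, 302) and method == "POST"):
        method, body = "GET", None
        headers = _without(headers, "content-type", "content-length")

    # Credentials follow the redirect only to the same origin, or to an
    # explicitly trusted host over HTTPS; otherwise they are dropped.
    same_origin = (old.scheme, old.hostname, old.port) == \
                  (new.scheme, new.hostname, new.port)
    if not (same_origin or
            (new.scheme == "https" and new.hostname in trusted_hosts)):
        headers = _without(headers, "authorization", "cookie")
    return method, target, headers, body


if __name__ == "__main__":
    print(follow_redirect(*SAMPLE, 301, LOCATION))
    print(follow_redirect(*SAMPLE, 308, LOCATION, TRUSTED_HOSTS))
```

With the default empty allowlist, the 301 case yields a GET with no body and no credentials, which matches the failed token request reported above; a 307 or 308 to an allowlisted HTTPS host keeps the POST, its body and the Authorization header.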

I'm using introspection in a mod_oauth2 Apache module config. An Overpass API server acts as a resource server, and can only be used with a valid Bearer token, originating from osm.org and issued for a certain client application.

This is what introspection looks like in Postman: I'm using OAuth2.0 for authorization. Note that the Bearer token in the HTTP header needs to be different from the one in the HTTP body.

image

Oct 06 '23 18:10 mmd-osm

https://www.openstreetmap.org/api/0.6/notes/16161
https://www.openstreetmap.org/api/0.6/notes/16161.json

Note responses still use https://www.openstreetmap.org/api/0.6/ URLs

Nov 03 '23 21:11 Zaczero

Currently some API users use www.openstreetmap.org as the API host; they should switch to using api.openstreetmap.org.

I don't understand the point in doing this - I think I've either missed the explanation, or it hasn't yet been explained.

The linked issue suggests that different timeouts, but that can either be handled by the application, or be different based on the URL paths.

So what advantage is there in having two different domains for the same application?

Nov 08 '23 11:11 gravitystorm