Omniauth-microsoft_graph correctly populates 'email' and 'name' fields used by OpenStreetMap.
It also uses updated endpoints for Microsoft identity provider.
Use email address returned by microsoft_graph provider as a verified address.
Upgrading exisiting users from windowslive to microsoft_graph:
- upon next login existing `windowslive` users will have to authorizei
OpenStreetMap application to "Read Your Profile," required for proper reading
of display name field.
The name of the identity provider in OSM is kept to 'windowslive':
- the entries in users table with `provider == 'windowslive'`
can be reused for microsoft_graph provider, since
the uid field is preserved. Users will not need to repeat the sign up process.
- OAuth2 callback is still `/auth/windowslive`, no updates to Microsoft Identity Provider portal
App registration are necessary.
This is required to allow the account settings screen, which now
uses the PATCH verb, to redirect to OmniAuth when the external
authentication provider is changed.
As PATCH still uses CSRF this doesn't impact CVE-2015-9284 which
is the reason for requiring POST and most importantly got not
allowing GET requests to OmniAuth.
This replaces OpenID authentication, which is going away soon, but
provides an upgrade path where we can migrate users that already have
a Google OpenID setup to the new system transparently.
