Hi, I just joined the forum and was looking into how to use oAuth and the API. I have been playing around with the javascript oAuth library found here http://oauth.googlecode.com/svn/code/javascript/. I've never used oAuth before and am confused on a few things. The example page from the above link has a "Get Request Token" form which generates an oauth_timestamp, oauth_nonce, oauth_signature, oauth_token and oath_token_secret using HMAC-SHA1. It then has an "Authorize" form which takes the request token value and sends it to http://api.smugmug.com/services/oauth/authorize.mg to bring up the SmugMug Authorize page where i click on the Authorize button and my App gets authorized. That's all good. What I don't understand is what do I do next????

So my app is authorized. Now, lets say, I want to create a new album. Using http://api.smugmug.com/services/api/json/1.3.0/ and method=smugmug.albums.create, where do I get the required oauth arguments from? Do i have to generate them each time I make one of these API calls or do i use the same values that I used to authorize the app in the first place? Sorry if this sounds totally basic but I've never done something like this before an I'm totally lost and haven't found any good examples of how to do it. :(

Any help would be much appreciated.

Thanks!

1. use your OAuthSecret and APIKey and request a temporary ( < 30 min ? ) token Id/Secret with smugmug.auth.getRequestToken

2. generate an authorization url using your APIkey, temporary Token Id/Secret, Access level, and Permission Level

3. ask user authorize your app via the above url

4. use your OAuthSecret, APIKey, temp Token Id and Secret, call smugmug.auth.getAccessToken for a persistent Token ID and Token Secret

5. use your OAuthSecret, APIKey, and persistent Token ID and Secret for all subsequent requests


You'll need to juggle a persistent token ID & Secret pair per smugmug user

The persistent token ID & Secret are valid until your application forgets them, your OAuthSecret/APIKey changes, or the user changes/sacks your app in their control panel.

The perm and temp Token Id/Secret are supposedly keyed to only work with your OAuthSecret and APIKey

Thank you for replying! You make it sound so easy. I just have a few things that are still unclear. Where does the oauth_signature value come in and from where?

Also, once I have the persistent Token ID and Token Secret, do I still need to generate and send a unique oauth_nonce and oauth_timestamp each time I make an API call?

Thanks!

Quote:

Originally Posted by lmissak Thank you for replying! You make it sound so easy. I just have a few things that are still unclear. Where does the oauth_signature value come in and from where? Also, once I have the persistent Token ID and Token Secret, do I still need to generate and send a unique oauth_nonce and oauth_timestamp each time I make an API call? Thanks!

The signature is based on the timestamp and a nonce - both should change every request.

The lib really should be managing these details for you. the read me for that lib has a nice warning: 'This library isn't as useful as you think it's going to be.'

Try building a small test app using a mature library ( phpSmug isn't sexy, but works for me ) - once you have a reference, then maybe work on the javascript library so it manages the minutia before deploying an app using it

Ha ha, yes i saw the warning. I did download phpSmug and am starting to play around with it. Thank you for all the info you've given me. It really cleared up some blind spots I had.

Thanks again!