Api using Oauth and image URL's

matthewpjw

I've been integrating smugmug in to an website to allow users to move photos to and from smugmug, the website is using oauth to authenticate with smugmug. (I'm using C# and should be able to release my smugmug/Oauth classes if anyone is interested...)

When I get an image and get the url's for the various sizes from smugmug it seems that the user must hold a smugmug cookie within their browser to access the image, or smugmug returns a 404 to the browser?

How do I use the API to return an image url that is valid without the browser being directly authenticated with smugmug???


Matt

jfriend

matthewpjw wrote:

I've been integrating smugmug in to an website to allow users to move photos to and from smugmug, the website is using oauth to authenticate with smugmug. (I'm using C# and should be able to release my smugmug/Oauth classes if anyone is interested...)

When I get an image and get the url's for the various sizes from smugmug it seems that the user must hold a smugmug cookie within their browser to access the image, or smugmug returns a 404 to the browser?

How do I use the API to return an image url that is valid without the browser being directly authenticated with smugmug???


Matt

If the URL is to a publicly available image (gallery not password protected and image not marked hidden and external linking enabled on the gallery and the image size enabled for public viewing), then the URL should work in any browser without a cookie. If the URL is restricted for any of those previous reasons, then it requires proper permissions/authentication before it can be accessed. You probably just need to check the settings on the gallery or image.

matthewpjw

jfriend wrote:

If the URL is to a publicly available image (gallery not password protected and image not marked hidden and external linking enabled on the gallery and the image size enabled for public viewing), then the URL should work in any browser without a cookie. If the URL is restricted for any of those previous reasons, then it requires proper permissions/authentication before it can be accessed. You probably just need to check the settings on the gallery or image.

Surely the point of authenticating with oauth and capturing the users token is so the api gives out url's that are accessable without aving to have exteral lnking or other features switched on?

jfriend

matthewpjw wrote:

Surely the point of authenticating with oauth and capturing the users token is so the api gives out url's that are accessable without aving to have exteral lnking or other features switched on?

But you asked for an URL that would work without a token. If you don't have external linking on, there are no URLs that are accessible by anyone without a proper authentication cookie. If you have the authentication credentials you should be able to access things. If you do not and the URLs are not configured by the owner to be open to the public, then you can't get in. That's the way it's supposed to work. There are no super secret URLs that you can get with oauth that then bypass all gallery security settings and work anywhere without credentials.

darryl

jfriend wrote:

But you asked for an URL that would work without a token. If you don't have external linking on, there are no URLs that are accessible by anyone without a proper authentication cookie. If you have the authentication credentials you should be able to access things. If you do not and the URLs are not configured by the owner to be open to the public, then you can't get in. That's the way it's supposed to work. There are no super secret URLs that you can get with oauth that then bypass all gallery security settings and work anywhere without credentials.

Right. Super-secret URLs are bad. I would expect that Oauth would set the proper cookie for you.

jfriend

darryl wrote:

Right. Super-secret URLs are bad. I would expect that Oauth would set the proper cookie for you.

Perhaps you can describe how you're using Oauth so someone could help further. Without knowing what you're trying to do, we can't really offer much advice.

Oauth by itself is generally used to give a 3rd party temporary access to some of your protected resources without having to give the 3rd party your login credentials (e.g. a book printer access to your photos so they can use them to print a book for you).

darryl

jfriend wrote:

Perhaps you can describe how you're using Oauth so someone could help further. Without knowing what you're trying to do, we can't really offer much advice.

But he did!

matthewpjw wrote:

I've been integrating smugmug in to an website to allow users to move photos to and from smugmug, the website is using oauth to authenticate with smugmug.

To me it seemed clear that he wants to let SmugMug users login on his website (with Oauth) and move their images to/from SmugMug. So, they'll need the cookie to be able to see their own images and select them for exporting to his website.

If Oauth gives you the right cookie (and I don't see any reason why it shouldn't -- they're your photos) this should work.

jfriend

darryl wrote:

But he did!



To me it seemed clear that he wants to let SmugMug users login on his website (with Oauth) and move their images to/from SmugMug. So, they'll need the cookie to be able to see their own images and select them for exporting to his website.

If Oauth gives you the right cookie (and I don't see any reason why it shouldn't -- they're your photos) this should work.

It depends upon how his app works in the browser and what the sequence of events is (that's what we would need to know). For most apps, the user is already logged into Smugmug so they would already have a cookie there and would already have access privileges to their own URLs. I don't know what smugmug.com cookies the Oauth login screen does or doesn't set after a successful oauth login. If one had an app to watch, it would be fairly easy to see what it does.

matthewpjw

jfriend wrote:

It depends upon how his app works in the browser and what the sequence of events is (that's what we would need to know). For most apps, the user is already logged into Smugmug so they would already have a cookie there and would already have access privileges to their own URLs. I don't know what smugmug.com cookies the Oauth login screen does or doesn't set after a successful oauth login. If one had an app to watch, it would be fairly easy to see what it does.

The Oauth process does set a cookie and the whole process works fine untill a user opens up our website on another browser or deletes their cookies, at that point the user doesn't see thumbnails of their image when browsing smugmug. We also integrate with Facebook, Flickr and Picasa and don't have this issue.

It sounds like its a case of educating the end user - it should be easy to detect the 404 that is returned and ask them to log in again though.

Matt