Invalid\expired token

masterghi Registered Users Posts: 12 Big grins
Hi

I am trying to get oAuth authentication to work with SmugMug. So far I am able to get the request token from the site, through both methods (getRequestToken.mg and smugmug.auth.getRequestToken).

After I have the token and token secret, I create the request to get the access token. The application has been allowed once and I assume I don't have to authorize every single time.

Here are the parameters that I am sending to the smugmug.com.getAccessToken method:
APIKey=<myKey>
method=smugmug.auth.getAccessToken
oauth_consumer_key=<mykey> - this is the same as APIKey
oauth_nonce=random string freshly generated
oauth_signature_method=HMAC-SHA1
oauth_timestamp= number of seconds from Jan 1st 1970
oauth_token=the token received when calling getRequestToken
oauth_signature=<signature>
-- the signature is computed with all the parameters from above (including the oauth_token).

When I make the call to get the token, I get this reply:
{
"stat":"fail",
"method":"smugmug.auth.getAccessToken",
"code":36,
"message":"invalid/expired token"
}

Any ideas why the token is considered invalid / expired? I just got it back from the server.

Comments

  • cholman Registered Users Posts: 4 Beginner grinner
    edited December 28, 2011
    Hard to tell where you are in the process. There are three steps to the OAuth process. The first is requestToken - you seem to have that; important in this step is the requestToken for the next step and the requestSecret needed in the third step - so save it somewhere. Then you need to have the user auth your app - so you send them to the auth site with the requestToken. Once the user auths, SmugMug will call back to the URL in your key settings (control panel); this is the way I did it. Then, using the authToken returned from SmugMug from the user auth and the requestSecret from the first step, you perform the third step - the call to Access Token. The response will have an authToken and an authSecret. These need to be stored for the user so you can perform transactions with them in the future - they do not expire unless the user revokes. If you are the user then you will see the permission below your API keys on the control panel. Now all of this needs to happen in a short time period, as the requestToken/requestSecret will expire.

    I am using Java and can send you examples if you want.
  • masterghi Registered Users Posts: 12 Big grins
    edited December 28, 2011
    Thank you for your reply.

    I do have the first token (the request token). However, I am not building a web site so there is no way for SmugMug to call back to the site.

    The application is however authorized (step 2 in your reply).

    And I believe SmugMug is using oAuth 1.0 which does not have the "oauth_verifier" notion.

    If you have an example that may help!
  • suntsu Registered Users Posts: 37 Big grins
    edited December 29, 2011
    Hi,
    I had the very same problem with the Google oAuth lib and my own oAuth implementation (both in C#).
    Have a look at Documentation smugmug oAuth with C# (Sample included)

    cheers
    manuel
    MySmug, my Windows phone 7 smugmug client.
    News about can be found on my website.
  • cholman Registered Users Posts: 4 Beginner grinner
    edited December 29, 2011
    That is a good example - I can help you if a web transaction. I will clean up my code and post. You are correct, they are not using oauth_verifier. So all you need in the 3rd step is the access token and request token secret. In the C# example I do not see where the access token is inserted in the accessToken process - but I am not using that language or library.

    Also, I have noticed that SmugMug is not consistent in the OAuth implementation on requests - for example, you can perform smugmug.images.getInfo w/o secrets in the request (consumer or auth_token secrets) but you must have them for smugmug.images.getStats (which does not seem to return correct data anyway). I am including them in all my transactions without any issue.

    Code for Java using the Struts framework and Jersey for Json/OAuth can be found at http://www.calandva.com/holmansite/do/myblog/blogging?date=20111229

    I detailed out the classes for OAuth process and then how to use the API
  • masterghi Registered Users Posts: 12 Big grins
    edited December 29, 2011
    suntsu wrote: »
    Hi,
    I had the very same problem with the Google oAuth lib and my own oAuth implementation (both in C#).
    Have a look at Documentation smugmug oAuth with C# (Sample included)

    cheers
    manuel

    Hey Manuel and Cholman!

    Thank you very much for your samples!

    I now know what I was doing wrong: not sending the oauth_token_secret when getting the access token.

    However, the oAuth spec does not mention sending back the oauth_token_secret. And neither does the documentation on the SmugMug site. Is there a way to ask for an update of the documentation on SmugMug?

    Your help, guys, is much appreciated!!!
  • devbobo Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
    edited January 17, 2012
    The oauth_token_secret should never be sent as an API parameter EVER.

    If you are having problems, it's probably due to lack of understanding either OAuth or the library that you are using.
    David Parry
    SmugMug API Developer
    My Photos
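
Added example, not part of any post in this thread and not SmugMug's or any poster's code: in OAuth 1.0 with HMAC-SHA1 the request-token secret is part of the signing key for the access-token call and is never a request parameter. The endpoint URL, the use of GET, and all key, token, nonce and timestamp values are constructed assumptions.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def enc(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Every request parameter except oauth_signature is encoded, sorted and joined
    pairs = sorted((enc(k), enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # The secrets appear only here, as the HMAC key "consumer_secret&token_secret"
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, consumer_secret, token_secret):
    # Server side: recompute with the stored secrets, compare in constant time
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

# Constructed sample values (assumptions, not real credentials or a real endpoint)
URL = "https://api.example.invalid/services/api/json/"
CONSUMER_SECRET = "constructed-consumer-secret"
REQUEST_TOKEN = "constructed-request-token"
REQUEST_TOKEN_SECRET = "constructed-request-token-secret"

def access_token_request(token_secret):
    # A real client generates a fresh nonce and timestamp for every call
    params = {
        "method": "smugmug.auth.getAccessToken",
        "oauth_consumer_key": "constructed-api-key",
        "oauth_nonce": "constructed-nonce-1",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1325030400",
        "oauth_token": REQUEST_TOKEN,
    }
    params["oauth_signature"] = sign("GET", URL, params, CONSUMER_SECRET, token_secret)
    return params

if __name__ == "__main__":
    for label, secret in (("with token secret in key", REQUEST_TOKEN_SECRET), ("empty token secret", "")):
        req = access_token_request(secret)
        ok = verify("GET", URL, req, CONSUMER_SECRET, REQUEST_TOKEN_SECRET)
        print(f"{label}: signature={req['oauth_signature']} verifies={ok}")
```

A request signed with an empty token secret carries the same parameters on the wire but fails verification, because the server recomputes the HMAC with the secret it stored when it issued the request token.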