REST API 2.0 Authentication with CURL

suzeesuzee Beginner grinnerPosts: 3Registered Users Beginner grinner
Does anyone have a working example of how to get authenticated (i.e. get a Session ID) using CURL (in Windows or UNIX) and to then use the Session ID to get back JSON data about my Smugmug folders, galleries and photos.

Since the examples in the documentation are for Python, I have not been able to find a working example for getting a Session ID using CURL. I have made the following attempts, but they all return nothing.

curl -X POST https://api.smugmug.com/services/oauth/1.0a/authorize ^
--user suzee.parker@gmail.com:xxxxxxxxxxx ^

curl -X POST https://api.smugmug.com/services/oauth/1.0a/authorize ^
--user qtSsMxxxxxxxxxxxxxxxxxxxxxxtnqgX:3GKkKaxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxQJWq ^
-H "Content-Type: application/json; charset=UTF-8" ^
-H "Accept: */*"

curl -X POST https://api.smugmug.com/services/oauth/1.0a/authorize ^
-H "Content-Type: application/json; charset=UTF-8" ^
--user suzee.parker@gmail.com:xxxxxxxxxxx ^
--data grant_type=client_credentials

curl -X POST https://api.smugmug.com/services/oauth/1.0a/authorize ^
-H "Content-Type: application/json; charset=UTF-8" ^
--user qtSsMxxxxxxxxxxxxxxxxxxxxxxtnqgX:3GKkKaxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxQJWq ^
--data grant_type=client_credentials

curl -X POST https://api.smugmug.com/services/oauth/1.0a/getRequestToken ^
-H "Content-Type: application/json; charset=UTF-8" ^
--user suzee.parker@gmail.com:xxxxxxxxxxx ^
--data grant_type=client_credentials

curl -X POST https://api.smugmug.com/services/oauth/1.0a/getAccessToken ^
-H "Content-Type: application/json; charset=UTF-8" ^
--user qtSsMxxxxxxxxxxxxxxxxxxxxxxtnqgX:3GKkKaxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxQJWq ^
--data grant_type=client_credentials

I did find this example that returned some containing a SessionID:

curl -k "https://api.smugmug.com/hack/rest/?method=smugmug.login.withPassword" ^
^&EmailAddress=suzee.parker@gmail.com ^
^&Password=xxxxxxxxxxx ^
^&Version=1.1.1 ^
^&APIKey=qtSsMxxxxxxxxxxxxxxxxxxxxxxtnqgX

And I was able to use it to get back a web page from the Live API Browser.

curl "https://api.smugmug.com/api/v2/node/n8dg6K"
-H "X-Smug-SessionID: 743658d3320393a3b1ce8ccfa63de2e5"

But if I add a Header record requesting the data be returned as JSON,

curl "https://api.smugmug.com/api/v2/node/n8dg6K"
-H "X-Smug-SessionID: 743658d3320393a3b1ce8ccfa63de2e5"
-H "Accept: application/json"

I get this error:

{ "Code":401,"Message":"Unauthorized" }

So I ask again, has anyone successfully used the REST API with CURL?

Thanks, Sue

Comments

  • bwgbwg SmugMug Sorcerer Northern VAPosts: 2,119Administrators SmugMug Employee
    edited July 27, 2017

    Hi Sue,

    In order to authenticate with APIv2 you'll need to use OAuth, and in order to request response data in JSON, you'll need to provide an API Key (also required for OAuth). So the first step would be to request an API Key here: https://api.smugmug.com/api/developer/apply. (you'll need to be logged in to your account)

    OAuth doesn't use sessionIDs, instead it uses authorized tokens & secrets to generate a unique signature for each request. The process in a nutshell goes like this:
    1) Request a REQUEST token. The request must be signed with your APIKey and secret (the APIKey is also referred to as a consumer key)
    2) Send an authorization request for the REQUEST token. This will prompt the user to login and authorize the consumer application with certain access privileges. This request is not signed.
    3) Exchange the now authorized REQUEST token for an ACCESS token and secret. This request must be signed with the REQUEST token and secret as well as your consumer key+secret.

    Now the authorization and token exchange process is complete. Subsequent requests must be signed with the ACCESS token+secret as well as the consumer key+secret.

    If you are only accessing your own data, you can skip steps 1-3 as we automatically generate an ACCESS token+secret for accessing your own data. The token+secret can be found in your account settings under the privacy section > Authorized Services. Click the word 'token' next to your application name. If you need to request data on behalf of other users you will need to follow all the steps above. Our OAuth token exchange endpoints are listed here: https://api.smugmug.com/api/v2/doc/tutorial/authorization.html

    Signing an OAuth request is tricky, so cURL might not be the easiest approach though a quick google search does return a few options that might be useful. Twitter has an excellent writeup on what goes into generating a signature here https://dev.twitter.com/oauth/overview/creating-signatures. We highly recommend an established OAuth library to generate the signatures.

    Once you're generating an OAuth signed request, all you'll need to do to get JSON back is set the appropriate Accept header.

    Hope this helps get you going in the right direction. Let us know if you need anything else at api@smugmug.com

    Cheers,
    Lee

    SmugMug API Sorcerer

    Pedal faster
  • NimaiNimai Grin there, done that Austin, TXPosts: 555Registered Users Major grins

    How funny- this is exactly the topic I came to find some information about.

    Let me see if I understand correctly. Is there a way to access my own data using the API secret and not have to OAuth?

  • bwgbwg SmugMug Sorcerer Northern VAPosts: 2,119Administrators SmugMug Employee

    No. The "API Secret" (and api key, and token secret/key) are parameters used for signing an OAuth request.

    Pedal faster
Sign In or Register to comment.