Wednesday, August 29, 2012

Flickr API Authentication Pitfalls

Or: Things That I Don't Think Are Clear Enough in the Flickr Documentation. I do accept, however, that they are (or may be) standards documented elsewhere on the net. Examples are in PHP.
  1. Your first request, the one that requests the Request Token token (no, that is not a typo), should be HMAC-SHA1 signed using your API Secret (a.k.a. Consumer Secret) followed by an ampersand as the key, since you don't have a Token Secret yet, i.e.:
     hash_hmac('sha1', $base, "$secret&", true)
  2. Your second request, for an Access Token, should be signed using your API Secret followed by an ampersand followed by the Token Secret returned in step one as the key. From then on, use the Token Secret returned by this step instead.
  3. The "base string" to be signed should be the exact query string (equal signs and ampersands included, parameters sorted alphabetically by name, values URL-encoded), itself URL-encoded once more. That is, query values end up URL-encoded twice, so an oauth_callback value looks like:
    oauth_callback%3Dhttp%253A%252F%252Fwww.example.com%26...
  4. The signature should be the URL-encoded, base64-encoded raw binary HMAC, not the hex string PHP returns by default, so you need to pass true as the last hash_hmac parameter, i.e.:
    urlencode(base64_encode(hash_hmac('sha1', $base, "$secret&$tokensecret", true)))
  5. The oauth_nonce is a random eight-digit integer, used to make each call unique.
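
Putting the five points together, here is an added example (my own, not code from the post or from Flickr) that builds and signs the request-token call. It follows the RFC 5849 base-string layout (HTTP method, base URL and normalized query string, each percent-encoded and joined by ampersands) and uses rawurlencode rather than urlencode; the key and secret values are placeholders.

```php
<?php
// Added example, not code from the original post: OAuth 1.0a HMAC-SHA1 signing
// per RFC 5849 s.3.4. Assumes PHP 7+ (random_bytes) and placeholder credentials.

function oauth_encode(string $value): string
{
    // RFC 3986 encoding; urlencode() would emit "+" for spaces and break the signature.
    return rawurlencode($value);
}

function oauth_base_string(string $method, string $url, array $params): string
{
    // Encode names and values first, then sort by encoded name (pitfall 3).
    $encoded = [];
    foreach ($params as $name => $value) {
        $encoded[oauth_encode($name)] = oauth_encode((string) $value);
    }
    ksort($encoded, SORT_STRING);
    $pairs = [];
    foreach ($encoded as $name => $value) {
        $pairs[] = $name . '=' . $value;
    }
    // METHOD & enc(URL) & enc(query string): the query string is encoded a second time.
    return strtoupper($method) . '&' . oauth_encode($url)
        . '&' . oauth_encode(implode('&', $pairs));
}

function oauth_sign(string $base, string $consumerSecret, string $tokenSecret = ''): string
{
    // Key is secret '&' token secret; the '&' stays with no token secret yet (pitfall 1).
    // Later steps pass the token secret just received (pitfall 2). Raw binary HMAC,
    // base64-encoded (pitfall 4); percent-encode it when placing it in the URL.
    $key = oauth_encode($consumerSecret) . '&' . oauth_encode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

// Step 1: sign the request-token call. Credentials are constructed placeholders.
$consumerSecret = 'CONSUMER_SECRET_PLACEHOLDER';
$url    = 'https://www.flickr.com/services/oauth/request_token';
$params = [
    'oauth_callback'         => 'http://www.example.com',
    'oauth_consumer_key'     => 'CONSUMER_KEY_PLACEHOLDER',
    'oauth_nonce'            => bin2hex(random_bytes(8)),   // unique per call (pitfall 5)
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => (string) time(),
    'oauth_version'          => '1.0',
];
$base = oauth_base_string('GET', $url, $params);
$params['oauth_signature'] = oauth_sign($base, $consumerSecret);   // no token secret yet
echo $url . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986), PHP_EOL;
```

For the access-token call and every API call after it, pass the Token Secret from the previous step as the third argument of oauth_sign.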
