photobucket API Authentication

By -

I have been using REST APIs lately to communicate with various service providers via json.

One of them was particularly difficult to use: Photobucket.
Here are some of the reasons for this uncommon level of complexity:

There is no API
At this moment, previous sites such as http://photobucket.com/developer or http://developer.photobucket.com simply do not go anywhere but Photobucket generic start-up page
After querying the Photobucket team, it turns out that there is in fact an API and it is being updated so we should expect the developer area to work again in the near future.

Where is my API Key/Secret?
If you've already requested an access key in the past, good for you.
If not, you simply won't be able to use the API, unless you do one of the following:
- Contact Photobucket Facebook page (https://www.facebook.com/photobucket)
- Contact Photobucket Support site (http://support.photobucket.com/home)

Why am I having so much trouble authenticating?
So you have trying decrypting all documentation files and still no luck.
Make sure you are reading the documentation very carefully, cause you may be overseeing something.

The main requirements for first-step authentication are:
- Make an HTTP POST to http://api.photobucket.com/login/request
(Request URLs should NEVER contain an ending back slash)

- Do NOT use POSTFIELDS (POST body content). Add all parameters as a querystring on top of the URL

http://pic.photobucket.com/dev_help/WebHelpPublic/Content/Getting%20Started/Web%20Authentication.htm


Error #1 - Authentication failed nonce invalid
One of the parameters you have to send is "nonce". It is a unique value that must be send in all requests. It needs to be different for every user and every request. The idea is to create a completely random value that is guaranteed not to be repeated anytime soon. There are various ways to do this. One of them is using the time function, which retrieves the current timestamp. However, that alone might not be accepted by the service. So I usually add the md5 function on top of that (e.g. md5(time()) ).

Error #2 - Authentication failed timestamp invalid
Another parameter is the current timestamp in GMT. Fear not. Most frameworks have a function that tells this right away (for PHP it is the time() function).
There is quite a fuzz with this parameter, because sometimes the server timestamp is a bit off due to time zone differences, but since the time function retrieves the GMT value automatically, it shouldn't be a problem.
http://pic.pbsrc.com/dev_help/WebHelpPublic/Content/FAQ/FAQTech.htm?SearchType=Stem&Highlight=timestamp|Timestamp#Timestamp

Error #3 - Authentication failed signature check failed
This is by far the most irritating error. We have no idea what is happening because creating the base string and the signature is so complex and the documentation is not completely transparent.

Some pointers:

- urlencode or rawurlencode your parameters

- "Sort the parameters by name lexicographically" which means that all parameters MUST be in alphabetic order or you will get this error

- base 64 encode your signature after running the hmac sha1 algorithm

- set rawurlencode to true in the hash_hmac function

Complete anonymous access request function (from my Photobucket plugin)
function photobucket_stepone_requesttoken()
{
    //make anonymous post request
    $url = "http://api.photobucket.com/login/request";
    
    //gather up parameters in the right order
    $parameters = array(
        'format' => 'json',
        'oauth_consumer_key' => rawurlencode(get_option('photobucket-apiid')),
        'oauth_nonce' => rawurlencode(md5(time())),
        'oauth_signature_method' => rawurlencode('HMAC-SHA1'),
        'oauth_timestamp' => rawurlencode(time()),
        'oauth_version' => rawurlencode('1.0')
    );
    
    //build the query string
    $httpquery = http_build_query($parameters);

    //create the base string
    $basestring = rawurlencode("POST") . '&' . rawurlencode($url) . '&' . rawurlencode($httpquery);

    //create the signature
    $sign = base64_encode(hash_hmac("sha1", $basestring, get_option('photobucket-apisecret') . "&", true));

    //add the parameters and the signature to the url
    $url = $url . '?' . httpquery . '&oauth_signature=' . rawurlencode($sign);

    //make the post
    $result = photobucket_makehttprequest($url, "POST");
    return $result;
}


Main Consumer Authentication Documentation
http://pic.photobucket.com/dev_help/WebHelpPublic/Content/Getting%20Started/Consumer%20Authentication.htm


See my question in stack overflow

Comments

Post a Comment

Popular posts from this blog

Breaking down document locking in SharePoint

By -
Image
This is a topic I've been meaning to discuss in a while. We open, change and close documents almost every day, and sometimes we collaborate with other people at the same time on those documents. SharePoint brings all co-authoring features we need, straight out-of-the-box, but sometimes, there are problems. While things are starting to look better on the cloud side, the concept of document locking is still very much up-to-date and understanding how it works and what to do when things go wrong is crucial. In an article that has since disappeared the Microsoft Knowledge Base (but still available here ), Microsoft explains it best: When a document is opened by a client program, Windows SharePoint Services puts a write lock on the document on the server. The write lock times out after 10 minutes. Users cannot modify the document during the time when the document is locked. In a scenario where the program that opens the document unexpectedly quits or crashes and you try to open the do
Read more

Working around X-Frame-Options for iframes

By -
Image
The problem: One of the first things we noticed after migrating to SharePoint 2013 was that our iframes have stopped working, giving the error: "Refused to display 'http://contoso/pages/home.aspx' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'." Quickly we could see that this is in fact a security mechanism to prevent click-jacking and others: "The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame or iframe. Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites." Soon we realized that, starting SharePoint 2013, an HTTP Module is adding the header " X-Frame-Options " by default, with the value " SAMEORIGIN ". This is effectively preventing the rendering of pages outside the scope of the current web application. The (attempted) solution: So what to do?
Read more

Document ID not being generated

By -
Image
Problem In a scenario where we have many document Content Types, we may want to enable Document ID - aka "Permanent Links" - which is a feature in SharePoint that assigns a specific ID for each document. That ID never changes even if the document is renamed or moved to another location. In this scenario, the Document ID field was being generated for some libraries/content types, but not others, which is a surprisingly common problem. Background There are several stages we need to go through to enable use this mechanism. Stage 1 We enable the feature in the Site Collection Features. Stage 2 Under Site Collection Administration > Document ID Settings, we need to enable the assignment and pick a prefix. The IDs use the format: PREFIX-LISTID-LISTITEMID ( ref ) Where: PREFIX: the preconfigured prefix for the site collection, which can be any set of numbers and letters between 4-12 characters LISTID: the property docid_msft_hier_listid of the list
Read more