Flickr API Notes

Authorization

Logic

isUserCookieSet
		|_yes->
		|_no->

OAuth

flickr.auth.oauth.getAccessToken
API Explorer : flickr.auth.oauth.getAccessToken
flickr.auth.oauth.checkToken
API Explorer : flickr.auth.oauth.checkToken

Signing A Request

1. All three parts of the Base String and the two parts of the key must be URL-encode according to RFC 3986. In PHP this requires rawurlencode alone as of PHP 5.3.0. Prior to that you need something like Example 1.
2. The parts are concatenated with an ampersand.
3. The whole string is then Base64 encoded.

Example 1

function urlEncodeRFC3986($input){
	// Unencode tildes
	return str_replace('%7E', '~', rawurlencode($input));
}

Error Codes

96: Invalid signature
	The passed signature was invalid.
97: Missing signature
	The call required signing but no signature was sent.
100: Invalid API Key
	The API key passed was not valid or has expired.
105: Service currently unavailable
	The requested service is temporarily unavailable.
111: Format "xxx" not found
	The requested response format was not found.
112: Method "xxx" not found
	The requested method was not found.
114: Invalid SOAP envelope
	The SOAP envelope send in the request could not be parsed.
115: Invalid XML-RPC Method Call
	The XML-RPC request document could not be parsed.
116: Bad URL found
	One or more arguments contained a URL that has been used for abuse on Flickr.

Links

lib_oauth.php Notes

/* lib_oauth.php
oauth_get_auth_token
	oauth_sign_get
		oauth_sign
			oauth_generate_nonce
			oauth_generate_timestamp
			oauth_build_signature
				oauth_normalize_http_url
				oauth_get_signable_parameters
				oauth_hmac_sha1
		oauth_normalize_http_url
		oauth_to_postdata
	oauth_url_to_hash

*/
$keys = array(
		'oauth_key'	=> 'd1f239094b90c9d6511eb8f0568ced1b',
		'oauth_secret' => '2d91309057f0c245'
);
$url = 'http://www.flickr.com/services/oauth/request_token?oauth_callback=http%3A%2F%2Fruneapps.eye-fi.dev%2Fflickr%2Fapi-callback.php';

$ok = oauth_get_auth_token($keys, $url);

echo '<pre>$GLOBALS[oauth_last_request]: '.print_r($GLOBALS['oauth_last_request'], true)."</pre>\n";

if ($ok)
{
	$url = oauth_get_auth_url($keys, "http://www.flickr.com/services/oauth/authorize");

	echo 'access url is <a href="'.$url.'">'."$url</access>\n";
	exit;
}else{
	die("something went wrong");
}

Blogging

Adventures in OAuth and the Flickr API

I was very happy to take the chance to create my own client implementation of the Flickr API using OAuth. Playing with OAuth for the Flickr API is fun and far more challenging than I expected though. This is unfortunately because their documentation is lacking to say the least. Visiting the official OAuth site didn’t help much as the spec allows for different implementations and thus couldn’t truly help in clearing up the situation for the Flickr implementation. In addition to that Flickr also does not seem to be strictly following the spec regarding what OAuth defines for signing a request using SHA1. This leads to much speculation, research of other clients written for the API that already work and a great deal of trial and error. In essence your almost better off not reading the Flickr API OAuth documentation at all. Ultimately I believe you can have three results in this type of experience:

1. You can ultimately succeed in spite of the Flickr API documentation.
2. You give up in frustration and just use a pre-existing class which negates much of the learning experience.
3. You hunt down and kill those in charge of the documentation after taking over their systems and fixing the docs based on their notes taken under torture which lasts several days after acquiring the info and verifying it works.

Though the third option is horribly tempting and potentially the most (morbidly) satisfying option, I was able to partake of the first option and am happy to share a few notes which may save many hours of research and frustration and possibly the lives of the Flickr API documentation team. Following are my signing the request notes which was the major part of my frustration in this adventure.

• The BaseString is comprised of: the HTTP verb (usually GET), the URL for the request in question sans query string, all query parameters sorted by key†. Each of these parts are URL-encoded according to RFC 3986‡ and concatenated with an ampersand (&).
• The Key is comprised of: the URL-encoded‡ app secret and URL-encoded‡ current OAuth token secret if it exists or an empty string concatenated with an ampersand. Not using the OAuth token secret when signing your request only happens when getting the request token as the initial part of the OAuth process.
• The BaseString is used as the data portion of a binary HMAC-SHA1 keyed hash.
• The hash is then Base64 encoded and the resulting signature is added to the URL query string with with the key "oauth_signature" sans quotes of course.

Edit: Check out my FlickrExample on Amazon Web Services EC2!

† According to the OAuth spec, parameters are first sorted by key then for matching keys sorted by value. Though with Flickr the secondary sort should not be necessary.
‡ The Flickr API does not mention RFC 3986. And in fact you must not only URL-encode according to RFC 3986 but must additionally replace all + symbols with a space.

Signing Your Request

git clone https://runeimp@services.eye.fi/git/dev.git work

users_add_with_activation_code
users_add_with_mac

obj method version

usersAdd
usersAddActivationCode
usersAddMac

• [..]
• API_Notes.textile
• AWS_Notes.textile
• Brightcove_Notes.textile
• CloudFoundry_Notes.textile
• eFax_Services_2009-02-20_v0001.txt
• Facebook_API_Samples.php
• Facebook_Notes.textile
• Flickr_API_Notes.textile
• Google_Libraries_API.textile
• LinkedIn_API.textile
• Matrix_URI_Notes.textile
• OAuth_DB.textile
• OAuth_Notes.textile
• PGP-GPG_Notes.textile
• RuneAuth.textile
• Twitter_API_Notes.textile
• XMPP_Notes.textile
• YouTube_API.textile
• YouTube_API_old.textile
• YQL-Yahoo_Query_Language.textile