flickr api changes

Flickr has recently been acquired by Yahoo. This isn’t news, but as a result, they’ve changed the authentication mechanisms in the Flickr API. Previously, there was a simple API call with a username and password that would authenticate your session. This was simple, and great for application developers – we could manage user profiles and store usernames and passwords for the user.

This has all changed with the new API.

Now, there is no API call to authenticate. Instead, you need to call one method to get a session key, called a “frob”, passing your application’s unique identifier (an API key) and its password (the shared secret). Then you need to create a URL that the user must access (through a browser), which allows them to log in through a web form. The status of their “frob” will then be updated so that they’re authenticated, and API calls from the application will then work using that “frob”.
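To make the flow above concrete, here is an added example (not Glimmr’s code or Flickr’s) that builds the browser URL for a frob and shows how the service side can check it. It assumes the legacy Flickr signing scheme (an `api_sig` parameter that is the MD5 of the shared secret followed by the sorted parameter names and values, and a `perms` parameter on the `/services/auth/` endpoint); the API key, secret and frob values are constructed.

```python
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "http://flickr.com/services/auth/"


def api_sig(shared_secret, params):
    """Legacy Flickr request signature: MD5 over the shared secret followed by
    every parameter name and value, sorted by name (MD5 is what that API used)."""
    payload = shared_secret + "".join(k + params[k] for k in sorted(params))
    return hashlib.md5(payload.encode("utf-8")).hexdigest()


def build_auth_url(api_key, shared_secret, frob, perms="read"):
    """Application side: once the frob has been fetched, build the URL the user
    must open in a browser. Only api_key, perms and frob are signed; the user's
    own username and password never pass through the application."""
    params = {"api_key": api_key, "perms": perms, "frob": frob}
    params["api_sig"] = api_sig(shared_secret, params)
    return AUTH_ENDPOINT + "?" + urlencode(params)


def verify_auth_url(url, registered_apps):
    """Service side: recompute the signature with the secret registered for the
    presented api_key. Any edit to frob or perms in transit changes the digest."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    presented = query.pop("api_sig", None)
    secret = registered_apps.get(query.get("api_key"))
    if secret is None or presented is None:
        return False
    return presented == api_sig(secret, query)


# Constructed values: a fake application registration and a fake frob.
REGISTERED_APPS = {"0123456789abcdef": "glimmr-shared-secret"}


def demo():
    url = build_auth_url("0123456789abcdef", "glimmr-shared-secret", "72157-frob", "read")
    genuine = verify_auth_url(url, REGISTERED_APPS)
    # A link rewritten to ask the user for broader permissions no longer
    # matches the signature, so the service can refuse it.
    escalated = verify_auth_url(url.replace("perms=read", "perms=write"), REGISTERED_APPS)
    return genuine, escalated


if __name__ == "__main__":
    print(demo())  # (True, False)
```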

This sucks for application developers. It’s no longer possible to store profiles, usernames and passwords for users. And it obviously requires delegation to a web browser before the application is usable. Now, thanks to Gtk.Html and Gecko, this isn’t going to be horrible for Glimmr. Either way, it’s not particularly pleasant.

This also sucks for users. They can’t use profiles, and they’re going to have an application popping up a browser window when they try to do something. Any application I used that did this, I’d be extremely wary of. Why? Well, that brings me to my next point: is this more or less secure?

If the aim of this is to increase security by removing the application from the loop, i.e. it never sees the user’s username or password, then it’s not entirely successful. It would be trivial to still obtain the username and password, just by spoofing the web page that’s popped up, displaying a “sorry, your password is incorrect, please try again” and forwarding that to the real login page.

I don’t think that’s one of the considerations; more likely it’s due to Yahoo’s recent acquisition of Flickr. Now, new users must sign up to Yahoo before they get a Flickr account. It looks like there’s no Yahoo API to authenticate, and so we’re left visiting a web page and relying on server-side sessions for authentication.

Of course, I’m blaming all of this on Yahoo because they’re not in the room.

Either way, it’s not going to affect Glimmr that much. I can embed a Gtk.Html or Gecko widget in the application and use that, rather than using a separate window (or still allow the user to choose that option), so it’s mostly just a pain in the neck. Of course the Glimmr code is, and will remain, open source, so any malicious code would be found. Not that I’d even consider writing it.

Wise up Yahoo!