{"id":9,"date":"2005-09-17T03:38:54","date_gmt":"2005-09-17T03:10:26","guid":{"rendered":""},"modified":"2017-03-07T19:58:14","modified_gmt":"2017-03-07T19:58:14","slug":"flickr_api_changes","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/obz\/2005\/09\/17\/flickr_api_changes\/","title":{"rendered":"flickr api changes"},"content":{"rendered":"<p>Flickr has recently been acquired by Yahoo. This isn&#8217;t news, but as a result, they&#8217;ve changed the authentication mechanisms in the Flickr API. Previously, there was a simple API call with a username and password that would authenticate your session. This was simple, and great for application developers &#8211; we could manage user profiles and store usernames and passwords for the user.<\/p>\n<p>This has all changed with the new API.<\/p>\n<p>Now there is no API call that authenticates with a username and password. Instead, you call one method, signed with your application&#8217;s unique identifier (an API key) and its password (the shared secret), to obtain a one-time session token called a &#8220;frob&#8221;. Then you build a URL that the user must open in a browser, where they log in through Flickr&#8217;s own web form and approve the application. That marks the frob as authorised; the application then exchanges the frob for an auth token and sends that token with its API calls on the user&#8217;s behalf.<\/p>\n<p>This sucks for application developers. It&#8217;s no longer possible to store profiles, usernames and passwords for users. And it obviously requires delegation to a web browser before the application is usable. Thanks to Gtk.Html and Gecko, this isn&#8217;t going to be horrible for Glimmr. Either way, it&#8217;s not particularly pleasant.<\/p>\n<p>This also sucks for users. They can&#8217;t use profiles, and they&#8217;re going to have an application popping up a browser window when they try to do something. I&#8217;d be extremely wary of any application that did this. Why? Well, that brings me to my next point: is this more or less secure?<\/p>\n<p>If the aim is to increase security by removing the application from the loop, so that it never sees the user&#8217;s username or password, then it&#8217;s not entirely successful. A malicious application could still capture the credentials: it only has to show its own copy of the login page, record what the user types, display a &#8220;sorry, your password is incorrect, please try again&#8221; message and then forward the user to the real login page, where the second attempt succeeds and nothing looks wrong. An embedded browser widget makes this even harder for the user to spot, since there is no address bar or certificate indicator to check that the form really came from Flickr.<\/p>\n<p>I don&#8217;t think that was one of the considerations &#8211; more likely it&#8217;s a consequence of Yahoo&#8217;s recent acquisition of Flickr. New users must now sign up to Yahoo before they get a Flickr account. It looks like there&#8217;s no Yahoo API to authenticate against, so we&#8217;re left visiting a web page and relying on server-side sessions for authentication.<\/p>\n<p>Of course, I&#8217;m blaming all of this on Yahoo because they&#8217;re not in the room.<\/p>\n<p>Either way it&#8217;s not going to affect Glimmr that much. I can embed a Gtk.Html or Gecko widget in the application and use that rather than a separate window (or still allow the user to choose that option), so it&#8217;s mostly just a pain in the neck. Of course the Glimmr code is, and will be, open sourced, so any malicious code would be found &#8211; not that I&#8217;d even consider writing it.<\/p>\n<p>Wise up Yahoo!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Flickr has recently been acquired by Yahoo. This isn&#8217;t news, but as a result, they&#8217;ve changed the authentication mechanisms in the Flickr API. Previously, there was a simple API call with a username and password that would authenticate your session. 
This was simple, and great for application developers &#8211; we could manage user profiles and &hellip; <a href=\"https:\/\/blogs.gentoo.org\/obz\/2005\/09\/17\/flickr_api_changes\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">flickr api changes<\/span><\/a><\/p>\n","protected":false},"author":31,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/obz\/wp-json\/wp\/v2\/posts\/9"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/obz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/obz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/obz\/wp-json\/wp\/v2\/users\/31"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/obz\/wp-json\/wp\/v2\/comments?post=9"}],"version-history":[{"count":1,"href":"https:\/\/blogs.gentoo.org\/obz\/wp-json\/wp\/v2\/posts\/9\/revisions"}],"predecessor-version":[{"id":20,"href":"https:\/\/blogs.gentoo.org\/obz\/wp-json\/wp\/v2\/posts\/9\/revisions\/20"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/obz\/wp-json\/wp\/v2\/media?parent=9"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/obz\/wp-json\/wp\/v2\/categories?post=9"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/obz\/wp-json\/wp\/v2\/tags?post=9"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
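The frob exchange the post describes (get a frob with the API key and shared secret, send the user to a web form, then call the API once the frob is approved), as an added example that is not part of the original post or of Glimmr's code. Both sides run offline in Python: the server is an in-memory stand-in, the API key, shared secret, user account and password are constructed for the example, and the request signing scheme (MD5 over the shared secret followed by the sorted key/value pairs, the way the old Flickr auth API did it) is stated here as an assumption rather than taken from the post. It goes one step beyond the post by exchanging the approved frob for an auth token, which is what later calls actually carry.

```python
import hashlib
import hmac
import secrets

# Constructed credentials for this example only; not real Flickr values.
API_KEY = "a1b2c3d4e5f6"
SHARED_SECRET = "s3cr3t"


def api_sig(shared_secret, params):
    """Request signature as the old Flickr auth API defined it (assumption, see
    lead-in): MD5 of the shared secret followed by each parameter as key+value,
    keys sorted, no separators. Any existing api_sig is left out of the input."""
    payload = shared_secret + "".join(
        k + str(v) for k, v in sorted(params.items()) if k != "api_sig")
    return hashlib.md5(payload.encode("utf-8")).hexdigest()


def signed(shared_secret, **params):
    """Return the parameters with api_sig attached, as the application sends them."""
    params["api_sig"] = api_sig(shared_secret, params)
    return params


class SimulatedFlickr:
    """In-memory stand-in for the server side so the whole flow runs offline."""

    def __init__(self):
        self.apps = {}      # api_key -> shared secret
        self.frobs = {}     # frob -> {"api_key": ..., "user": None until login}
        self.tokens = {}    # auth_token -> (api_key, username)
        self.passwords = {"alice": "hunter2"}  # constructed test account

    def register_app(self, api_key, shared_secret):
        self.apps[api_key] = shared_secret

    def _verify(self, params):
        """Every call must carry a valid api_sig for its api_key."""
        secret = self.apps.get(params.get("api_key"))
        if secret is None or not hmac.compare_digest(
                params.get("api_sig", ""), api_sig(secret, params)):
            raise PermissionError("bad api_key or api_sig")

    def get_frob(self, params):
        """flickr.auth.getFrob: only a holder of the shared secret gets a frob."""
        self._verify(params)
        frob = secrets.token_hex(8)
        self.frobs[frob] = {"api_key": params["api_key"], "user": None}
        return frob

    def browser_login(self, auth_params, username, password):
        """The web form the user is sent to. The password goes straight to the
        server; the application only learns whether the frob was approved."""
        self._verify(auth_params)
        entry = self.frobs.get(auth_params.get("frob"))
        if entry is None or self.passwords.get(username) != password:
            return False
        entry["user"] = username
        return True

    def get_token(self, params):
        """flickr.auth.getToken: exchange an approved frob, exactly once, for a token."""
        self._verify(params)
        frob = params.get("frob")
        entry = self.frobs.get(frob)
        if entry is None or entry["user"] is None or entry["api_key"] != params["api_key"]:
            raise PermissionError("frob unknown, not yet approved, or already used")
        del self.frobs[frob]
        token = secrets.token_hex(16)
        self.tokens[token] = (params["api_key"], entry["user"])
        return token

    def whoami(self, params):
        """An ordinary authenticated call; stands in for flickr.test.login."""
        self._verify(params)
        owner = self.tokens.get(params.get("auth_token"))
        if owner is None or owner[0] != params["api_key"]:
            raise PermissionError("missing auth_token or token issued to another app")
        return owner[1]


def run_flow(server, username, password):
    """The whole exchange from the desktop application's point of view."""
    frob = server.get_frob(signed(SHARED_SECRET, method="flickr.auth.getFrob",
                                  api_key=API_KEY))
    # These parameters form the URL handed to the browser; the browser is
    # simulated by calling the server directly with the user's credentials.
    auth_params = signed(SHARED_SECRET, api_key=API_KEY, perms="read", frob=frob)
    if not server.browser_login(auth_params, username, password):
        return None
    token = server.get_token(signed(SHARED_SECRET, method="flickr.auth.getToken",
                                    api_key=API_KEY, frob=frob))
    return server.whoami(signed(SHARED_SECRET, method="flickr.test.login",
                                api_key=API_KEY, auth_token=token))


def is_rejected(call, *args):
    """True when the server refuses a request; used to check the negative cases."""
    try:
        call(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    flickr = SimulatedFlickr()
    flickr.register_app(API_KEY, SHARED_SECRET)
    print(run_flow(flickr, "alice", "hunter2"))
```

Two things worth noticing when running it. The signature binds every parameter to the shared secret, so a request forged without the secret or altered after signing is refused before any frob or token is issued; but the secret ships inside the desktop application, so it identifies the application rather than proving anything about who is running it. And the only step that touches the user's password is `browser_login`, which is exactly the step the post points out an application can imitate with a fake login form.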