Partigi API - authentication

Page history last edited by Fernando Blat 14 years, 2 months ago

Go back to the main page

 

OAuth is the authentication method implemented in Partigi. It serves two purposes: signing requests so that Partigi can identify which client application is accessing the API, and authenticating users together with client applications to allow write-mode operations, such as creating reviews, adding friends, etc.

 

If you are not familiar with OAuth, read the OAuth beginner's guide and the OAuth specification. There are also many libraries for most languages that take care of OAuth signing for you, so you should not need to implement the signature algorithm yourself.

 

Registration for OAuth applications is available at http://www.partigi.com/applications. There, you can register your application and Partigi will provide you with a consumer key and a consumer secret. The consumer secret is the key material every signature is derived from: keep it out of client-side code and public repositories, since anyone holding it can sign requests as your application.

 

These are the OAuth endpoint URLs:

 

  • Request Token URL: http://www.partigi.com/oauth/request_token
  • Access Token URL: http://www.partigi.com/oauth/access_token 
  • Authorize URL: http://www.partigi.com/oauth/authorize

  

Access modes

 

Once you have your keys, every request must be either signed or authenticated on behalf of a user, depending on the method you are going to call (each method's page indicates its access mode).

 

Read-write mode

 

If the access mode is read-write, you have to obtain authorization from the user and get a valid access token (request token, user authorization at the Authorize URL, then exchange at the Access Token URL). You then sign each request with that access token and its token secret, exactly as the OAuth specification describes.

 

Read-only mode

 

If the access mode is read-only, you sign your requests in the same way the OAuth specification describes, but omitting the oauth_token parameter both in the Authorization header and in the signature base string. Because there is no token, the HMAC-SHA1 signing key is the percent-encoded consumer secret followed by "&" and an empty token secret.

 

For example, the signature base string of a read-only request looks like this (notice that the oauth_token parameter is omitted, while the non-default port 3000 is kept in the encoded URL):

 

 GET&http%3A%2F%2Fpartigi.lan%3A3000%2Fapi%2Fv1%2Freviews%2Findex.xml&item_id%3D1%26item_type%3Dfilm%26oauth_consumer_key%3DkUvgQefaoUEtDEmuSQDM%26oauth_nonce%3Dme94bhgl3BxIQ4rbuc9muwCkg2r7ytfyCMu64h14KaM%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1265279601%26oauth_version%3D1.0

 

And the corresponding authorization header (notice that the oauth_token parameter is omitted in the header):

 

 OAuth oauth_nonce="me94bhgl3BxIQ4rbuc9muwCkg2r7ytfyCMu64h14KaM",
       oauth_signature_method="HMAC-SHA1",
       oauth_timestamp="1265279601",
       oauth_consumer_key="kUvgQefaoUEtDEmuSQDM",
       oauth_signature="it3QeMv3moF34no4ClB7%2FOvbQJw%3D",
       oauth_version="1.0"
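The signing procedure for both access modes, as an added example written for this page rather than code from Partigi: it builds the OAuth 1.0 signature base string, computes the HMAC-SHA1 signature and assembles the Authorization header. Passing no token selects read-only mode (no oauth_token anywhere, empty token secret); passing a token and token secret selects read-write mode. The consumer secret below is a placeholder, since the real one is never published, and the helper names are this example's own; the constructed read-only request reproduces the base string shown above.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay unencoded."""
    return quote(str(value), safe="")


def normalize_url(url):
    """Scheme and host lower-cased, query and fragment dropped, default ports omitted."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, parts.path, "", ""))


def signature_base_string(method, url, params):
    """METHOD & encoded base URL & encoded, sorted, '&'-joined key=value pairs."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is consumer_secret&token_secret; in read-only mode the token secret is empty."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, consumer_key, consumer_secret,
                 token=None, token_secret="", nonce=None, timestamp=None):
    """Return base string, signature and Authorization header for an API call.

    token=None selects read-only mode (no oauth_token parameter at all); a token
    selects read-write mode, where the user's access token and its secret join in.
    """
    parts = urlsplit(url)
    params = list(parse_qsl(parts.query, keep_blank_values=True))
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_urlsafe(32),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token is not None:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, params + list(oauth.items()))
    signature = hmac_sha1_signature(base, consumer_secret, token_secret)
    oauth["oauth_signature"] = signature
    header = "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())
    return {"base_string": base, "signature": signature, "header": header}


# Constructed input: the read-only call from this page with its fixed nonce and
# timestamp. The consumer secret is a placeholder (assumption), so the signature
# will differ from the one shown on the page; the base string is identical.
READ_ONLY = sign_request(
    "GET",
    "http://partigi.lan:3000/api/v1/reviews/index.xml?item_id=1&item_type=film",
    consumer_key="kUvgQefaoUEtDEmuSQDM",
    consumer_secret="example-consumer-secret",
    nonce="me94bhgl3BxIQ4rbuc9muwCkg2r7ytfyCMu64h14KaM",
    timestamp=1265279601,
)

if __name__ == "__main__":
    print(READ_ONLY["base_string"])
    print("Authorization: " + READ_ONLY["header"])
```

Two details worth checking in your own implementation: parameters are sorted after percent-encoding, not before, and every request needs a fresh nonce and current timestamp, otherwise the server is entitled to reject the request as a replay.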

 

About access tokens expiration

 

Access tokens do not expire. A user's access token is invalidated if the user explicitly revokes your application's authorization or if Partigi suspends your application. If your application is suspended there will be a note on your application page saying so. In either case, your application should handle token revocation gracefully: treat a rejected token as revoked, discard the stored token and secret, and send the user through the authorization flow again instead of retrying with the same credentials.

 

Web applications and Client applications

 

We distinguish between web applications and client (desktop) applications. At present you can only integrate OAuth in a web application, because the verifier code needed to exchange the request token for a valid access token is only obtained once the user has authorized the client application through a browser. We are planning to implement a PIN mode for desktop clients and mobile devices.

 

 


 
