OAuth is the authentication method implemented in Partigi. It is used to sign requests and identify which client application is accessing the API, and to authenticate users and client applications so that they can perform write-mode operations, such as creating reviews, adding friends, etc.
If you are not familiar with OAuth, you can read this OAuth beginner's guide and the OAuth specification. Also, you can find a lot of libraries that will help you to integrate OAuth in your code.
Registration for OAuth applications is available at http://www.partigi.com/applications. There, you can register your application and Partigi will provide you with a consumer key and a consumer secret.
These are the OAuth backend URLs:
- Request Token URL:
http://www.partigi.com/oauth/request_token
- Access Token URL:
http://www.partigi.com/oauth/access_token
- Authorize URL:
http://www.partigi.com/oauth/authorize
Access modes
Once you have your keys you have to sign or authenticate your requests, depending on the method you are going to call (every method explanation page indicates the access mode).
Read-write mode
If the access mode is read-write, you have to get authorization from the user and obtain a valid access token with which to sign the requests, as indicated by the OAuth specification.
Read-only mode
If the access mode is read-only, you have to sign your requests in the same way you would with the original OAuth specification, but omitting the oauth_token parameter both in the Authorization header and in the signature calculation.
For example, a signature base string would be (notice that the oauth_token parameter is omitted in the string):
GET&http%3A%2F%2Fpartigi.lan%3A3000%2Fapi%2Fv1%2Freviews%2Findex.xml&item_id%3D1%26item_type%3Dfilm%26oauth_consumer_key%3DkUvgQefaoUEtDEmuSQDM%26oauth_nonce%3Dme94bhgl3BxIQ4rbuc9muwCkg2r7ytfyCMu64h14KaM%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1265279601%26oauth_version%3D1.0
And the corresponding authorization header (notice that the oauth_token parameter is omitted in the header):
OAuth oauth_nonce="me94bhgl3BxIQ4rbuc9muwCkg2r7ytfyCMu64h14KaM",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1265279601",
oauth_consumer_key="kUvgQefaoUEtDEmuSQDM",
oauth_signature="it3QeMv3moF34no4ClB7%2FOvbQJw%3D",
oauth_version="1.0"
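The read-only signing described above, as an added Python example (not Partigi's own code): it rebuilds the signature base string shown on this page and signs it with HMAC-SHA1. The consumer secret is a placeholder, so the resulting signature differs from the one in the header above, and the "consumer secret plus empty token secret" key is an assumption taken from the OAuth 1.0 specification.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def enc(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # params = query parameters plus every oauth_* parameter except
    # oauth_signature. Read-only mode: oauth_token must be absent.
    if "oauth_token" in params:
        raise ValueError("read-only requests must not carry oauth_token")
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # The URL is assumed to be already normalized (lowercase scheme and host).
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(method, url, params, consumer_secret):
    # Key is "<consumer secret>&<token secret>". With no token the token
    # secret is empty, so the key ends in a bare "&" (assumption, see lead-in).
    key = (enc(consumer_secret) + "&").encode()
    text = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def authorization_header(oauth_params, signature):
    fields = dict(oauth_params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{k}="{enc(v)}"' for k, v in fields.items())

def verify(method, url, params, consumer_secret, presented_signature):
    # Receiving side: recompute and compare in constant time.
    expected = sign(method, url, params, consumer_secret)
    return hmac.compare_digest(expected, presented_signature)

# Request values copied from the example on this page.
URL = "http://partigi.lan:3000/api/v1/reviews/index.xml"
QUERY = {"item_id": "1", "item_type": "film"}
OAUTH = {
    "oauth_consumer_key": "kUvgQefaoUEtDEmuSQDM",
    "oauth_nonce": "me94bhgl3BxIQ4rbuc9muwCkg2r7ytfyCMu64h14KaM",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1265279601",
    "oauth_version": "1.0",
}
SECRET = "EXAMPLE_CONSUMER_SECRET"  # placeholder, not a real Partigi secret

if __name__ == "__main__":
    print(authorization_header(OAUTH, sign("GET", URL, {**QUERY, **OAUTH}, SECRET)))
```

In real requests the nonce and timestamp must be freshly generated for each call; the fixed values here only reproduce the page's base string.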
About access tokens expiration
Access tokens should never expire. A user's access token will be invalidated if the user explicitly revokes your application's authorization or if Twitter suspends your application. If your application is suspended, there will be a note on your application page saying that it has been suspended. In either case, your application should be able to handle token revocation gracefully.
Web applications and Client applications
We distinguish between web applications and client or desktop applications. In fact, at present you can only integrate OAuth in a web application, because the verifier code needed to get a valid access key is only obtained once the user has authorized the client application through a browser. We are planning to implement a PIN mode for desktop clients and mobile devices.