Authentication best practice questions

Topics: Developer Forum
Feb 28, 2014 at 12:55 PM
Hi everyone,

I have a couple of questions regarding authentication. To better explain what information I'm after, here is what I intend to do:
  • A WinRT app for the Windows Store that connects to Flickr using authentication of my personal Flickr account to only pull Flickr assets associated with my account - including high resolution images only available through authentication
Obviously, when the app binary gets submitted to the store, it must already contain the authentication (the token) persisted in the app binary and its app package. This is where I have my questions:
  • With the above idea, it doesn't make sense to implement the OAuth authentication into the app, as the app only needs the already performed authentication credentials. How would I get the token (and whatever else I need) so the app can use it?
  • More generally for my understanding: is a token technically only associated with an API key and secret from Flickr's point of view?
  • In a broader sense, what is acceptable use of a single API key, secret and any associated authentication token? Can I use the same combination of credentials to play around in a console command line app? I am pretty sure Flickr wants developers to use a single API key per unique application only.
  • Will I get into trouble for distributing a Windows Store app that comes pre-authenticated with my Flickr account? I understand there may be a risk of someone downloading that app from the store, dissecting the app package and potentially stumbling across the API key and token to use them in malicious ways on my account. Any suggestions what to do about this?
I'm thankful for you sharing your thoughts on this.

regards,

Tobias W.
Coordinator
Mar 2, 2014 at 10:56 PM
The first thing that comes to mind when people ask this kind of question is, "Should you really be using Flickr for this?"

If you are simply using Flickr to store high resolution images for your mobile application, which are not publicly available, and you are not including a link in your application to the Flickr page for these images (which seeing as they are not public you can't) then you are probably breaking the Flickr TOS.
Mar 2, 2014 at 11:37 PM
samjudson wrote:
The first thing that comes to mind when people ask this kind of question is, "Should you really be using Flickr for this?"

If you are simply using Flickr to store high resolution images for your mobile application, which are not publicly available, and you are not including a link in your application to the Flickr page for these images (which seeing as they are not public you can't) then you are probably breaking the Flickr TOS.
Hi Sam,

the app would link back to the corresponding image page on Flickr (I intend to have the link open modern IE on Windows 8 with the link to the page).

The purpose of the app is not to hide the origin of the images or the affiliation of the images with their Flickr hosting.

Essentially, the app would not be any different in principle from the popular FlickRiver website with the main difference that the app is hard linked to my personal photography portfolio on Flickr instead of picking interesting images from a single specific Flickr group. Essentially, I want to create a way to showcase my own images with a native viewing experience for a native Windows 8 app. I don't see how that violates the Flickr TOS.

Depending on how well I like what I can create for showing a customized, native Windows 8 viewing experience for my images, I might create a fork of the app that users can configure (per downloaded instance) to their own portfolio so they can hand around their Windows 8 tablet to show off their images. Problem is, Yahoo doesn't seem to give a XXXX about Windows Phone 8 or Windows 8.1, their newest changes to design and layout don't even work in IE11. So having a native app to show your images on a Windows 8.1 device is actually very desirable.

I've been a paying Flickr user for years and seeing how other, new services like 500px cater much better to the needs of photographers who maintain a portfolio on their service, I want to scratch that itch for myself on Flickr - always playing by the rules of course!

BTW, most of my initial questions were answered here:

http://www.flickr.com/services/api/auth.spec.html

I wrote a small command line tool which generates the frob request and authentication URL for the browser with the returned frob as well as the request to retrieve the token. I figure if I limit access permissions to "read" and take a closer look at how Windows 8 apps protect their internals in the app package, I might be within reasonable risk of putting the API key, secret and token locked onto my Flickr account into the app package. If I find that there's no way to securely hide away the credentials in the app package, I might just put a simple proxy web service that owns the credentials with the native app being client to that. I'll give that more thought.

Tobias
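The proxy design floated at the end of that post, written out as an added example (this is not code from the thread, from Tobias's tool or from any Flickr library). It assumes the API key, shared secret and the account's auth token are read from three environment variables on the proxy host (names chosen here), that the app only ever sends a method name plus read parameters, and that the proxy forwards only a small allowlist of read-only methods. The signing scheme is the one from the auth.spec.html page linked above: api_sig is an MD5 over the secret followed by the alphabetically sorted parameter names and values.

```python
"""Proxy-side credential holder for a Flickr viewer app (hypothetical example).

The shipped app embeds only the proxy's URL. Key, secret and token live on
the proxy; the proxy validates each client request, signs the upstream call
itself, fetches it, and relays the response body. Nothing below performs
network I/O; it builds and checks the upstream call so it can run offline.
"""
import hashlib
import os
from urllib.parse import urlencode

# Flickr's REST endpoint (the proxy, not the app, talks to it).
FLICKR_REST = "https://api.flickr.com/services/rest/"

# Constructed allowlist: read-only methods the proxy will forward. Anything
# else (uploads, deletes, permission changes) is refused before signing.
READ_ONLY_METHODS = frozenset({
    "flickr.people.getPhotos",
    "flickr.photos.getInfo",
    "flickr.photos.getSizes",
})

# Parameters only the proxy may set; a client that supplies them is rejected
# so it cannot substitute its own key/token or replay a signature.
RESERVED_PARAMS = frozenset({"api_key", "auth_token", "api_sig", "method"})


def load_credentials(env=os.environ):
    """Return the credential dict from the environment, or None if incomplete.

    Variable names are an assumption of this example.
    """
    try:
        return {
            "api_key": env["FLICKR_API_KEY"],
            "secret": env["FLICKR_API_SECRET"],
            "auth_token": env["FLICKR_AUTH_TOKEN"],
        }
    except KeyError:
        return None


def sign_params(secret, params):
    """Flickr api_sig: MD5 over secret + sorted name/value pairs, api_sig excluded."""
    base = secret + "".join(
        f"{k}{params[k]}" for k in sorted(params) if k != "api_sig"
    )
    return hashlib.md5(base.encode("utf-8")).hexdigest()


def build_upstream_call(method, client_params, creds):
    """Validate a client request and build the signed call the proxy will make.

    Returns {"ok": True, "url": ..., "params": ...} on success or
    {"ok": False, "error": ...} when the request is refused. The result is
    internal to the proxy; only the fetched response body goes back to the app.
    """
    if method not in READ_ONLY_METHODS:
        return {"ok": False, "error": f"method not allowed: {method}"}
    smuggled = RESERVED_PARAMS.intersection(client_params)
    if smuggled:
        return {"ok": False, "error": f"client may not set: {sorted(smuggled)}"}
    params = dict(client_params)
    params.update({
        "method": method,
        "api_key": creds["api_key"],
        "auth_token": creds["auth_token"],
        "format": "json",
        "nojsoncallback": "1",
    })
    params["api_sig"] = sign_params(creds["secret"], params)
    return {"ok": True, "url": FLICKR_REST + "?" + urlencode(params), "params": params}


if __name__ == "__main__":
    # Constructed credentials for a local dry run; a real deployment sets the
    # three FLICKR_* variables on the proxy host only, never in the app package.
    demo_creds = load_credentials() or {
        "api_key": "demo-key", "secret": "demo-secret", "auth_token": "demo-token",
    }
    print(build_upstream_call("flickr.people.getPhotos", {"user_id": "me", "per_page": "20"}, demo_creds))
    print(build_upstream_call("flickr.photos.delete", {"photo_id": "1"}, demo_creds))
```

With this split, extracting the app package yields only the proxy URL; the account's key, secret and token never leave the server, and even someone who drives the proxy directly is limited to the read-only methods it is willing to sign.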
Coordinator
Mar 3, 2014 at 6:59 AM
Ok, well that sounds ok. You did say that the images were only available via authentication, but perhaps you mean only the high res version. You do realise that no-one else can view the page of a private photo.

Why do you need to embed the token in the app though? Just design it so you can authenticate, and store that on the device (not in the app). Then anyone can use the app themselves, and you don't need to release separate apps per user (which just clogs the store and makes your app look like spam to be honest).

Also, the old authentication process has been deprecated, so you should use OAuth now. Also, go to my github page for a copy of the flickrnet library that works with windows 8.

https://github.com/samjudson/FlickrNet-Experimental

Also, I've not had any issues using Flickr with IE11 on either a RT device or Windows 8.1.