BIG Changes in the Flickr API

Stewart just posted about “big”—that’s the word he used—changes to the Flickr API. The major change is in the authentication API—something that I was expecting will happen (now that they’re part of Yahoo!).

So, briefly, this is how authentication will work:

• In addition to the API key, Flickr will issue a shared secret to each application/library.
• Whenever an application requires authentication, it goes through http://flickr.com/services/auth/. Here, the application has to pass an “API signature”, in addition to whatever other parameters. No user credentials are passed here.
• If the user is not already logged in to Flickr, he’s asked to. And then he’s asked whether he wishes to be authenticated against the application.
• The user can then choose to grant permissions to the application—read, write, delete.
• Once all this is done, the user is redirected to the “callback URL”—which is registered with the API key. (The return from authentication from non web-based applications is slightly different.)

The important thing? Users don’t type their credentials in the app itself. One of the reasons for doing this is to prevent phishing. I’m sure there’s been some Yahoo! influence here: we’re paranoid about such things.

Oh, yeah, another interesting thing Stewart mentioned:

...
The second reason is that eventually we'll have users who don't know/don't have Flickr credentials. For example, we'd like to be able to let people sign in to Flickr with their Yahoo IDs and transparently create accounts. Those users won't have a Flickr email/pass, but they should be able to still use API-based apps that require authentication.
...

That shouldn’t be surprising, no?

I’m gonna have to redo flickr-ruby when I get time. (The old style will continue to work for some time, though.)

• Mini Sitemap:

• Post to Journal
• Downloads

• LJ Gift Shop
• Safety Tips

• Support & FAQs
• Be a Support Volunteer

• Feedback & Contact Us
• Report Abuse

• Site News
• More... (Full Sitemap)