
Re: [Flickr APIs] new authentication api: msg#00013

web.flickr.api

Subject: Re: [Flickr APIs] new authentication api

This is a major improvement, URL redirection would be very useful and
limiting the need to frequently pass personal data is important. My only
concern with URL redirection and the replacement of login data with the auth
token for edit actions - are security considerations. Conceivably it would
allow an api_key to be easily 'hijacked' and used by someone who doesn't
have one to compromise personal details - whilst masquerading as the
original application. This could be limited in closed source applications by
demanding that an application specific 'secret' token is returned with the
second confirmation call for verification (but I get the impression this
second call has been done away with?)...

// Jacob


On 20/8/04 1:45 am, Cal Henderson wrote:

> the major difference from the old auth api is it
> lets you define the return url dynamically, so you
> can include custom data in it, or more importantly,
> build it into an installed product and have the
> auth bounce back to the installation being used
> (think 'wordpress') without needing an api_key for
> each installation.
>
> once the token is received, then the full api can
> be used, without ever having to get the user to
> input their login details anywhere but flickr.com



