
How do you make an authenticated request?

Open jescalan opened this issue 11 years ago • 3 comments

I'm sorry, I feel like an absolute idiot for asking this, but I am straight up unable to figure out how to make an authenticated request to this API. I have burned numerous hours trying to figure this out and just got back empty responses with 401 error codes that are entirely unhelpful in me figuring out where I have gone wrong.

So first approach I made was using OAuth headers. The request looked like this:

url: 'https://api.500px.com/v1/users/'
headers: 
  Authorization: 'OAuth oauth_consumer_key="xxx",oauth_token="xxx"'

Both the consumer key and the oauth token are entirely valid. I have also tried including the other shenanigans oauth keys like "signature method" etc to no avail. Since I want to use the API for personal use, and since it only needs a single test key for testing the library I'm working on, I grabbed the token from Grant, since this means I didn't have to set up my own authorization pipeline from scratch for the purpose of obtaining a single token (that being said, providing a personal access token with the app as twitter does would be incredibly useful). This is returning a blank response with a 401 status code, even though the header format appears to be valid and my consumer key and token are valid.

Next, I tried adding these as querystrings to the url directly. So the request looked like this:

url: 'https://api.500px.com/v1/users?oauth_token=xxx&consumer_key=xxx'

Now, this behaved in a very strange manner. When I was in my main browser in which I'm logged in to 500px, it returns the response correctly, which was exciting. However, in an incognito browser, it returns a blank 401, and it's the same when running from a script, as I assume there was some sort of strange cookie pull for the authentication.

If someone could just provide me with an example of what an authenticated request would look like, this would be immensely helpful. If anyone can do this and I can get past this strange auth issue with the API, I will publish a fully implemented node API wrapper for the 500px api, fully tested and at 100% coverage, and will maintain it, because I need to use this. Please?

jescalan, Nov 12 '14 04:11

If you're looking to see what an OAuth request looks like, take a look at the API Console. At the top of the console, select the authentication method and change it to OAuth. You will be redirected to the authorization page on 500px to authorize the console to access your account and then returned to the console. From there, when you make a request to /users, you can look at the request URL and headers. It's using OAuth v1 to sign the request.

Once you have an access token and access token secret for a user by going through the OAuth authorization flow, you need an OAuth consumer to sign each request that you want to make authenticated as the user with the access token, access token secret, consumer key and consumer secret. If you don't need to be authenticated as the user you can just append consumer_key=xxx to your requests. You may want to use an OAuth consumer like node-oauth as signing is a little complex.

lkorth, Dec 18 '14 06:12

Hi @lkorth -- thanks for the response! I have spent quite a bit of time with the API console, down to directly exactly replicating its headers and such, and am still unable to make an authenticated request. What's worse is that it just sends back an empty 401, so I have no idea what was wrong or how to go about starting to fix it. Is there any way that you could help me (and potentially others) out by writing a short snippet of code that would make an authenticated request, that you have verified as working?

Like, just a curl command even would be wonderful. Or an example with request, since you suggested a node auth library and I am using node for this anyway :grinning:

I have spent a lot of time working with a large number of APIs, and I've never had so much difficulty working with one as I've had with this one. I'm sure it's on OAuth and not you guys, but I'm a pretty experienced developer and have spent hours trying to get this to work to no avail. I'm sure having an example down would help others in the future as well as myself!

jescalan, Dec 18 '14 20:12

To be clear, I don't work for 500px.

I recommend using a library for the signing if you are not intricately familiar with the OAuth 1 protocol. In the example request you provided that didn't work, you were missing a few headers or params on the query string, namely the oauth_timestamp, which should be the current timestamp of the request; oauth_nonce, a value that should be unique across requests; and oauth_signature.

These are all the headers or params that should be included in every request. Keep in mind that the url is signed and you cannot change it or reuse the same request more than once.

Authorization: OAuth
    oauth_consumer_key="CONSUMER_KEY",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="TIMESTAMP",
    oauth_nonce="NONCE",
    oauth_version="1.0",
    oauth_token="TOKEN",
    oauth_signature="SIGNATURE"

Due to what is involved in making a request I don't know of any simple curl + bash script to generate a working example, but you can use LinkedIn's OAuth Test Console to play with the params more.

lkorth, Dec 31 '14 22:12