Help with Tumblr API keys
January 13, 2013 12:55 PM Subscribe
When using the Tumblr API, how exactly do I get the 'access_token' and 'access_secret' keys I need to post through my account via a script.
Howdy. I'm trying to set up a PHP script that will let me take content I've queued up and post it at regular intervals. Problem is I don't really know what I'm doing. Here's where I am at:
I have registered an app with Tumblr and saved my consumer_key and consumer_secret
I have found the following php function that seems to be what I'm looking for.
To use that function I need to have my 'access_token' and 'access_secret' keys. My understanding is that these keys are generated when you are logged in to tumblr and then give permission to an app to access your account. But I don't understand how to do that exactly. Basically I have a flat php script that runs off cron job and assumes you have that info already. How do I write a simple tool for my app that lets me jump through the hoop of explicitly giving my app permission and saving the resulting tokens?
I see people mentioning the "3-legged oauth authentication" routine, which I strongly suspect is what I'm looking for, but I can't seem to find an explanation on how exactly to do through that simple enough that I can grok it.
Anyone care to explain it in a way that could be understood by someone who's a moderately PHP literate adult, but doesn't understand much of anything else.
Howdy. I'm trying to set up a PHP script that will let me take content I've queued up and post it at regular intervals. Problem is I don't really know what I'm doing. Here's where I am at:
I have registered an app with Tumblr and saved my consumer_key and consumer_secret
I have found the following php function that seems to be what I'm looking for.
To use that function I need to have my 'access_token' and 'access_secret' keys. My understanding is that these keys are generated when you are logged in to tumblr and then give permission to an app to access your account. But I don't understand how to do that exactly. Basically I have a flat php script that runs off cron job and assumes you have that info already. How do I write a simple tool for my app that lets me jump through the hoop of explicitly giving my app permission and saving the resulting tokens?
I see people mentioning the "3-legged oauth authentication" routine, which I strongly suspect is what I'm looking for, but I can't seem to find an explanation on how exactly to do through that simple enough that I can grok it.
Anyone care to explain it in a way that could be understood by someone who's a moderately PHP literate adult, but doesn't understand much of anything else.
Best answer: I made this script, which I hope will be helpful. All you need is your consumer key and consumer secret (which you can find on the Tumblr API Application page). It'll guide you through the process of authorizing your application, picking through the callback query string, and parsing the subsequent request to fetch the access token and access token secret.
The script is written in Python. It's heavily based on this example from the LinkedIn developer docs—they also provide a PHP example, if you're interested in making your own tool in PHP.
By way of explanation, the basic flow of OAuth v1 authentication is something like this:
(1) Your application gets a "request token" from the API's request token URL, which you append to the remote service's "authorize" URL.
(2) The user (in this case, you) goes to the "authorize" URL, with request token information on the URL; the remote service then displays a web page which allows the user to grant your application access to their account.
(3) The remote service then redirects the user to your application's "callback URL," including an OAuth "verifier" on the query string.
(4) Using a combination of the request token and the verifier string, your application can then request an actual access token from the remote service.
The above steps don't seem all that complicated, but the difficult part is that each of those requests from your application to the remote service need to include a signature. (The "signature" in this case is basically a big hash that verifies the integrity of the request, to prevent repetition and man-in-the-middle attacks.) Generating the signature is tricky and is best left to pre-baked libraries.
Also, don't feel bad for not understanding all of this on your first try—OAuth v1 is an complicated, almost rube goldbergian standard that baffles users and developers alike.
posted by aparrish at 9:01 PM on January 13, 2013
The script is written in Python. It's heavily based on this example from the LinkedIn developer docs—they also provide a PHP example, if you're interested in making your own tool in PHP.
By way of explanation, the basic flow of OAuth v1 authentication is something like this:
(1) Your application gets a "request token" from the API's request token URL, which you append to the remote service's "authorize" URL.
(2) The user (in this case, you) goes to the "authorize" URL, with request token information on the URL; the remote service then displays a web page which allows the user to grant your application access to their account.
(3) The remote service then redirects the user to your application's "callback URL," including an OAuth "verifier" on the query string.
(4) Using a combination of the request token and the verifier string, your application can then request an actual access token from the remote service.
The above steps don't seem all that complicated, but the difficult part is that each of those requests from your application to the remote service need to include a signature. (The "signature" in this case is basically a big hash that verifies the integrity of the request, to prevent repetition and man-in-the-middle attacks.) Generating the signature is tricky and is best left to pre-baked libraries.
Also, don't feel bad for not understanding all of this on your first try—OAuth v1 is an complicated, almost rube goldbergian standard that baffles users and developers alike.
posted by aparrish at 9:01 PM on January 13, 2013
Response by poster: Hey, thanks much for taking the time to help. I started trying to work things through with pla's links but once you posted your script aparrish I decided to try that out (which meant installing python and figuring out how to get oauth2 installed, which was kinda tricky for a newbie :)
It seemed to work (in as much as it gave me two keys that look like what I'd expect), but alas my script (the one I linked to) just keeps spitting out: {"meta":{"status":401,"msg":"Not Authorized"},"response":[]} ".
So I dunno if I got the keys wrong, or if something else is broken. Perhaps this is just out of my league for the time being. =\
posted by Jezztek at 10:42 PM on January 13, 2013
It seemed to work (in as much as it gave me two keys that look like what I'd expect), but alas my script (the one I linked to) just keeps spitting out: {"meta":{"status":401,"msg":"Not Authorized"},"response":[]} ".
So I dunno if I got the keys wrong, or if something else is broken. Perhaps this is just out of my league for the time being. =\
posted by Jezztek at 10:42 PM on January 13, 2013
Response by poster: Second update. Welp, it looks like I got everything to work (I think... ). Basically I tossed out the script I has glommed on to and instead just started reading in an attempt to build the most basic version I could imagine from the bottom up instead of using a pre-made script. And what do you know, hard work actually paid off for once.
Thanks again!
posted by Jezztek at 2:57 AM on January 14, 2013
Thanks again!
posted by Jezztek at 2:57 AM on January 14, 2013
This thread is closed to new comments.
Less straightforward (since you'll need to modify these, but perhaps more what you want since they will work programmatically), I found about a dozen scripts to do it for Twitter (such as this or this). You could likely adapt them for Tumblr without much effort.
As for the explanation, you can always do worse than going right to the spec. But in this case, I found one better... An unofficial OAuth for Dummies overview (no personal sleight intended). :)
posted by pla at 2:42 PM on January 13, 2013