Netflix API Forums

OAuth

  1. If you're new to Netflix's implementation of OAuth, please try the Netflix Authorization Walkthrough, at http://developer.netflix.com/walkthrough.

    Also make sure you take a look at the Resources tab at the top of the page for additional OAuth information. You can also download Flixo, a Firefox plug-in that lets you "browse" the Netflix REST API, query its resources and view results without writing a line of code.

    Message edited by Kent Brewster 1 month ago

  2. Adrian, 1 year ago

    I have got the Objective-C OAuth code (which is set up for use on desktop MacOS X) working on the iPhone and talking to the Netflix API. There are a few things it needed and I'm blogging what I had to do at http://www.millicomputing.com - this is a "spare time" activity for me, it's not an official Netflix supported platform or anything. More later....

    Adrian from Netflix

  3. Adrian, 1 year ago

    Start here: <a href=http://millicomputing.blogspot.com/2008/09/netflix-api-and-getting-oauth-to-work.html>Netflix API and OAuth Part 1</a>

  4. Adrian, 1 year ago

    OK, first Request for Enhancement to Adam and Mike - please let us embed URLs in forum posts somehow :-)

  5. Adam Durfee, 1 year ago

    Sorry about the no HTML - it's a limit of the current system. I'll see if something can be done.

  6. JR Conlin, 1 year ago

    For those looking for an in-depth discussion on how to do oAuth authentication with our API, I suggest reading Joseph Smarr's excellent tutorial at:

    http://josephsmarr.com/2008/10/01/using-netflixs-new-api-a-step-by-step-guide/

  7. Sundar, 1 year ago

    After going through the documentation of OAuth Core 1.0 and through lots of trial and error I found out some points which I think are not properly documented here.

    1. While generating the key for HMAC-SHA1 encryption the key should be a concatenation of your "Shared Secret" and Token Secret. For the first step in OAuth, while getting the unauthorized Request token you will not have a "Token Secret". But still you have to concatenate it (empty string) with your "Shared Secret" separated by a "&". (Eg: yoursharedsecret&)

    2. The params in the signature base string should be alphabetically sorted.
    Eg: oauth_consumer_key=<your api key>&oauth_nonce=something&oauth_signature_method=HMAC-SHA1&oauth_timestamp=123456789&oauth_version=0.1.

    This whole string should be then UrlEncoded for UTF-8.
    Eg: oauth_consumer_key%3Dp<your api key>%26oauth_nonce%3DXz6T9md3%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1222972011%26oauth_version%3D1.0

    3. The above mentioned params string should be then concatenated with the httpMethod, base url, params separated by "&"
    Eg: GET&http%3A%2F%2Fapi.netflix.com%2Foauth%2Frequest_token&oauth_consumer_key%3Dp<your api key>%26oauth_nonce%3DXz6T9md3%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1222972011%26oauth_version%3D1.0

    4. This is then used as the data for the HMAC-SHA1 encryption and the key will be the one generated by step 1 above.

    5. Then the final request url is prepared where oauth_signature parameter is added to the param list along with the other params. Params are obviously separated by "&". The oauth_signature value must be UrlEncoded for UTF-8.

    Eg: http://api.netflix.com/oauth/request_token?oauth_consumer_key=<your api key>&oauth_nonce=Xz6T9md3&oauth_signature_method=HMAC-SHA1&oauth_signature=ds2iD2xnBAPTGPvXQOfv5KP6Jj4%3D&oauth_timestamp=1222972011&oauth_version=1.0

    On a successful GET request you will receive a string as response body.
    Eg : oauth_token=sjevj&oauth_token_secret=7wjD2de&application_name=YourWonderfulApp&login_url=https%3A%2F%2Fapi-user.netflix.com%2Foauth%2Flogin%3Foauth_token%3Dsjevj

    Make sure in the GET request that you make, you don't have "If-Modified-Since" header or set a value that is lesser than the default 1/1/1970 date. (for additional info on this see: http://developer.netflix.com/forum/read/28182).

    Thanks,
    Sundar

  8. Kallahar, 1 year ago

    I'm unable to get http://api.netflix.com/oauth/access_token to work.

    I'm using http://oauth.googlecode.com/svn/code/php/ but I don't think that's where the problem lies

    http://api.netflix.com/oauth/access_token
    ?auth_version=1.0
    &oauth_nonce=b0ae008de9a28ff1931ff4ec2b41d420
    &oauth_timestamp=1223052691
    &oauth_consumer_key=3z44pnwc4ynrxrba9btk8x7c
    &oauth_token=z75x9cpzqv5ksrt7dmt3eg5n
    &oauth_signature_method=HMAC-SHA1
    &oauth_signature=ypZtXEa...MI%3D

    (some values changed)

    But when I use curl to fetch the results using a GET, I get "Missing Required Consumer Key"

    Kallahar

  9. Kallahar, 1 year ago

    Playing around with http://api.netflix.com/oauth/access_token it seems to give the same "Missing Required Consumer Key" no matter what parameters are passed in. Has anyone gotten this step to work?

    Kallahar

  10. Kallahar, 1 year ago

    Well I'm retarded, I had the wrong consumer key in my code. The error message should probably read "Missing or Invalid Consumer Key" though.

  11. Keith Larrimore, 1 year ago

    I keep getting a 401 with (from wireshark):
    GET /oauth/request_token?oauth_nonce=203148&oauth_signature_method=HMAC-SHA1&oauth_token=&oauth_timestamp=1223314760&oauth_consumer_key=<my key>&oauth_version=1.0&oauth_signature=oWvJg0%2Bg8cn8PY2YyASNEJIBTDs%3D HTTP/1.1
    Connection: close
    Accept: */*
    Host: api.netflix.com

    HTTP/1.1 401 Unauthorized
    Connection: close
    X-Lighty-Magnet-Uri-Path: /oauth/request_token
    X-Powered-By: PHP/5.2.6
    X-Mashery-Responder: mashery-1.cust.iad.llnw.net
    X-Mashery-Error-Code: ERR_403_NOT_AUTHORIZED
    Content-type: text/html;charset=utf-8
    Accept-Ranges: bytes
    Content-Length: 17
    Date: Mon, 06 Oct 2008 17:38:12 GMT
    Server: lighttpd/1.4.19

    Invalid signature

    and I'm using the correct key... any ideas?

  12. JR Conlin, 1 year ago

    Try not passing the empty "oauth_token" value and make sure you're signing with just your shared secret.

  13. Kevin Landry, 1 year ago

    I am getting a 401 using the API. Here is the request:

    GET http://api.netflix.com/oauth/request_token?oauth_consumer_key=<my key>&oauth_signature_method=HMACSHA1&oauth_timestamp=1223696646&oauth_nonce=7431429664365&oauth_signature=<SIG>

    and this is the response I am seeing:

    HTTP response=HTTP/1.1 401 Unauthorized
    X-Lighty-Magnet-Uri-Path: /oauth/request_token
    X-Powered-By: PHP/5.2.6
    X-Mashery-Responder: mashery-1.cust.sjc.llnw.net
    X-Mashery-Error-Code: ERR_403_NOT_AUTHORIZED
    Content-type: text/html;charset=utf-8
    Accept-Ranges: bytes
    Content-Length: 20
    Date: Sat, 11 Oct 2008 06:23:08 GMT
    Server: lighttpd/1.4.19

    Timestamp is invalid, HTTP status=401, Timestamp is invalid=null, HTTP request headers=GET http://api.netflix.com/oauth/request_token?oauth_consumer_key=<MY KEY>&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1223696646&oauth_nonce=7431429664365&oauth_signature=<SIG>

    Any thoughts?

  14. Michael Hart, 1 year ago

    You're passing an invalid timestamp. Tip: You can use the timestamp in the error response to sync your application time if necessary.

  15. gsharvard, 1 year ago

    http://api.netflix.com/catalog/titles/movies/18704531?oauth_consumer_key=mabfqh6i3hdmbprtcp4m3xmt&oauth_nonce=679348014351483&oauth_signature_method=HMAC-SHA1&oauth_signature=JkfpxqeEXxA2eqjSZaiF%2B5eckQY%3D&oauth_timestamp=1226863772
    <Some values changed in the parameters>

    If I copy it directly into the browser, I get a 401 Unauthorized, Ruby spits out
    /opt/local/lib/ruby/1.8/open-uri.rb:278:in `open_http': 403 Forbidden (OpenURI::HTTPError)

    Here's the steps:
    I create the signature (using consumer_key+"&") and create the url with the escaped signature
    Don't try to get a token since I'm accessing a catalog method. The above url should just work. It works in Firefox, but maybe because I have Flixo installed and that is interfering.

    Please offer any insights you can. I've already wasted too much time trying to get this to work without much success.

    Also tried using the Ruby Gem but when I call get_request_token, I get a 400 "Bad Request"

  16. txt2trade, 12 months ago

    gsharvard, have you seen http://mandarinsoda.com/2008/10/19/netflix-authentication-with-ruby-oauth/? It seems that the OAuth Ruby gem doesn't work with Netflix without the branch posted at http://github.com/rares/oauth/tree/master.

  17. Daniel, 12 months ago

    I've honestly read through the OAuth documentation as well as the Netflix walkthrough for using OAuth and I'm still getting hung up on step one. I'm not sure how I'm supposed to get the value I need to be using for the auth_signature parameter. I think I'm just missing something obvious here, but I'm actually getting more confused from re-reading the documentation and the above comments.

  18. JR Conlin, 12 months ago

    Hi Daniel,

    OAuth is a bit tricky to get your head around, but hopefully, here's a few things that may help:

    1) If you want to do catalog searches, you don't need to get the User Authorization Token. Your APIKey (Consumer Key) and Shared Secret are all you need.
    2) There was an error in our documentation. "auth_signature" is actually "oauth_signature" in one of the examples. I've corrected that.
    3) Right now, we only handle HMAC-SHA1 signatures.
    4) While it seems complicated, OAuth really boils down to a few things you need to include:
    oauth_consumer_key: (The API Key you got from us when you registered)
    oauth_timestamp: (The current universal time stamp in seconds. Usually available from something like "time();")
    oauth_nonce: Nonsense crap. Seriously, just a few random characters will do here. It's just to make the URL unique and foil replay.
    oauth_signature_method: HMAC-SHA1
    oauth_signature: This is the hard bit. It's a value taken from the posting method (e.g. 'GET','POST', etc.), + the path (e.g. '/catalog/titles') + all the arguments with the keys and values having everything that's not a letter or a number escaped (e.g. 'foo=bar%20gorp&oauth_consumer_key=...')

    Honestly, I'd use one of the OAuth libraries off the Resources page to generate that. I'd also suggest installing Flixo (also available off of the Resources page) as a "spot check" for values your code may be generating. (Kind of an advanced hint, Flixo will fill in missing values, and won't change values you specify. If you wanted, you can remove the "&oauth_signature=..." and it will recreate it from the values you specify.)

    We hear you about how this is complicated, but honestly, it's still the best system out there for handling the trust issues. That said, we're happy to hear any suggestions you might have about how we can make this clearer or easier to understand.
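
Added example (not part of any post in this thread, and not Netflix's code): the signing steps Sundar lists and the parameters JR Conlin describes, written out in Python, followed by the server-side check that explains the "Invalid signature" and "Timestamp is invalid" responses and why the nonce foils replay. It follows OAuth Core 1.0 in encoding each name and value before sorting; `EXAMPLE_KEY`, `EXAMPLE_SECRET`, the `Verifier` class, its 300-second window and its "Nonce already used" message are assumptions, and the URL is assumed to carry no query string of its own.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed sample values; the nonce and timestamp are the ones quoted in the thread.
URL = "http://api.netflix.com/oauth/request_token"
CONSUMER_KEY, CONSUMER_SECRET = "EXAMPLE_KEY", "EXAMPLE_SECRET"
PARAMS = {
    "oauth_consumer_key": CONSUMER_KEY,
    "oauth_nonce": "Xz6T9md3",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1222972011",
    "oauth_version": "1.0",
}

def pct(value):
    """Percent-encode as OAuth requires: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted parameter string (no oauth_signature)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with 'consumer_secret&token_secret'; the '&' stays even if empty."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signed_url(method, url, params, consumer_secret, token_secret=""):
    """Final request URL; the base64 signature's '+', '/' and '=' get %-escaped."""
    full = dict(params, oauth_signature=sign(method, url, params, consumer_secret, token_secret))
    return url + "?" + "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(full.items()))

class Verifier:
    """Hypothetical server-side check: timestamp window, signature, then nonce reuse."""

    def __init__(self, consumer_secret, max_skew=300):
        self.consumer_secret = consumer_secret
        self.max_skew = max_skew  # assumed tolerance in seconds
        self.seen = set()         # (consumer key, timestamp, nonce) already accepted

    def check(self, method, url, params, token_secret="", now=None):
        now = time.time() if now is None else now
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, TypeError, ValueError):
            return "Timestamp is invalid"
        if abs(now - ts) > self.max_skew:
            return "Timestamp is invalid"
        expected = sign(method, url, params, self.consumer_secret, token_secret)
        supplied = str(params.get("oauth_signature", ""))
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return "Invalid signature"
        replay_key = (params.get("oauth_consumer_key"), ts, params.get("oauth_nonce"))
        if replay_key in self.seen:
            return "Nonce already used"  # constructed message, not from the thread
        self.seen.add(replay_key)         # recorded only after the signature checks out
        return "ok"

if __name__ == "__main__":
    print(base_string("GET", URL, PARAMS))
    print(signed_url("GET", URL, PARAMS, CONSUMER_SECRET))
    request = dict(PARAMS, oauth_signature=sign("GET", URL, PARAMS, CONSUMER_SECRET))
    server = Verifier(CONSUMER_SECRET)
    print(server.check("GET", URL, request, now=1222972011))  # first use
    print(server.check("GET", URL, request, now=1222972011))  # same nonce again
```
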

  19. Daniel, 12 months ago

    JR, thanks for your info. I actually managed to get my head around it today after some sleep. I'm writing this all in a scripting language which has no native support for generating the SHA1 values. I ended up working around this by writing a PHP script to do the SHA1 work for me. I pass the data and key to the PHP script and the PHP script hands me back the value I need, in MIME format, for the oauth_signature. mIRC scripting was not built for this, but this was the biggest hurdle, everything else should be relatively easy now.

  20. Kris Shinn, 11 months ago

    I'm starting to play around with the api. I've successfully gotten to the point of getting the request_token. However, when I try and exchange the request_token for the access_token I keep getting a 401 - Invalid Signature method. I've also tried obtaining the access_token / user_id from Flixo and using that to access a user queue, but I get the same error. Because I'm successfully getting the request token, it makes me believe that the problem is not with the HMAC-SHA1 algorithm, but something else.

    Below is the SBS
    using the key <shared_secret>&<request_secret>
    GET
    &http%3A%2F%2Fapi.netflix.com%2Foauth%2Faccess_token
    &oauth_consumer_key%3D<api_key>
    %26oauth_nonce%3D1110614947
    %26oauth_signature_method%3DHMAC-SHA1
    %26oauth_timestamp%3D1228847130
    %26oauth_token%<request_token>
    %26oauth_version%3D1.0

    Any ideas?

  21. JR Conlin, 11 months ago

    First off, I'm hoping that you're not sending the Signature Base String as the request. It should be a normal URL (e.g. "http://api.netflix.com/oauth/access_token?oauth_consumer_key=...") (I don't think you are, but I just want to make sure). Another thing to watch out for is that the oauth_signature value is properly encoded. (e.g. all "+" or "/" characters are converted to "%hex" values. I also STRONGLY advise you to use "%20" instead of "+" for spaces).

    Honestly, if at all possible, I suggest you use an OAuth Library to do the signature generation rather than trying to roll it yourself. Can I ask what language you're developing in?

  22. Kris Shinn, 11 months ago

    You are right, I'm not sending the SBS as my request. I just thought I'd post it to double check that it was properly formed.

    I'm developing the application in JavaME (equiv. to Java 1.3). Due to the limiting nature of JavaME, I'm generating the oauth_signature via python as a server request. I will look for an oAuth Lib in python. Right now I am rolling my own using the hmac.sha1 algorithms provided by the standard python libs.

  23. cannadbt, 10 months ago

    I just finished up a Silverlight tutorial where I used a small C# OAuth wrapper that I would recommend for any C# developers.

    OAuth Wrapper: http://devblog.yedda.com/index.php/2007/10/18/oauth-c-basic-library/

    Tutorial: http://www.switchonthecode.com/tutorials/silverlight-and-the-netflix-api

  24. Thinking Ahead LLC, 10 months ago

    Hi,
    I am trying to use oauth with the rares-branch Ruby gem. I keep getting the error:

    instance of OAuth::Consumer needs to have method `marshal_load'

    My code, activate.rb is below. Any thoughts?

    require 'oauth/consumer'

    def index
      @consumer = OAuth::Consumer.new("CONSUMER KEY", "CONSUMER SECRET", {
        :site => "http://api.netflix.com",
        :request_token_url => "https://api-user.netflix.com/oauth/request_token",
        :access_token_url => "http://api.netflix.com/oauth/access_token",
        :authorize_url => "https://api-user.netflix.com/oauth/login",
        :application_name => "AppName"
      })

      @request_token = @consumer.get_request_token

      session[:request_token] = @request_token
      session[:request_token_secret] = @request_token.secret

      @authorize_url = @request_token.authorize_url({
        :oauth_consumer_key => "CONSUMER KEY",
        :application_name => "AppName",
        :oauth_callback => "http://localhost:3000/activate/callback"
      })

      redirect_to @authorize_url
    end

    def callback
      @request_token = OAuth::RequestToken.new(session[:request_token],
                                               session[:request_token_secret])

      @access_token = @request_token.get_access_token
    end

  25. Robert Burdick, 9 months ago

    Hello:

    I have a developer account that allows credential POSTing. I am trying to figure out how to use the login API to POST a username and password in order to login. This API https://api-user.netflix.com/oauth/login supports this capability, with these parameters:

    Parameter     Description
    name          The subscriber’s name.
    password      The subscriber’s password.
    accept_tos    Indicates the user TOS have been accepted this parameter is present. Default value is false.
    oauth_token   A valid request token.

    Question is, how do I use this if I don't have an oauth_token? Also, can I pass the default value of false to accept_tos?

  26. JR Conlin, 9 months ago

    Apps are STRONGLY ENCOURAGED to use the browser based OAuth sign in process whenever possible. This will provide the users with a secure means of providing their account information without handing over their credentials to unknown parties.

  27. Robert Burdick, 9 months ago

    Thanks JR. I guess what I'm asking for is a SIMPLE example of how to login a user and do some simple operations like requesting a queue or searching for a movie. I would love a "Hello Netflix" sample application. Flixo is confusing, and I frankly can't even get it to work on my computer. I want to start with a username and password, get authenticated, and retrieve my test account queue for example. Is there no sample code to share as part of the API?

  28. JR Conlin, 9 months ago

    Ah, I see. The "PHP demo" I provide doesn't do the OAuth User Token dance, but does show the basic step you can use to get the information via PHP. I'd really recommend taking a look at the "Resources" page (see the tabs at the top) and reading Joseph Smarr's excellent tutorial on how to get the user token for the order of the fetches. OAuthSimple allows you to specify the signatures as one of the arguments to signing, but there are other libraries that allow similar approaches.

    One of the challenges to providing sample source code is that the various OAuth libraries aren't horribly consistent between languages. That's why we generally prefer to point people toward good Mr. Smarr's article and leave the actual implementation portion as an exercise for the reader. (That said, I'd happily welcome anyone's offer to help create a multi-language, standardized OAuth library to make these sorts of tutorials possible, or even better, more folks to build language specific Netflix API libraries.)

  29. Michael Hart, 9 months ago

    Robert, BTW the "token" required for sign-in is the REQUEST token you obtained in the first step of the OAuth handshake.

  30. Robert Burdick, 9 months ago

    Thanks. Do I also need the application name in the browserless login request? I'm getting an XML error response from login stating that the application name is missing...

  31. Kirsten Jones, 9 months ago

    I suspect it's not well documented because Netflix doesn't want you to bypass the browser mechanism, but I believe you need to pass along application_name as well as callback (which can be blank). The application name *must* match the application name under the settings for your developer account. Exactly. Including capitalization (learned this one the hard way).

  32. Robert Burdick, 8 months ago

    Hello everyone:

    I am having a weird OAuth problem. I have two test accounts set up for my developer account. When I test my mobile application, no matter what credentials I enter (even incorrect ones) I always get queue, etc. information for the first test account I created. Is there something that I need to do to kill the session? I'm wondering if I'm always logged in as the first user because I'm not correctly logging out...

  33. Alan Castro, 8 months ago

    Hi everyone,

    I'm having some problem to post a disc in a queue using the API.

    I've been using GET and DELETE with success, but when I make the POST calls it just doesn't work.

    What's the difference between POST and GET signature signing? Is it just the http method name in the SBS?

    Thanks!

  34. Alan Castro, 8 months ago

    Oh it was an encoding problem :/

    fixed it!

  35. uacsdev1101, 4 months ago

    I'm working on a stand-alone app in Python and I'm going to be the only one to ever use it. So I'm trying to do a browserless login and I don't care about security issues. I can successfully get a request token and generate the OAuth Login Page, but I get a 401 Unauthorized http error on the access token. I believe this is because I'm not actually confirming that my account be linked to my app, by clicking the "Yes, Link This Account" button on the login page for example. I looked at the source for this page, and the url that is connected to upon confirmation is hidden.

    1) Is there a url that I can connect to (most likely containing my account information) outside of the browser to do the confirmation?
    2) Since I'm the only targeted user, can Netflix just give me an access token for my account that I can use indefinitely?

  36. JR Conlin, 4 months ago

    In short: no, you have to go through the browser page. Offering a way to get an access token without that page is a potential security risk.

    On the plus side:
    1. Your access token is indefinite. It lasts until you revoke it, (or if it's being used for something that violates our Terms of Service, but that's probably not the case here.)
    2. You don't need to go through your app to get it. (You can use any other means, including the Walkthrough page, Flixo, or any other method you'd like.) The only thing you need is to make sure that you've fetched the access token using the same consumer key as your app.

    For what it's worth, I do something similar to what you're doing. I used Flixo to fetch out my UserID, access token and secret and then run a few perl scripts against that to shuffle my movies around automatically.

    Does that help?

  37. uacsdev1101, 4 months ago

    Thank you for the quick response. I have already tried using an access token from the Walkthrough page, but that didn't work either. I went ahead and tried again right now just to be certain and it does not work. However, I've done the walkthrough several times, so maybe the first access token I generated is the only valid one.

    I attempted to do the user dump as on the Authentication Overview Page, and this is the url that I formed using the access token from the walkthrough:
    http://api.netflix.com/users/MySubscriberID?oauth_nonce=22970235&oauth_timestamp=1247439943&oauth_consumer_key=MyConsumerKey&oauth_signature_method=HMAC-SHA1&oauth_version=1.0&oauth_token=MyAuthorizedToken&oauth_signature=JYxZ3CfRHxFtIxL5I5wqi%2FMC0RE%3D

    As a side note, I am using the Python OAuth client library written by Leah Culver.

  38. Geoff P, 1 month ago

    I'm having problems working through OAuth. I'm developing an application for an iPhone. My question is this:

    I'm to the step where I ask the Subscriber to Login. In the URL, it asks for a "oauth_callback". I don't want to re-direct this to another website. This is just a standalone application on my iPhone. What do I put for "oauth_callback"?

    Thanks in advance!
    Geoff P.

  39. JR Conlin, 1 month ago

    The callback is invoked in the client browser, meaning that you can register the callback on the iPhone. I'd suggest taking a look at the SDK documentation around the JavascriptCore API. There should be some examples of how to do what you want.

  40. Tim, 1 month ago

    Does anyone have an example of getting the OAuth to work in Objective-C? I would appreciate any help.

  41. Adrian, 1 month ago

    Last year I blogged some info on getting Netflix OAuth working on the iPhone

    http://millicomputing.blogspot.com/2008/10/netflix-api-netflix-specific-oauth.html

    I have some updated code that I could post if you need more hints.

    My app is Instant Queue Add for Netflix - new and much improved V5 is about to hit the app store.

  42. Geoff P, 1 month ago

    Simple question on OAuth:

    Should my oauth_token returned to me after I Request Token be the same as the oauth_token I receive in my callback URL?

    thanks!

  43. Tim, 1 month ago

    I would love to see your updated code, if possible. The URL you listed has also been a great help.

    Thanks for the help