OAuth FAQ

If you have questions about OAuth, or are having trouble getting it to work, you might find an answer to your question here. If not, you can email us and we will help you out.

Why does my request fail with "The user has not granted the required permissions"?

When you request authorization to access a SmugMug user's account (by redirecting them to the /authorize endpoint), you are also requesting a specific level of access. There are two query parameters which can be added to the /authorize URL to change the level of access being requested.

If you don't send one or both of those parameters, you get the default level instead. In both cases, the default is the lowest level, so if you are getting the default level unintentionally, it may be a lower level of access than your application needs to work.

Also, note that once the user has granted authorization to your application, you can't change the level of access by making a new authorization request. At that point, only the user can change the level of access, which they can do in Account Settings.

Why does my request fail with "oauth_problem=parameter_absent"?

There are many required parameters when making an OAuth request, and you will see this message if any of them are missing. However, the most common cause of this problem is the difference between the two revisions of the OAuth 1.0 standard, which are called 1.0 and 1.0a. Note that RFC 5849 is the same as OAuth 1.0a, even though the title of the RFC is just "OAuth 1.0".

We highly recommend that you use OAuth 1.0a. If you are using the 1.0a endpoints, then you must pass an oauth_callback parameter to the getRequestToken endpoint. If you are porting code that used OAuth 1.0, it may not be sending an oauth_callback parameter, which would cause the error parameter_absent.

Why is the authorization page not redirecting back to my application like it should?

If you find that clicking the "Authorize" button on the authorization page appears to do nothing, you are probably trying to pass your callback URL dynamically via an oauth_callback parameter to the deprecated OAuth 1.0 getRequestToken endpoint. For security reasons, SmugMug does not allow dynamic callbacks when using OAuth 1.0. You can solve this problem by switching to OAuth 1.0a.

Why does my request fail with "oauth_problem=signature_invalid"?

OAuth requests are signed to catch problems that corrupt your request, such as network errors or man-in-the-middle attacks. The signature you calculate must match the signature that SmugMug calculates, or the request fails.

The signing algorithm must be followed precisely, because even a small difference in the input to the algorithm will result in a different signature. For this reason, we highly recommend that you use an off-the-shelf library to make your OAuth requests.

If you are having trouble with signatures, here are some things to check:

  1. Is your oauth_signature being percent-encoded? OAuth signatures use base64 encoding, which can produce some special characters that need to be percent-encoded in the Authorization header or in the URL query string.
  2. Does your request URI have an empty path? In the case of SmugMug, this would probably be https://upload.smugmug.com. If so, use / as the path instead: https://upload.smugmug.com/.
  3. Does your request URI have any uppercase letters in the hostname? If so, change them to lowercase. For example, you should change https://api.SmugMug.com/api/v2 to https://api.smugmug.com/api/v2.
  4. Are you making a POST or PATCH request? If so, are you sending the right Content-Type header? For example, if you are sending JSON in the request body, the Content-Type header should be application/json.
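
Checks 1 to 3 above, shown as an added example that is not SmugMug's own code: a minimal RFC 5849 signer you can compare your library's output against. It assumes the HMAC-SHA1 signature method; the function names and the credentials in the demo are made up for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Assumption: HMAC-SHA1 signing per RFC 5849. All names below are illustrative.

def pct(value):
    """RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unescaped."""
    return quote(str(value), safe="-._~")

def base_uri(url):
    """Base string URI: lowercase scheme/host (check 3), path never empty (check 2)."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if parts.port and parts.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{parts.port}"  # only non-default ports are kept
    return f"{scheme}://{host}{parts.path or '/'}"

def signature(method, url, oauth_params, consumer_secret, token_secret=""):
    """Raw base64 signature over the method, base URI and sorted parameters."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    base_string = "&".join([method.upper(), pct(base_uri(url)), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def authorization_header(method, url, oauth_params, consumer_secret, token_secret=""):
    """Header value with every parameter percent-encoded, signature included (check 1)."""
    signed = dict(oauth_params)
    signed["oauth_signature"] = signature(
        method, url, oauth_params, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(signed.items()))

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    params = {
        "oauth_consumer_key": "example-key", "oauth_token": "example-token",
        "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1700000000",
        "oauth_nonce": "example-nonce", "oauth_version": "1.0",
    }
    url = "https://api.SmugMug.com/api/v2"
    print(base_uri(url))
    print(authorization_header("GET", url, params, "example-secret", "example-token-secret"))
```

If your library's signature differs from this one for the same inputs, compare the two base strings first; the mismatch is almost always visible there.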