Starting with FotoWeb feature release 12 (build 8.0.850), integrations using the FotoWeb widgets should use OAuth 2.0.
This is described in Using Embeddable Widgets.
The methods described in this article exist for backward compatibility only.
Existing integrations written for older FotoWeb versions will continue to work, provided that the "Enable Legacy Widget Integrations" option is enabled in the site settings (under Applications). For sites that do not use any integrations of this kind, we recommend leaving this option disabled.
We recommend updating existing integrations to use the new method.
The legacy methods of authorizing widgets to access FotoWeb have the following minor security risks:
- The selection widget may be embedded by arbitrary web sites, including malicious sites. Although there is no way for a malicious site to obtain an access token in this way, the malicious site may get access to data about selected assets.
- The legacy method of interactive authentication involves opening the FotoWeb login page in an IFRAME, thus making legitimate apps using the FotoWeb widgets harder to distinguish from phishing sites that are impersonating the FotoWeb login page to steal passwords or attempting to gain authorization via clickjacking attacks.
- The export widget, when used in the legacy way, is vulnerable to cross-site request forgery (CSRF). While nothing harmful can be done using this attack, it is always better to prevent cross-site attacks altogether.
Note that these security risks are present both in older and newer versions of FotoWeb. The use of OAuth 2.0 in newer versions neither increases nor mitigates these risks.
The legacy methods described here are only supported for the selection widget and the export widget, not for any other (including future) widgets.
If this authentication mode is used, the user will see the FotoWeb login form before being able to use the selection widget. After entering a valid username and password, the user will be taken to the actual widget.
To use this method, simply embed the widget with no URL parameters:
Starting with FotoWeb 8.0 Feature Release 12, users can log in using SSO (e.g., Azure AD, Windows Active Directory, SAML) in applications using this method. With previous versions of FotoWeb, only username and password authentication is supported.
This authorization method will also set a temporary cookie, which allows the user agent to use the export widget, so the export widget can be embedded with no additional authorization parameters:
Login tokens are another legacy authorization method which allow a third-party application to authorize a widget without asking the user to enter any credentials. This assumes that the application has already authenticated the user in an unspecified way (e.g., using the FotoWeb API, Active Directory or its own user database with a mapping to FotoWeb users).
NOTE: For licensing reasons, it is necessary that different users (logging in from different browsers) have distinct user accounts in FotoWeb. You can not have one shared account for using a widget.
Once the user is authenticated, the third-party application generates a widget login token (as described below). The lifetime of the token should not be more than a few seconds or minutes, giving enough time for the user's browser to open the widget URL and for the server to process the request.
The login token is then passed to the widget URL as in the following example for the selection widget:
The export widget is embedded in the same way as when using interactive authorization:
Generating Login Tokens
To generate a login token, the application needs to implement the token generation algorithm and know the encryption secret of the FotoWeb site.
Every token consists of:
- Start and end date and time between which the token is valid
- User name
The signature is a hash value of the other values. It is used to prevent forgery of login tokens by malicious applications.
Sample code for generating tokens is publicly available in a GIT repository (external link).