This article was written after a webinar in which FotoWare developers demonstrated how to get started using OAuth with FotoWare integrations.
The questions below the video are from the Q&A session after the webinar.
Questions and Answers
Why can't I simply load the selection widget in an IFRAME any more? Older versions of FotoWeb supported this.
The old method of FotoWeb has a number of minor security flaws. For example, the selection widget could be embedded on any website, with no restrictions. With OAuth, only registered applications and websites can embed widgets.
The old method still works with FotoWeb on-premises, by enabling the "Legacy Selection Widget" option in the site settings. This is not supported in FotoWare SaaS.
No! If you are building a web app that uses OAuth to integrate with FotoWare, you can choose whether your application will have a back-end or not. If you already have a back-end, or it is easy for you to set up, then you will get some benefits in terms of security and user-experience. For example, you can use refresh tokens to keep users permanently "logged in" to the app, and with future versions of FotoWeb and SaaS, you can disable the consent dialog, or it will be shown to users only once.
It looks like OAuth requires users to log in via the browser. What if my app is a native app running on a Mac or on Windows, or even on a phone?
OAuth is designed for native apps as well. Every native platform has a browser these days, and the recommended approach is to simply open the user's default browser and navigate to the OAuth authorization URL. To get the authorization code back, there are three different approaches, all of which require that your application listens on some kind of callback URL that the browser can open. For example, you can run an embedded web server on localhost, you can use a custom URL scheme and register it in the OS, or on mobile, you can use app-claimed HTTPS URLs, so the user will be asked to open your app instead of the browser.
If for any reason you cannot launch the browser, you can also embed a "native" browser view in your app. This works, but is not recommended. In the standard browser, users can use password managers, verify that the connection is secure, and that the URL is correct. This is why it is best for security and convenience, but admittedly not always very pretty, to just use the default browser in a "natural" browser tab, with all bars, extensions and controls visible.
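The first of the three callback approaches above (an embedded web server on localhost) is shown here as an added example; it is not code from the original page or from FotoWare. It is a plain authorization-code flow for a public native client: a random `state` value that the callback must echo back, a PKCE code verifier/challenge (RFC 7636), a throwaway HTTP server on 127.0.0.1 with a random port to receive the redirect, and the token request that redeems the code. The endpoint URLs, the tenant hostname and the `client_id` are assumptions for a hypothetical registration; whether the server enforces PKCE is not stated on this page, but sending it costs nothing and the `state` check is enforced by the client regardless. `deliver_callback` stands in for the browser hitting the loopback URL so the flow can be exercised offline.

```python
import base64
import hashlib
import http.server
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
import webbrowser

# Assumed endpoints for a hypothetical tenant; take the real ones from your app registration.
AUTHORIZE_URL = "https://example.fotoware.cloud/fotoweb/oauth2/authorize"
TOKEN_URL = "https://example.fotoware.cloud/fotoweb/oauth2/token"
CLIENT_ID = "my-native-app"  # hypothetical public client (native apps cannot keep a secret)

def pkce_challenge(verifier):
    """S256 challenge (RFC 7636): BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(redirect_uri, state, verifier):
    """Authorization request to open in the user's default browser."""
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
        "state": state, "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256"})

def parse_callback(path, expected_state):
    """Validate the redirect that reached the loopback server; return the code or raise ValueError."""
    q = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    # Constant-time state check: a mismatch means a forged or stale redirect, so refuse it.
    if not secrets.compare_digest(q.get("state", [""])[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code

class LoopbackReceiver:
    """Ephemeral HTTP server on 127.0.0.1 (random port) that captures a single callback."""
    def __init__(self, expected_state):
        self.result = None  # authorization code, or the ValueError raised by parse_callback
        self._done = threading.Event()
        receiver = self

        class Handler(http.server.BaseHTTPRequestHandler):
            def do_GET(self):
                try:
                    receiver.result = parse_callback(self.path, expected_state)
                    status, body = 200, b"Login complete. You can close this tab."
                except ValueError as exc:
                    receiver.result, status, body = exc, 400, str(exc).encode()
                self.send_response(status)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
                receiver._done.set()
            def log_message(self, *args):  # keep the console quiet
                pass

        self._server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
        self.redirect_uri = "http://127.0.0.1:%d/callback" % self._server.server_port
        threading.Thread(target=self._server.serve_forever, daemon=True).start()

    def wait(self, timeout=300):
        """Block until the browser hits the callback; return the code or re-raise the recorded error."""
        got = self._done.wait(timeout)
        self._server.shutdown()
        self._server.server_close()
        if not got:
            raise TimeoutError("no callback received")
        if isinstance(self.result, Exception):
            raise self.result
        return self.result

def deliver_callback(url):
    """Fetch a URL the way the browser would; returns the HTTP status (used by the demo/test)."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code

def exchange_code(code, redirect_uri, verifier):
    """Redeem the code at the token endpoint; the PKCE verifier takes the place of a client secret."""
    body = urllib.parse.urlencode({"grant_type": "authorization_code", "code": code,
        "redirect_uri": redirect_uri, "client_id": CLIENT_ID, "code_verifier": verifier}).encode()
    with urllib.request.urlopen(TOKEN_URL, data=body, timeout=30) as resp:
        return resp.read()  # JSON with access_token (and a refresh_token if one is issued)

def login():
    """Interactive flow: open the default browser, wait for the redirect, exchange the code."""
    state, verifier = secrets.token_urlsafe(32), secrets.token_urlsafe(64)
    receiver = LoopbackReceiver(state)
    webbrowser.open(build_authorize_url(receiver.redirect_uri, state, verifier))
    return exchange_code(receiver.wait(), receiver.redirect_uri, verifier)

if __name__ == "__main__":
    print(login())
```

The registered redirect URI for such a client has to allow the loopback address with a variable port, since the port is chosen at run time; if your registration only accepts a fixed port, bind to that port instead of 0. The response page returned by the handler is deliberately plain text with no script, so nothing from the query string is reflected as HTML.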
My application is a script that does some automation in the background using the API. How can I use OAuth if there is no user that can log in via the browser?
You cannot use OAuth for non-interactive applications. For now, you can simply use the FWAPIToken header with the API key you can generate in the site settings. This gives your application full access to the API. But you cannot make requests on behalf of specific users.
Future versions will also support non-interactive OAuth, where you will have application-specific keys that you can generate and revoke separately, which gives you more fine-grained control over all the services that access your FotoWare tenant or site.
Is anyone actually using this?
Yes, some of our partners have built great integrations using OAuth. Medialogix have built a number of mobile applications on iOS and Android, and soon all of our own applications will be using OAuth as well.
What if I am not a programmer - Can I still build integrations with FotoWare?
You can get a long way without writing a single line of program code by using webhooks, markers and actions. For more sophisticated integrations, you may still have to write code, but using forward-integrations based on webhooks or drag & drop export, you do not need to use OAuth. This allows you to build a wide range of integrations with minimal coding effort.
The selection widget is great, but what if it doesn't quite do everything I need it to do, or its design doesn't fit very well into my application's user interface?
You don't have to use our selection widget. It is a quick and convenient way to integrate FotoWare's browsing and searching capabilities into your application, but if you want more flexibility and control, you can build your own selection widget using the FotoWare API and any UX framework you like. Of course, this requires you to do more development work on your own.
If you know of any possible improvements of the selection widget, please let us know. We would like to keep the selection widget simple and suitable for most users, but if we see a way to make it better for everyone, we will consider doing that.
How does OAuth relate to SAML and Azure AD?
SAML and Azure AD are technologies for user authentication. OAuth is for app authorization.
In FotoWare, you can use SAML and Azure AD to allow your users to log in to your site or tenant. OAuth allows users to log in through third-party apps. You can use both in combination: For example, if your authentication provider is ADFS (with SAML), then users of your apps will also log in to your apps through ADFS, which is possible thanks to OAuth.
Why does the application registration dialog look different in SaaS and FotoWeb on-premises?
This is temporary. SaaS is slightly ahead of FotoWeb. With the next major FotoWeb release, both will look the same.
In SaaS, we have added the possibility to register widget-only apps that have a back-end, and we have changed the user interface for setting the application type and scope (API or widget-only). However, all applications that you could register in FotoWeb will also work in SaaS and in the new FotoWeb release.