This article was published after a webinar where Fotoware developers demonstrated how to get started using OAuth with Fotoware integrations.
The questions under the video are from the Q&A session after the webinar.
Watch the webinar
Download the PDF
You can download a PDF file that outlines how OAuth works with Fotoware.
Questions and Answers
Why can't I simply load the selection widget in an iFrame any more? Older versions of FotoWeb supported this.
The old method of FotoWeb has a number of minor security flaws. For example, the selection widget could be embedded on any website with no restrictions. With OAuth, only registered applications and websites can embed widgets.
The old method still works with FotoWeb on-premises by enabling the Legacy Selection Widget option in the site settings. This is not supported in Fotoware SaaS.
No! If you are building a web app that uses OAuth to integrate with Fotoware, you can choose whether or not your application will have a back-end. If you already have a back-end, or it is easy for you to set up, then you will get some security and user experience benefits. For example, you can use refresh tokens to keep users permanently "logged in" to the app, and with future versions of FotoWeb and SaaS, you can disable the consent dialog, or it will be shown to users only once.
It looks like OAuth requires users to log in via the browser. What if my app is a native app running on a Mac or on Windows, or even on a phone?
OAuth is designed for native apps as well. Every native platform has a browser these days, and the recommended approach is to open the user's default browser and navigate to the OAuth authorization URL. To get the authorization code back, there are three different approaches, all of which require that your application listens on some callback URL that the browser can open. For example, you can run an embedded web server on localhost, you can use a custom URL schema and register it in the OS, or on mobile, you can use app-claimed HTTPS URLs, so the user will be asked to open your app instead of the browser.
If, for any reason, you cannot launch the browser, you can also embed a "native" browser view in your app. This works but is not recommended. In the standard browser, users can use password managers to verify that the connection is secure and that the URL is correct. This is why it is best for security and convenience, but admittedly not always very pretty, to just use the default browser in a "natural" browser tab, with all bars, extensions, and controls visible.
My application is a script that does some automation in the background using the API. How can I use OAuth if there is no user who can log in via the browser?
You cannot use OAuth for non-interactive applications. For now, you can simply use the
FWAPIToken header with the API key you can generate in the site settings. This gives your application full access to the API. But you cannot make requests on behalf of specific users.
Future versions will also support non-interactive OAuth, where you will have application-specific keys that you can generate and revoke separately, which gives you more fine-grained control about all the services that access your Fotoware tenant or site.
Is anyone actually using this?
Yes, some of our partners have built great integrations using OAuth. Medialogix has built a number of mobile applications on iOS and Android, and soon, all of our own applications will be using OAuth as well.
What if I am not a programmer - Can I still build integrations with Fotoware?
You can get a long way without writing a single line of program code by using webhooks, markers, and actions. For more sophisticated integrations, you may still have to write code, but you do not need to use OAuth when using forward integrations based on webhooks or drag & drop export. This allows you to build a wide range of integrations with minimal coding effort.
The selection widget is great, but what if it doesn't quite do everything I need, or its design doesn't fit very well into my application's user interface?
You don't have to use our selection widget. It is a quick and convenient way to integrate Fotoware's browsing and searching capabilities into your application, but if you want more flexibility and control, you can build your own selection widget using the Fotoware API and any UX framework you like. Of course, this requires you to do more development work independently.
If you think we can improve the selection widget, let us know! We want to keep the selection widget simple and suitable for most users, but if there is a way to make it better for everyone, we will consider doing so.
How does OAuth relate to SAML and Microsoft Entra ID?
SAML and Microsoft Entra ID are technologies for user authentication. OAuth is for app authorization.
In Fotoware, you can use SAML and Microsoft Entra ID (formerly Azure Active Directory) to allow your users to log in to your site or tenant. OAuth allows users to log in through third-party apps. You can use both in combination: For example, if your authentication provider is ADFS (with SAML), then users of your apps will also log in to your apps through ADFS, which is possible thanks to OAuth.
Why does the application registration dialog look different in SaaS and FotoWeb on-premises?
This is temporary. SaaS is slightly ahead of FotoWeb. With the next major FotoWeb release, both will look the same.
In SaaS, we have added the possibility to register widget-only apps that have a back-end, and we have changed the user interface for setting the application type and scope (API or widget-only). However, all applications you can register in FotoWeb will also work in SaaS and the new FotoWeb release.