With Seamless Sign-in, if the user is using your application Web site and is signed in there, she won't normally need to provide her Shutterfly password or do a separate Shutterfly sign-in when your app calls the Shutterfly Open API on her behalf.
For this to be secure, you must protect the shared secret that goes with your app ID, as explained here: Authentication and Authorization
Seamless Sign-in works as follows:
- You do some initial application-level setup with Shutterfly.
- The user uses your app or Web site, and eventually needs Shutterfly Open API functionality.
- Your app sends the user to a Shutterfly user setup page.
- The user signs in to Shutterfly (or signs up for a new Shutterfly account if she does not already have one), and grants permission to your application.
- Shutterfly then redirects the user's browser to your app, on a "callback URL" that you specified.
- On callback, Shutterfly gives your app a user token to store. Your app stores this token, and passes it on future Shutterfly Open API calls that may require user authorization. If your app stores the token correctly, your app should never again need the user to sign in to Shutterfly.
If your app should ever lose the Shutterfly user token, no problem.
- Send the user to the Shutterfly user-setup page again.
- The user will have to sign in, but will not need to explicitly grant permission to your application again. The page will immediately redirect to the callback URL you provided.
- Store the Shutterfly user token.
- Decide if you can secure your shared secret (i.e., truly keep it secret). If you can't, then your application is not eligible for Seamless Sign-in. Please use User Authentication instead.
- Configure your app to say its secret is guarded, using My Applications.
- Optional: Configure your app with a default Callback URL, Logo URL, and About URL.
- Callback URL: A URL that Shutterfly's permission-granting page will return control to after the user has granted (or denied) permission. Configuring this parameter is not absolutely required, because your app can specify the URL dynamically, as described below.
- Logo URL: A public URL where Shutterfly can get your application's (or company's) logo image. If present, Shutterfly will display the image to the user when asking the user to grant permission.
- About URL: A public URL where a user could find a description of your app or company. If present, Shutterfly will display it as a link when asking the user to grant permission.
Send the user's Web browser to this Shutterfly page:
You will need to attach certain URL parameters to the call:
You will also need to sign the call. A completed, fully-signed callback URL would look something like this, prior to URL-encoding (and all on one line):
http://localhost/oflyuser/grantApp.sfly?oflyCallbackUrl=http://my123mash.com/step3&oflyAppId=693228dc384ba239269fa6f80de8ce97&oflyApiSig=3cd8b2bdb8cc49ace7d56f23e5ab3be7664c3fef&oflyTimestamp=2008-04-02T19:50:47.374-0700&oflyHashMeth=SHA1&oflyRemoteUserfirstname.lastname@example.org
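The following is an added example, not Shutterfly's own code, showing how an app would assemble and sign a grantApp URL of the shape above and how a verifying party would check it. The exact signing input (SHA1 over shared secret + path + "?" + query without oflyApiSig), the parameter name oflyRemoteUser, the shared secret value and the 5-minute freshness window are assumptions; the app ID and timestamp format are taken from the page's example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

# Constructed sample values; the real app ID and shared secret come from My Applications.
APP_ID = "693228dc384ba239269fa6f80de8ce97"       # app ID shown in the page's example
SHARED_SECRET = "example-shared-secret-not-real"  # constructed placeholder, never shipped
GRANT_PATH = "/oflyuser/grantApp.sfly"
# Constructed sample time matching the page's example timestamp (UTC-7).
SAMPLE_WHEN = datetime(2008, 4, 2, 19, 50, 47, 374000, tzinfo=timezone(timedelta(hours=-7)))

def ofly_timestamp(when: datetime) -> str:
    """Format like the page's example: 2008-04-02T19:50:47.374-0700."""
    return (when.strftime("%Y-%m-%dT%H:%M:%S.")
            + f"{when.microsecond // 1000:03d}" + when.strftime("%z"))

def sign(secret: str, path: str, query: str) -> str:
    """ASSUMED scheme: SHA1 over secret + path + '?' + query (query excludes oflyApiSig)."""
    return hashlib.sha1((secret + path + "?" + query).encode("utf-8")).hexdigest()

def build_grant_url(host: str, callback_url: str, remote_user: str, when: datetime,
                    app_id: str = APP_ID, secret: str = SHARED_SECRET) -> str:
    """Build the signed grantApp URL; the secret itself never appears, only the signature."""
    params = [("oflyCallbackUrl", callback_url), ("oflyAppId", app_id),
              ("oflyTimestamp", ofly_timestamp(when)), ("oflyHashMeth", "SHA1"),
              ("oflyRemoteUser", remote_user)]  # parameter name assumed from the page's example
    query = urlencode(params, safe=":/@", quote_via=quote)
    return f"http://{host}{GRANT_PATH}?{query}&oflyApiSig={sign(secret, GRANT_PATH, query)}"

def verify_signed_url(url: str, secret: str, now: datetime,
                      max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """What the receiving side does: recompute over the query without oflyApiSig using a
    constant-time compare, then reject timestamps outside the (assumed) freshness window."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    given = dict(pairs)
    unsigned = urlencode([p for p in pairs if p[0] != "oflyApiSig"], safe=":/@", quote_via=quote)
    if not hmac.compare_digest(given.get("oflyApiSig", ""), sign(secret, parts.path, unsigned)):
        return False
    ts = datetime.strptime(given["oflyTimestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return abs(now - ts) <= max_skew

if __name__ == "__main__":
    url = build_grant_url("localhost", "http://my123mash.com/step3", "alice", SAMPLE_WHEN)
    print(url)
    print("verifies:", verify_signed_url(url, SHARED_SECRET, SAMPLE_WHEN))
```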
When Shutterfly calls your callback URL, it will tell you whatever you had previously specified for
and add these parameters:
Given the above example, Shutterfly might construct your callback URL something like this, prior to URL-encoding (and all on one line):
Finally, you store the returned oflyUserid in your application. All future calls must use this stored oflyUserid to gain permission seamlessly.
Pass the oflyUserid as a URL parameter on every Shutterfly Open API call that needs user authentication / authorization, as explained here: App Authentication.