Index - FotoWare OAuth 2.0 Example

This application demonstrates how to build different kinds of applications that use the FotoWeb API and FotoWeb embeddable Widgets and OAuth 2.0 for user authorization.

This is the configuration page, where you choose the type of application and enter necessary details. In an actual application, these details would be either hard-coded or part of a fixed configuration that is hidden from its users.

Tenant URL

Application Type

A web application with a back-end (server) component.

BACK-END: The application must have a back-end (server) component for OAuth authorization, storing a client secret, and managing bearer tokens.
FRONT-END: The application may have a front-end (HTML and JavaScript), but it may also be an API only.
API: This application can make API requests to FotoWeb. An API license is required.
CONSENT: The authenticity of the application is verified, so it only has to ask for user consent upon first authorization.
SESSIONS: Refresh tokens can be used to keep the application permanently authorized.

A native (desktop or mobile) application.

API: This application can make API requests to FotoWeb. An API license is required.
CONSENT: The authenticity of the application cannot be verified, so it has to ask for user consent upon every authorization.
Refresh tokens can be used to keep the application permanently authorized.

In this example, the "native" application is simulated by a web application.

A web application WITHOUT a back-end (server) component.

FRONT-END: The application consists of HTML and JavaScript only, so any data it stores is visible to the user and user agent (browser).
API: This application can make API requests to FotoWeb. An API license is required.
CONSENT: The authenticity of the application cannot be verified, so it has to ask for user consent upon every authorization.
SESSIONS: Users must authorize the application every time (no refresh tokens).

A web application which uses FotoWeb embeddable widgets only. This is the preferred approach for using widgets.

BACK-END: The application must have a back-end (server) component for OAuth authorization, storing a client secret, and managing bearer tokens.
API: This application CANNOT make API requests to FotoWeb. An API license is NOT required.
CONSENT: The authenticity of the application is verified, so it only has to ask for user consent upon first authorization.
SESSIONS: Refresh tokens can be used to keep the application permanently authorized.

A web application which uses FotoWeb embeddable widgets only.

FRONT-END: The application consists of HTML and JavaScript only, so any data it stores is visible to the user and user agent (browser).
API: This application CANNOT make API requests to FotoWeb. An API license is NOT required.
CONSENT: The authenticity of the application cannot be verified, so it has to ask for user consent upon every authorization.
SESSIONS: Users must authorize the application every time (no refresh tokens).

A legacy web application which uses FotoWeb embeddable widgets only and was written for an older version of FotoWeb.

No application registration is necessary.
CONSENT: The authenticity of the application cannot be verified, yet users are not asked for consent.
SESSIONS: Users must authorize the application every time (no refresh tokens).

This approach may seem easier, but is deprecated and considered insecure. It exists in this example application only for testing purposes.
The option "Enable Legacy Selection Widget" must be enabled in the FotoWeb site settings.
This type of application is not supported in FotoWare SAAS.

The application must first be registered in your FotoWeb tenant. For information on how to do this, please see Application Registration. and use the following application settings:

Type: Web App / API Native / mobile
Scope: API Selection Widget
Add this redirection URI this redirection URI this redirection URI this redirection URI this redirection URI (right-click and copy this URL)

When done, please enter the generated application details (e.g., client ID) into the fields below.

You have selected the FotoWare demo server. This application is already registered, and application details (client ID and client secret) need not be entered manually.

Your FotoWeb site must be reachable on the internet. If you want to test OAuth with a server in your local network, then you have to compile this application from source code and host it in your internal network, so it can connect to your FotoWeb site and request tokens.

Your tenant URL uses HTTP, and this application is hosted on a HTTPS URL. Embedding FotoWeb widgets may be blocked by your browser due to Content Security Policy (CSP). To work around this, you must either host this application on HTTP as well or host FotoWeb on HTTP.

Client ID

The client ID of your application registered in your FotoWeb tenant (e.g., a838XXXX-XXXX-XXXX-XXXX-XXXXXXXX68df)

Client Secret

The client secret of your application registered in your FotoWeb tenant

Please do NOT enter a client secret of an active production site here. The client secret is sensitive information. For your and your users' security, please use test values only. Please change your client secret or delete your application registration after using its client secret here.

Login Token [OPTIONAL]

You may enter a login token generated with the login token generator tool.
Remember to check the option "Use for widgets".
The encryption secret can be obtained from the tenant's site settings.

Please do NOT enter the encryption secret of your site here.

If you are not a FotoWare employee who knows the encryption secret of the demo server, then just leave this field blank. :)

Welcome to the FotoWeb OAuth Demo Application