Using "User Credentials" flow to get an authentication token via libcurl

Go To


I am trying to use the Soundcloud API to implement an integrated "export" function in an open-source DAW application (Ardour).

At least for the first draft, it seems that the simplest method to get an authenticated token is to use the "User Credentials" flow. So I'm using my own account as an example. I'm using libcurl to programmatically generate this request:

The result is: "404 - Not Found"

A couple of questions:

1) Any ideas what "404 - Not Found" means in this context? Is my username in the wrong format? Did I make a typo? Or is the User Credentials workflow no longer available?

2) This is an open-source app, so the client_id and client_secret will actually be available to the world. What are the ramifications (if any) of this?

Please note that I'm not an expert at curl/web integration ( although I was able to use libcurl to import sounds from ) - so perhaps I'm missing something very obvious.

2012-04-04 18:07
by user1313170


It looks like you are making a GET request to that URL. The OAuth2 Token endpoint only supports POST requests. Additionally, parameters must be sent in the request body, not as part of the query string. Using the curl command line utility, this would look like this:

curl -X POST -D - -F'client_id=YOUR_CLIENT_ID' \
   -F'client_secret=YOUR_CLIENT_SECRET' -F'grant_type=password' \
   -F'username=YOUR_USERNAME' -F'password=YOUR_PASSWORD'

Technically, we should be sending back a 405 instead of a 404. I'll file a bug for that, thanks for pointing it out.

You definitely do not want to distribute your client credentials. Your client id and client secret uniquely identifies your application to SoundCloud. If you were to distribute these, any other application developer could use those values to create an application that looked like yours. If one of those applications violated SoundClouds terms of service, we would have to cut off access to the client id, thus disabling your application as well.

Additionally, while the User Credentials Flow is supported, it is only recommended when the more popular Authorization Code Flow is not possible. The Authorization Code Flow is more familiar to most users. It allows you to have the user authorize access to your application without requiring them to give your app their credentials. The primary reason that the User Credentials Flow is not recommended is that users who register via Facebook Connect do not have a password and therefore won't be able to connect your app to their SoundCloud account.

For desktop / mobile applications, you can specify a redirect URI during the app registration process that uses a custom protocol scheme (e.g. myapp://) which will pass control back to your application. The exact method to do this changes from platform to platform. This means you don't have to have a running web service to mediate the auth flow.

Let me know if you have any follow up questions and I'll edit my answer to elaborate. Hope that helps!

2012-04-05 13:09
by Paul Osman
Thanks Paul! I will investigate what is needed in libcurl to make that happen.

Regarding the "secret" id ... its an open-source program so there's no choice but to publish it. Surely it is impossible for an app to break the Soundcloud TOS, since the authenticated user is the culprit? Other than "attributing" the sound to the app, why does it matter?

Finally, regarding the authorization: I'm open to using the "Authorization Code Flow" but I don't understand it in the context of a desktop app. It seems to require a 3rd party server as mediator of some sort. Hopefully I'm just confused - user1313170 2012-04-05 16:49

If you're shipping it as open source, you should leave the client credentials out and make app registration a part of the installation / setup process. The trouble is, you're giving away credentials. If for instance, a developer with malicious intent wanted to create an app that would do something harmful, they could use your app credentials and "pose" as your app. The user would think they were authenticating your application. Bottom line, sharing credentials breaks a trust relationship. Apps with leaked client secrets would almost certainly be deactivated - Paul Osman 2012-04-05 20:42
Modified my answer to include details about using Auth Code Flow with desktop app. Also mentioned why User Cred Flow is not recommended. Also, if you found my answer helpful, it's good practice to "accept" it :-) Hope that helps. Let me know if you have any other questions - Paul Osman 2012-04-05 20:46
Regarding the client credentials: OK, I'll try to work something out. Regarding the User Credentials Flow: This is a professional sound editing/mixing application. Are you saying that the users will be inconvenienced because they will have to setup a Soundcloud password, or are you saying that if they use Facebook Connect it will be impossible for them to set up a password and follow the User Credentials flo - user1313170 2012-04-05 22:15
If users use Facebook Connect to sign into their SoundCloud account, they will not have a password and therefore will not be able to use the User Credentials Flow - Paul Osman 2012-04-06 15:16