I am trying to use the Soundcloud API to implement an integrated "export" function in an open-source DAW application (Ardour).
At least for the first draft, it seems that the simplest method to get an authenticated token is to use the "User Credentials" flow. So I'm using my own account as an example. I'm using libcurl to programmatically generate this request:
The result is: "404 - Not Found"
A couple of questions:
1) Any ideas what "404 - Not Found" means in this context? Is my username in the wrong format? Did I make a typo? Or is the User Credentials workflow no longer available?
2) This is an open-source app, so the client_id and client_secret will actually be available to the world. What are the ramifications (if any) of this?
Please note that I'm not an expert at curl/web integration ( although I was able to use libcurl to import sounds from Freesound.org ) - so perhaps I'm missing something very obvious.
It looks like you are making a GET request to that URL. The OAuth2 Token endpoint only supports POST requests. Additionally, parameters must be sent in the request body, not as part of the query string. Using the curl command line utility, this would look like this:
curl -X POST -D - https://api.soundcloud.com/oauth2/token -F'client_id=YOUR_CLIENT_ID' \
-F'client_secret=YOUR_CLIENT_SECRET' -F'grant_type=password' \
-F'username=YOUR_USERNAME' -F'password=YOUR_PASSWORD'
Technically, we should be sending back a 405 instead of a 404. I'll file a bug for that, thanks for pointing it out.
You definitely do not want to distribute your client credentials. Your client id and client secret uniquely identifies your application to SoundCloud. If you were to distribute these, any other application developer could use those values to create an application that looked like yours. If one of those applications violated SoundClouds terms of service, we would have to cut off access to the client id, thus disabling your application as well.
Additionally, while the User Credentials Flow is supported, it is only recommended when the more popular Authorization Code Flow is not possible. The Authorization Code Flow is more familiar to most users. It allows you to have the user authorize access to your application without requiring them to give your app their credentials. The primary reason that the User Credentials Flow is not recommended is that users who register via Facebook Connect do not have a password and therefore won't be able to connect your app to their SoundCloud account.
For desktop / mobile applications, you can specify a redirect URI during the app registration process that uses a custom protocol scheme (e.g. myapp://) which will pass control back to your application. The exact method to do this changes from platform to platform. This means you don't have to have a running web service to mediate the auth flow.
Let me know if you have any follow up questions and I'll edit my answer to elaborate. Hope that helps!
Regarding the "secret" id ... its an open-source program so there's no choice but to publish it. Surely it is impossible for an app to break the Soundcloud TOS, since the authenticated user is the culprit? Other than "attributing" the sound to the app, why does it matter?
Finally, regarding the authorization: I'm open to using the "Authorization Code Flow" but I don't understand it in the context of a desktop app. It seems to require a 3rd party server as mediator of some sort. Hopefully I'm just confused - user1313170 2012-04-05 16:49