Photonic supports authentication for all providers with the exception of native WP that has no concept of private photos, and Zenfolio, which has authentication, but for which Photonic only supports password-protection.

Authentication is supported in two different ways:

  1. Front-End / Client-Side Authentication – This is supported by Photonic for Flickr, Picasa, SmugMug and 500px.
  2. Back-End / Server-Side Authentication – This is supported by Photonic for Flickr, Picasa, SmugMug, 500px and Instagram.

Front-End / Client-Side Authentication (🔗)

In this mode, you “Allow User Login”. When a user visits your site, by default that person sees only public photos. However, if you “Allow User Login”, the user will see a login box:

Picasa Login Box

If the user logs in, the content that the user is authorized to see will be shown.

To set up Front-End Authentication go to the settings page for your respective provider. Flickr is used as an example here, but the settings are consistent across all supported providers.

Selecting the “Allow User Login” option will let visitors use their Flickr Logins

You would typically use front-end authentication if you want the visitors of your site to see only what they are allowed to see outside the WP environment.

Back-End / Server-Side Authentication (🔗)

Certain providers such as Instagram and Google (Picasa) put up extreme barriers around photos, causing everything to require authentication. Instagram has a horribly written API and an even more asinine way of granting access, all in an attempt to pass the buck to overcome inherent flaws in its security. And Google went from an open model that was present in PicasaWeb to a walled garden with Google Photos.

To get around the shortcomings of such providers Photonic brings in server-side, or back-end authentication. In this case, you do the authentication (not your site’s visitors), and your visitors see what you are authorized to see (instead of what your visitors are authorized to see).

The setup for back-end authentication is slightly different for the providers because of the way they implement authentication:

  • For Instagram see here. You will need at least version 1.59 of Photonic for this.
  • For Picasa see here. You will need at least version 1.59 of Photonic for this.
  • Google Photos see here. You will need at least version 1.68 of Photonic for this.
  • For all other providers use the following steps. Note that you will need to set up your API keys for Flickr, 500px and SmugMug to get this working. You will need at least version 1.65 of Photonic for this:
    1. As in the case of Front-end authentication, you will see these fields in the settings page for your provider:
      A token and a secret are required
    2. Following the instructions, head over to Photonic → Authentication.
    3. For the provider that you want to authenticate for, click on the button to “Login and get Access Token”.
      Login and get token
    4. You will be taken to the provider’s page for authentication:
      The provider will ask you to authorize Photonic
    5. Once you authorize, you will be brought back to your authentication page (Photonic → Authentication), but this time with the token and the secret:
      Your token and secret are shown upon authorization
    6. Upon clicking “Save Token” the token and secret will be saved to the respective options page, and you will be taken there. Note that both, the token and the secret are required for Flickr, SmugMug and 500px (it is an OAuth 1.0 requirement).

You are now all set to display private photos to all your visitors. Note that Picasa has a specific setting for this.

Do bear in mind that token expiration is dependent on the provider:

  • Flickr, SmugMug and 500px use OAuth 1.0 for authentication and OAuth 1.0 tokens don’t automatically expire. This is documented explicitly for SmugMug and in various groups for Flickr. There is no explicit documentation available for token expiry for 500px, but given the authentication protocol, the tokens can be assumed to have no expiry.
  • True to form, Instagram says that the tokens expire, but doesn’t say when, passing the buck to you. You will have to keep monitoring your site to see if your token is active. Based on what I have found on the web the validity is at least 6 months long.
  • Google’s approach is interesting – it issues you with a “Refresh token”, which you exchange for an “Access token”. The refresh tokens never expire, but the access tokens expire every 30 minutes or so. To take the sting out of reentering the access token every time, Photonic stores the refresh token and automatically pulls the access token for you if it has expired.