Wednesday, December 31, 2014

UPDATE: HOWTO Mailchimp's OAuth2

I have been working to integrate the Mailchimp OAuth implementation into an application that uses Mailchimp mailing lists to drive call campaigns. My users log in to my site using Mailchimp, so you can see it's going to be a very strong integration.
I have found a few problems with the implementation. This is about my 10th OAuth implementation, so I am pretty familiar with all the little implementation differences. Here are a few critiques, meant to be constructive.
Here are some details. I am using the Mailchimp Python API on Bitbucket and the Bananas_OAuth implementation.

Mailchimp Python API - https://bitbucket.org/mailchimp/mailchimp-api-python
Banana-Py OAuth - https://github.com/claytantor/Banana-Py/blob/master/banana_py/__init__.py

  1. It seems as though the calls from https://login.mailchimp.com/oauth2/metadata don't return enough information to reliably create a user in the authenticating system, and that the API does not have a method to get data on the OAuth user that the access token was generated for. This creates a problem when attempting to create a user for the first time. When a user authenticates, the following information should be in the response: email address, unique unchangeable id, and Mailchimp username. Right now I have to use the "account_name", which can be changed. Can you see where this might be an issue? I also have to generate a fake email and force the user to verify the email when I could just use the one you verified already. This can be dealt with using the account-details method in the helper API.
  2. The OAuth implementation does not implement scope.
  3. The OAuth implementation does not use best practices for refresh tokens.
  4. The OAuth implementation is difficult to implement a flow for; I have implemented about 10 of these and I couldn't figure it out from your docs. If Bananas wasn't there I would have ended up spending an insane amount of time.
  5. Making the API docs say that the calls use the API key is confusing; I had to read deep to see that you could use an access token to make calls.
  6. Why doesn't it have an OAuth implementation in the API? C'mon, just add Bananas_OAuth and do a little more architectural work to unify the concepts.

UPDATE: Cole from Mailchimp API got back to me in a day and gave me a solution for #1; I added this to the Gist as well. Looks like it works.
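To make the "account_name" problem in #1 concrete, here is an added example (my own illustration, not code from the post, from Banana-Py, or from Mailchimp). It simulates the find-or-create step that runs after the token exchange and profile fetch, using constructed profile dicts; the field name user_id is a stand-in for whatever unchangeable identifier a provider exposes, which is an assumption, not a documented Mailchimp field:

```python
"""Why keying a local account on a mutable OAuth profile field is dangerous.

Added illustration; not code from the post, from Banana-Py, or from Mailchimp.
The profile dicts are constructed for the example, and 'user_id' is an
assumed stand-in for a provider's unchangeable identifier.
"""


class UserStore:
    """Minimal in-memory user table keyed on a chosen profile field."""

    def __init__(self, key_field):
        self.key_field = key_field
        self.users = {}  # key value -> local user record
        self.next_id = 1

    def login(self, profile):
        """Find-or-create the local user for an OAuth profile.

        Returns the local user id. This is the step that runs after the
        access token has been exchanged and the provider's profile fetched.
        """
        key = profile[self.key_field]
        user = self.users.get(key)
        if user is None:
            user = {"local_id": self.next_id, "profile": dict(profile)}
            self.next_id += 1
            self.users[key] = user
        return user["local_id"]


def takeover_scenario(key_field):
    """Replay a rename-and-reuse sequence; return (alice_id, bob_id).

    1. Alice logs in with account_name 'acme'.
    2. Alice renames her provider account to 'acme-old' and logs in again.
    3. Bob creates a fresh provider account and picks the now-free name 'acme'.
    4. Bob logs in.
    If the store keys on the mutable name, Bob lands on Alice's local account
    (and Alice's rename silently created a second, empty record for her).
    If it keys on the unchangeable id, each person keeps their own record.
    """
    store = UserStore(key_field)
    # Constructed sample profiles, not real provider responses.
    alice = {"user_id": "u-1001", "account_name": "acme", "email": "alice@example.com"}
    alice_id = store.login(alice)

    alice_renamed = dict(alice, account_name="acme-old")
    store.login(alice_renamed)

    bob = {"user_id": "u-2002", "account_name": "acme", "email": "bob@example.com"}
    bob_id = store.login(bob)
    return alice_id, bob_id


if __name__ == "__main__":
    for field in ("account_name", "user_id"):
        a, b = takeover_scenario(field)
        verdict = "TAKEOVER" if a == b else "ok"
        print(f"keyed on {field!r}: alice={a} bob={b} -> {verdict}")
```

Keyed on account_name the run reports a takeover (Bob is handed Alice's local id); keyed on the stable id the two stay separate. The same reasoning applies to the email point: an address the provider has already verified is a safe thing to copy, but it is still not a safe primary key, since users can change it too.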

I have a Gist that shows some of the backflips I am having to do; it's too bad, too, because with some very small changes the OAuth2 implementation and API would be pretty darn good. Check out what I am doing:
I am also giving you a reference to an OAuth implementation that is solid and easy to implement: