How do I use WebRequest and HttpWebResponse in C# to navigate to an authentication url and login to a website?

Question

I am trying to use the MindMeister API (as documented here: http://www.mindmeister.com/developers/authentication) to make a desktop application. So far, I am able to generate an authentication url as documented on their developer's guide with an api key an shared secret, which ends up looking something like this: http://www.mindmeister.com/services/auth/?api_key=abc123&perms=delete&api_sig=zxy987

If I copy and paste that url into my browser, it takes me to their log in page. Once I log in, then it says my application has been authenticated and I can proceed with my application, which then allows me to start using the different REST API methods. I would like to navigate to that authentication url and login to MindMeister programmatically without having to copy and paste the authentication url into the browser.

So far I have tried something like this

        string authenticate 
          = @"http://www.mindmeister.com/services/auth/?" 
               + api_key=abc123&perms=delete&api_sig=zxy987";
        WebRequest request = WebRequest.Create(authenticate);
        @"https://www.mindmeister.com/account/login");
        HttpWebResponse response = (HttpWebResponse)request.GetResponse();
        //response.ResponseURI == @"https://www.mindmeister.com/account/login"

        WebRequest request2 = WebRequest.Create(response.ResponseUri);
        request2.Credentials = new NetworkCredential("username", "password");
        HttpWebResponse response2 = (HttpWebResponse)request2.GetResponse();

but this does not work.

Can I get some guidance on how to accomplish what I want? I have next to no experience with WebRequest or HttpWebResponse as I basically just copied and pasted other solutions on StackOverflow.

Answer 1

From the documentation it appears that login this way is not officially supported. Keep in mind that most services that operate using an API key can and will revoke this key if they don't like the way it's being used.

However the login might not be needed every time a user starts your application.

It appears that if you get a frob using the mm.auth.getFrob method and pass that as a parameter with the login you could then use that same frob on the mm.auth.getToken method. You can then store this token somewhere on the users desktop and could use this to use methods in the future.

This should keep working until the user actively revokes the permissions to your application.