Probably a minor error in the API, but when requesting an access token from https://www.geni.com/oauth/token the returned POST response is tagged as "ContentType = application/json; charset=utf-8", but the data is obviously using ContentType = "application/x-www-form-urlencoded" like this result: access_token=aBlZqgBbjRS6dKxndZthtsI2u7EgOg9tluTfFkIS
As far as I understand the OAuth2 standard the response should be JSON like this:
The Geni API does not follow the Error Response recommendation of the OAuth2 standard either.
I tested my app by fabricating some of the errors. - Yes, I am very focused on following (and making) standards ;-)
A summary from a private discussion:
* I discovered that there was no auto-expire on access_tokens, meaning that even three-month-old access_token examples posted in these discussions gave me API access to all private profiles of that user (including my example above, which was temporarily deleted until the issue was solved). This is now solved.
Never post examples with a valid access_token; that gives everyone an open door to your login. For me as a curator, a valid access_token from me would give everyone curator access to all public profiles in Geni (90 million?) ;-) Geni should consider better signing of API requests and not only a simple access_token.
* access_tokens will expire in 24 hours(?)
* access token responses will be JSON after the next update.
* Calling https://www.geni.com/oauth/invalidate?access_token=<token> will invalidate the token and should be used to log out your application.
* Returned data from request_token will be JSON and also include the expires_in parameter.
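As an added example (not from the original post or from Geni), here is a client-side parser for a token endpoint response that tolerates the header/body mismatch described above, records it, refuses to treat an RFC 6749 error object as a token, and carries `expires_in` so the client can drop the token on time. The sample bodies and the token value are constructed placeholders.

```python
import json
from urllib.parse import parse_qs

# Constructed sample responses (not real Geni traffic); the token is a placeholder.
FORM_BODY = "access_token=EXAMPLE_TOKEN_PLACEHOLDER"
JSON_BODY = ('{"access_token": "EXAMPLE_TOKEN_PLACEHOLDER", '
             '"token_type": "bearer", "expires_in": 86400}')
ERROR_BODY = '{"error": "invalid_grant", "error_description": "code expired"}'


class TokenResponseError(Exception):
    """Raised for RFC 6749 error objects or responses with no usable token."""


def parse_token_response(content_type: str, body: str) -> dict:
    """Parse an OAuth2 token endpoint response defensively.

    RFC 6749 says the body is JSON, but some servers send form-encoded data
    under a JSON Content-Type. We sniff the body, record any header/body
    mismatch for logging, and surface error objects instead of tokens.
    """
    declared = content_type.split(";")[0].strip().lower()
    stripped = body.strip()
    if stripped.startswith("{"):
        data = json.loads(stripped)
        actual = "application/json"
    else:
        # parse_qs returns lists per key; a repeated key is rejected rather
        # than silently picking one value.
        pairs = parse_qs(stripped, strict_parsing=True)
        if any(len(v) != 1 for v in pairs.values()):
            raise TokenResponseError("repeated parameter in token response")
        data = {k: v[0] for k, v in pairs.items()}
        actual = "application/x-www-form-urlencoded"
    if "error" in data:
        raise TokenResponseError(data["error"])
    if "access_token" not in data:
        raise TokenResponseError("missing access_token")
    expires = data.get("expires_in")
    return {
        "access_token": data["access_token"],
        # None means the server gave no lifetime; the caller should then
        # assume a short one rather than keeping the token indefinitely.
        "expires_in": int(expires) if expires is not None else None,
        "content_type_mismatch": declared != actual,
    }


def redact(token: str) -> str:
    """Keep only a short prefix so logs can correlate tokens without leaking them."""
    return token[:4] + "..." if len(token) > 8 else "***"
```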