As per the request of many Beem users, I am implementing Last.fm track scrobbling. The first part of this task is to implement an API client for the Last.fm web service, and step one is user authentication. Last.fm is not using OAuth, but rather its own implementation of an authentication engine that relies on a composite MD5 secret.
But let’s begin with the basics. As it is a mobile application, I need to perform a request to the core endpoint with the auth.getMobileSession method. The URL is https://ws.audioscrobbler.com/2.0/. Remember to use HTTPS, as it is an inherent requirement for the request to be successful. Two required components of the request are the API key and the API secret – both can be obtained as you register your own application on the Last.fm developer portal.
NOTE: Ignore the is+[space] part and just use the code that comes afterwards.
The API call is complete only when it is accompanied by a signature. The signature is generated by building a composite string, made of each parameter and value concatenated together (with no delimiters) in alphabetical order, followed by the API secret, that are later hashed with an MD5 helper. Since by default the Windows Phone 7.1 SDK comes without the standard .NET MD5CryptoServiceProvider, I have to carry an internal implementation. You could take a look at the specifics of the MD5 algorithm here, or you could download a ready-to-go class created by Reid Borsuk and Jenny Zheng here (which is what I am using in the app). The method I am using to get the signature looks like this:
public string GetSignature(Dictionary<string, string> parameters)
string result = string.Empty;
IOrderedEnumerable<KeyValuePair<string, string>> data = parameters.OrderBy(x=>x.Key);
foreach (var s in data)
result += s.Key + s.Value;
result += SECRET;
result = MD5Core.GetHashString(Encoding.UTF8.GetBytes(result));
The next step is to perform the authentication request itself, to get the session key. A raw implementation of the necessary method can look like this:
public void GetMobileSession(string userName, string password, Action<string> onCompletion)
var parameters = new Dictionary<string, string>();
string signature = GetSignature(parameters);
string comboUrl = string.Concat(CORE_URL, "?method=auth.getMobileSession", "&api_key=", API_KEY,
"&username=", userName, "&password=", password, "&api_sig=", signature);
var client = new WebClient();
client.UploadStringCompleted += (s, e) =>
catch (WebException ex)
HttpWebResponse response = (HttpWebResponse)ex.Response;
using (StreamReader reader = new StreamReader(response.GetResponseStream()))
As the signature is obtained, I still need to include the parameters in the URL, including the method, API key and the proper credentials. The request has to be a POST one, therefore I am using UploadStringAsync instead of DownloadStringAsync, which will execute a GET request.
Simple as that, you have the auth session key.