what are the reasons that the access_token instagram becomes invalid. I've noticed that there is no time expiration of the token?
Does someone know how to avoid it?
thanks a lot for your replies
Your all answers are given here in this document:
https://www.instagram.com/developer/authentication/
Important
Even though our access tokens do not specify an expiration
time, your app should handle the case that either the user revokes
access, or Instagram expires the token after some period of time. If
the token is no longer valid, API responses will contain an
“error_type=OAuthAccessTokenException”. In this case you will need to
re-authenticate the user to obtain a new valid token. In other words:
do not assume your access_token is valid forever.
So Token expire in two case
User revoke access
After some time (No specific time interval)
Does someone know how to avoid it?
No. Ther is no way to avoid it because that is for security reason. Avoiding it is compromising the security of the user and Instagram definitely don't want that.
So the only solution (And proper way) is to handle OAuthAccessTokenException
Related
I added instagram feed to my website with following way. This works fine but my access token is expiring again and again which results in blank page. Token expiration leads me to generate token manually and so many times.
Can anyone help me out to rectify this problem?
$result = file_get_contents('https://api.instagram.com/v1/users/self/media/recent/?access_token=[my access token]&count=20');
$result = json_decode($result);
According to the documentation, this is expected:
Even though our access tokens do not specify an expiration time, your app should handle the case that either the user revokes access, or Instagram expires the token after some period of time. If the token is no longer valid, API responses will contain an “error_type=OAuthAccessTokenException”. In this case you will need to re-authenticate the user to obtain a new valid token. In other words: do not assume your access_token is valid forever.
https://www.instagram.com/developer/authentication/
Is your app in sandbox mode? Maybe in sandbox mode the token lasts less than normal. But still, you shouldn't assume a minimum duration like the above explains.
I made An app (which is Live now and) it Uses Instagram API.
It uses one access token per hour. (which is far away from limit 5000/hour)
But What I see that say if 25 users gave access to me than each day 2 to 4 user's access token become invalid (seems randomly).
But Instagram says that:
Even though our access tokens do not specify an expiration time, your
app should handle the case that either the user revokes access, or
Instagram expires the token after some period of time. If the token is
no longer valid, API responses will contain an
“error_type=OAuthAccessTokenException”. In this case you will need to
re-authenticate the user to obtain a new valid token. In other words:
do not assume your access_token is valid forever.
I confirmed that none of these "Revoked Access".
Is there any reason that why its happening.
Or any platform where I can contact Instagram and ask the reason.
So that I can avoid it. (if I 'm doing something wrong)
Unfortunately, the tokens have a tendency to (seemingly) randomly expire. I think the reason is that Instagram doesn't want a single token to grant full access to a user's content without expiration.
Instagram expires the token after some period of time
I would recommend having the user re-auth through Instagram to get a fresh token, as they suggest, and making sure that you are able to handle that OAuth exception when it happens.
In this case you will need to re-authenticate the user to obtain a new valid token.
do not assume your access_token is valid forever.
Also, since the permissions update on 2016-06-01, Instagram has been somewhat hostile and generally unhelpful toward 3rd party apps, so it's not really worth contacting them.
Recently, I implemented the JWT strategy using passport and node.js... however, I am beginning to worry about the concept in general. Isn't it true that once someone has access to the JWT, it can be used to retrieve protected data? And isn't gaining access to the JWT, as easy as using chrome dev tools?
I could try and reduce the expiry date, however... isn't it true that as long as the user details are the same, the token generated will also be the same every time? So what's the point of the expiry date, if you are going to end up with the same token anyway? I am sure that I missing the point here somewhere. Guidance would be appreciated. Thanks.
Isn't it true that once someone has access to the JWT, it can be used to retrieve protected data? And isn't gaining access to the JWT, as easy as using chrome dev tools?
Generally speaking, it shouldn't be an issue if the user can access their own JWT -- because they're the one who is allowed and should have access to that token. (Which is what Dev Tools would allow you to access, but not other people's tokens.)
It becomes an issue when someone else can access that user's JWT, which is when things like using SSL/HTTPS show their value (because encryption prevents another user from sniffing traffic and retrieving the JWT, for example). This is a fairly broad topic to try and cover though, but ultimately if someone else can access some random user's JWT then there are security issues, yes. It's not strictly related, but I enjoy this Auth0 article which talks about the differences between JWTs and cookies (which you may already understand -- and hence it may useful/interesting) and some of the related security concerns and how JWTs fit in to the picture.
I could try and reduce the expiry date, however... isn't it true that as long as the user details are the same, the token generated will also be the same every time? So what's the point of the expiry date, if you are going to end up with the same token anyway?
The token's expiry is stored within the body of the token (under a exp key), hence the token's value does change whenever a new token is generated with a different expiry time. RFC7519 states the "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim., hence if the library you're using is acting correctly in this regard, then a token with an exp value in the past won't validate correctly and hence the token is unusable.
I have an app, that pulls data from my Instagram account.
I authorized this app once, and got access token. But I'm worried,
what if this token expires? Should I authorized the app each time the
token expires?
Can I receive another access token from the auth code?
If no, what can I do to have my app always pulling data from account
without my participation?
Thanks.
But I'm worried, what if this token expires?
AFAIK, Instagram accesstokens don't expire currently.
Note: From Instagram documents.
Note that we do not include an expiry time. Our access_tokens have no explicit expiry, though your app should handle the case that either the user revokes access or we expire the token after some period of time. In this case, your response’s meta will contain an “error_type=OAuthAccessTokenError”. In other words: do do not assume your access_token is valid forever.
Should I authorize the app each time the token expires?
At the moment, you do not need to do that, as token does not expire. As and when the token expires in future, a corresponding warning or error code and message will be sent to you, which you need to handle.
what can I do to have my app always pulling data from account without
my participation?
You can try following:
Use sharedpreference to store the accesstoken.
First time when you try to fetch data that needs accesstoken(Authenticated requests), first check in the sharedpreference whether the accesstoken is stored or not.
if yes then you don't need to login, just use that accesstoken. If you don't have the accesstoken in preference then do the login using instagram credentials, get the accesstoken and then share it in shared preference and use that for subsequent requests.
You can provide instagram logout option in which you just need to clear the accesstoken from sharedprefernce.
Hope this is helpful to you.
Update - This no longer works as mentioned in the comments
While not well documented, It's worth pointing out that retrieving a feed of posts does not require an accessToken.
https://api.instagram.com/v1/users/{user-id}/media/recent/?access_token=ACCESS-TOKEN
can also be called passing just your client_id
https://api.instagram.com/v1/users/{user-id}/media/recent/?client_id=CLIENT_ID
This isn't made clear in their documentation though.
https://instagram.com/developer/endpoints/users/
The Instagram access token expires at arbitrary times.
Twice in the in the last 7 months from my experience.
I did not find any way to regenerate the token without my participation, the only valid solution IMHO is to avoid the official API and use something like:
https://stackoverflow.com/a/33783840/
For the last 3 week, I have created new token multiple time and its expire after 2 days, but I also notice that some token didn't expired which were created before 3 years. Also, Instagram docs say the token can expire any time in the near future.
There is a hack at this moment to show the user's last post just append URL with `/?__a=1''
after user name such as
https://www.instagram.com/vaseem.ishak/?__a=1
you will get user last post with image text, no of comment like etc.just dig little the return JSON
I'm using GData's AuthSub so that my administrative application doesn't need to store user/password information. I just came to the point in the documentation where I learned how to exchange the first, single-use token, for a session token (http://code.google.com/apis/accounts/docs/AuthSub.html#AuthSubSessionToken). And then this statement jumped out at me:
You can ignore the expiration date, which is not currently used; session tokens effectively do not expire.
Would someone care to explain how a non-expiring token is not a security issue? What does "effectively not expire" really mean? Theoretically if a malicious application manages to obtain one of these tokens, can it continue to use it regardless of password changes? Is it possible to see what session tokens have currently been issued on a Google account?
In short, my paranoia has taken hold, and I need a big smart person to comfort me!
EDIT: You can manually revoke tokens at https://www.google.com/accounts/IssuedAuthSubTokens
Yes, in fact if a session token never expires it is a vulnerability is recognized by CWE-384 , If the session takes a really long time to expire then it is a violation of CWE-613. Both CWE pages give a great explanation of the vulnerability. I do not know the specifics to this applications, but normally a Session token can be used to immediately authenticate without need for the username/password.