Instagram will enforce signed requests for all API requests starting September 1st.
Unit tests are easy. And for integration tests Instagram suggests to make a cURL call.
curl \
-X POST \
-F 'access_token=<your_access_token>' \
-F 'sig=<your_signature>' \
https://api.instagram.com/v1/media/657988443280050001_25025320/likes
The thing is that our app does not request likes scope, so the response from that call is not we expect.
HTTP/1.1 400 BAD REQUEST
{"meta":{"error_type":"OAuthPermissionsException","code":400,"error_message":"This request requires scope=likes, but this access token is not authorized with this scope. The user must re-authorize your application with scope=likes to be granted write permissions."}}
With GET calls sig is silently ignored by the API. Is there a way to test our signature code before September 1st using basic scope only?
Related
I'm trying to integrate with the new instagram api as my feed is no longer working, i have setup my app and give it the necessary things, when i make the request so in my case
https://api.instagram.com/oauth/authorize?client_id={instagram app id}&redirect_uri={redirect_uri}&scope=user_profile,user_media&response_type=code
it takes me to instagram asks me to sign in with the instagram i am then redirected back to the redirect uri and in the url it has the following ?code=XXXXX and then a big long string of what i assume is the access token but when i try using it it doesn't work i tried pasting it in the facebook access token debugger and it says "Invalid OAuth access token."
this is how i am trying to use it https://graph.instagram.com?fields=media_url&access_token=XXXXX
No, that "code" part is not the access token. But you need it to take access token. When you have "code=XXXXX#_" take the "XXXXX" part. Notice - you need to remove "#_" in the end.
Then you have to make POST request like they say in the docs. Dependent of what tech you use you can make it with internal functions. E.h. in Rails you can use Curl::Easy.http_post()
They use this bash line:
curl -X POST \ https://api.instagram.com/oauth/access_token \ -F client_id={app-id} \ -F client_secret={app-secret} \ -F grant_type=authorization_code \ -F redirect_uri={redirect-uri} \ -F code={code}
client_id = your instagram client id
client_secret = your secret.
(you can find both in facebook developer page under you Instagram Basic Display tab.
grant_type=authorization_code (leave it like it is here)
redirect_uri = this is the page where you will be navigated after you get the token
code = "XXXXX" part from the "code=XXXXX"
In server response you will receive the object with user_id and access_token fields. Notice that this token expires in 1 hour. But you can exchange it for 60 days long term token.
Use this pattern to get it:
https://graph.instagram.com/access_token?grant_type=ig_exchange_token&client_secret=#{YOUR_CLIENT_SECRET}&access_token=#{SHORT_TERM_TOKEN_YOU_JUST_RECEIVED]
It should return object with 2 fields: a long life token itself and the number of seconds until expiry.
Hope it helps.
I've seen a couple questions on this asked on StackOverflow, but none have helped me. I can not get past the 'invalid_grant' error when trying to do an Authorize Code Grant on my 1 admin user in Docusign Sandbox environment.
I have 1 user, who is a DS Admin in the dashboard
I created a new App and obtained the Integrator Key/client_id and Secret Key
Using the guide, https://developers.docusign.com/esign-rest-api/guides/authentication/oauth2-code-grant
I have successfully called and granted permission to the user with
https://account-d.docusign.com/oauth/auth?
response_type=code&scope=signature%20impersonation&client_id=INTEGRATOR KEY&redirect_uri=https://www.docusign.com
and obtained the code returned
I have taken the Integrator Key and secret key, in form INTEGRATOR_KEY:SECRET_KEY and base64 encoded it.
I have tried using Postman and just straight up cURL call to obtain the access token. I have done this numerous times, with numerous new Apps created in Docusign Sandbox. They all return invalid_grant error.
cURL call
curl --header "Authorization: Basic BASE64ENCODING(INTEGRATOR_KEY:SECRET_KEY)" --data "grant_type=authorization_code&code=CODE_RETURNED_FROM_PERMISSION_GRANT" --request POST https://account-d.docusign.com/oauth/token
It's possible that DocuSign isn't able to correctly interpret your request because you're missing a Content-Type header.
Try adding Content-Type: application/x-www-form-urlencoded
The Authorization Code you receive back from DocuSign is only good for a couple of minutes. If you try to use it after that time then you'll receive the invalid grant error.
Also, if you are doing the Authorization Code Grant flow then you should not be requesting the impersonation scope. -- It is only for the JWT flow.
I setup a website a year ago with an Instagram feed displaying images from an account on the site. It has worked perfectly until last week where i started throwing: Error from Instagram: The access_token provided is invalid.
from nowhere.
I looked around and found that (rather logically) I need to re-generate the token. I tried doing so via instagram.pixelunion
while logged in on the admin account. It did not work.
So I tried this one:
https://www.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=token
And I figured how that site worked was to paste in the clientId into the url afterclient_id=xxxand refreshed the page, but doing that returns:
{"error_type": "OAuthForbiddenException", "code": 403, "error_message": "Implicit authentication is disabled"}
Here's my code for fetching the images (I have a instafeed.min.js also):
var feed = new Instafeed({
target: "insta-images",
get: 'user',
userId: "xxxxxx",
clientId: "xxxxxxxxxxxxxxxxxxxxxxxx",
accessToken: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
resolution: "standard_resolution",
limit: 8,
template: '<li id="insta"><img src="{{image}}"/></li>'
});
feed.run();
If you look at your application setting:
https://www.instagram.com/developer/clients/{clientId}/edit/
under "security"; You would have Disable implicit OAuth checked. which is described as:
Disable the Client-Side (Implicit) OAuth flow for web apps. If you check this option, Instagram will better protect your application by only allowing authorization requests that use the Server-Side (Explicit) OAuth flow. The Server-Side flow is considered more secure. See the Authentication documentation for details.
To solve the error you are facing: Implicit authentication is disabled you need to use server side auth. That is response_type=code rather response_type=token in your request.
Extra details on the difference in OAuth 2.0 for response_type:
response_type=code will give you the temporary code and you use token endpoint to receive token from the code (https://www.instagram.com/developer/authentication/):
curl -F 'client_id=CLIENT_ID' \
-F 'client_secret=CLIENT_SECRET' \
-F 'grant_type=authorization_code' \
-F 'redirect_uri=AUTHORIZATION_REDIRECT_URI' \
-F 'code=CODE' \
https://api.instagram.com/oauth/access_token
I am trying to use authorization code grant flow to authorize to my app Documentation here. I am building an app to support auto user provisoning to Docusign using REST APIs. i have created a developer account and have obtained Integrator Key and the secret key.
I made following request to obtain the auth code :
account-d.docusign.com/oauth/auth?response_type=code&scope=signature&client_id=<MY_CLIENT_ID>&redirect_uri=<localhost> and the response on the browser with the code.
I am using curl command to generate tokens using the following request :
curl -iX POST account-d.docusign.com/oauth/token -H "Authorization: Basic base64_representation_of_clientId:clientSecret" -d 'grant_type=authorization_code&code=<Auth Code recieved in the previous step>'
However I am getting this response :
HTTP/1.0 301 Moved Permanently
Location: account-d.docusign.com/oauth/token
Server: BigIP
Connection: Keep-Alive
Content-Length: 0
What can be the possible reason for this error response?
Perhaps try adding the protocol (https://) to the request URI?
curl -iX POST https://account-d.docusign.com/oauth/token...
I know how to get code by:
https://www.instagram.com/oauth/authorize/?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&response_type=code
However, I cannot find a way to get access token by server only.
It is blocked for all new comers and all applications lately in June 2016?
http://techcrunch.com/2015/11/17/just-instagram/
You redirect user to URL you posted above.
User logs in (if not logged in) and grants your app permissions to access data
User is redirected back to URL provided in redirect_uri (see step 1). Also, code is appended to the URL.
You are at http://your-redirect-uri?code=CODE (which you control). Then you are able to exchange code for access token by querying Instagram's servers. Here is cURL command:
curl -F 'client_id=CLIENT_ID' \
-F 'client_secret=CLIENT_SECRET' \
-F 'grant_type=authorization_code' \
-F 'redirect_uri=AUTHORIZATION_REDIRECT_URI' \
-F 'code=CODE' \
https://api.instagram.com/oauth/access_token
After you receive token for the first time, store it (if you need to access data later).
More info in official docs.: https://www.instagram.com/developer/authentication/