I wish to implement an Instagram feed reader for my website. A reader that will show my Instagram feed in a unique interactive manner without asking the user to login to Instagram. Is there a way for me to do this reliably using Instagram APIs or their new Instagram Business APIs?
Current options and their caveats:
1. The Instagram v1 API found here (https://www.instagram.com/developer/)
requires user to authenticate. There is no way for an application to use grant_type=client_credentials to acquire a token and make API calls.
The tokens generated don't seem to expire but a note says they may expire any time, making a solution that uses a manually generated token unreliable.
https://www.instagram.com/developer/authentication/
2. Instagram Business accounts API found here (https://developers.facebook.com/docs/instagram-api/)
requires an Instagram business account, and at the same time the queries to media endpoint seem to require User Access Token, which again requires a user to login for generation/renewal of token. (https://developers.facebook.com/docs/instagram-api/reference/media/)
I'm aware of endpoints like https://www.instagram.com/{username}/media/, but this is undocumented and can disappear any moment.
I will highly appreciate any help, or recommendation to implement such a feed that does not require a user to generate authentication tokens.
as it is said in Instagram API doc:
In your application, you should have each user go through an authentication and authorization flow in order to receive a valid access_token.
so I can see just too ways:
use '/media' end-point until it is blocked (i believe it is relatively reliable, because anything can disappear one day, not just undocumented things)
authenticate yourself on instagram, and use your own access_token for API requests, as it is done in several popular tools for getting instagram recent posts
Related
We are building a mobile app on behalf of a corporation and the API needs to be able to return the corporation's Instagram feed. We have found that implementing what should be a simple requirement incredibly difficult.
We need to retrieve the following Instagram post data from the corporation's feed:
image url
caption
url to post
timestamp
With this in mind we identified that we need to use the Instagram Graph API which means there are strict requirements around permissions.
Note: We are open to using any method that returns us the required data.
Using the Instagram Graph API we need to use the following endpoints:
Media (to get a list of the latest IG Media objects for a user)
IG Media to get detail about each media object
This works fine but the problem lies with getting a long-lived User Access Token. To get this kind of token we need the instagram_graph_user_media permission. The Long-Lived Access Tokens documentation says:
Long-lived tokens are valid for 60 days and can be refreshed as long as they are at least 24 hours old but have not expired, and the app user has granted your app the instagram_graph_user_profile permission.
How can the app user (the corporation) grant the app the permission? As I mentioned this is for an app on behalf of a corporation.
Any help here would be really appreciated!
Thanks
Did you go through the App review process in Facebook? Whenever there are user permissions involved, you need to go through the App review process for your app. Even though you don't use user permissions, some user permissions are pre-requisites for some business permissions.
Read the article here for more information: https://developers.facebook.com/docs/app-review
Unsure if this will be of any help, but battling exactly the same thing today came across this and it made for some intresting reading https://solrevdev.com/2020/05/28/instagram-basic-display-api.html
First off, I'm not looking for the access token of a facebook account.
I (or my facebook messenger bot) need the access token of a linked 3rd party account.
The account was successfully linked as described here: https://developers.facebook.com/docs/messenger-platform/identity/account-linking
Slightly off topic: The first issue I noticed that does not meet the OIDC/OAuth2 specs is, that the redirect URI given to the /authorize endpoint expects a param "authorization_code" instead of "code" with the actual authorization code. Ok, good thing we do not use off-the-shelf software for the IdP, so I could mend that. Yet.
Now, I'm accustomed from the Amazon Alexa account linking to let the amazon do the token management, refreshing etc. and to deliver an 3rd party access token with every request.
But not with Facebook, it seems. As far as I managed to understand (not by the docs, but by try&error), for the Facebook Messenger the account linking is finished once they get the authorization code (and call an associated webhook).
But since I need an actual access token for every request to my bot, that's not gonna help much.
It now looks as if I have to extend my bot to be a complete, but not standardised, OAauth2/OIDC client (including token handling, refreshing etc.) with some problems:
how to check the validity of the redirect URI?
should be the same as in the initial request
how to validate the authorization_code?
keep in mind, normally this bot has no connections/access to the database of the IdP
how to link this to a specific facebook user id?
My question now is, how to cope with that behaviour when I aim to use standardised software for the OAuth/OIDC IdP? Any ideas?
Thanks in advance
Thomas
EDIT:
To clarify what is meant by "account linking": I'm not interested in the users facebook account, I want to access information of a 3rd party account (provided with my actual service) of that user.
For example a call like "How many pictures are in my tumblr account" will need the customer to link the tumblr account to this facebook messenger bot.
For comparison: this worked extremely smooth with Amazon's Alexa and Google Actions. I simply had to input the client credentials and OAuth endpoints and thats that. If the user successfully linked the 3rd party account, I get an access token with every query to my backend, as expected.
EDIT2: as pointed out by CBroe, this is not supported by Facebook. Only actually "linking" the User IDs is possible.
I need to post message on a certain FB page as a owner by cron, using php and ZF 1.1.X. For this small issue, I don't want to create a full OAuth stack. Is it possible to communicate with FB API (it's desirable, PHP SDK for FB) without it, such as twitter with his precreated access tokens (Access token, Access token secret)?
As long as you need an active user access_token to retrieve desired data this is not possible to skip OAuth flow.
Without authenticating user you only have application access_token (in old format APP_ID|APP_SECRET, but it's still works) and only limited access to most of Graph API endpoints and Application settings.
Actually there is nothing hard in implementing the user authentication with OAuth flow and it is completely transparent with usage of PHP-SDK.
Just look at the sample code in documentation for server-side authentication
Yes, you need to build an app and then authorize the page via the app while requesting the manage_page permission.
You should make yourself familiar with the Server Side Auth process as well.
Suppose that I make an app that is using Facebook login (basically for dealing with who is who). Is it possible that the app to fetch the user's history from Foursquare if it get the user's permission? (The user uses Facebook's login on Foursquare as well)
No. You need to go through each authorization flow separately. First, the user grant your application access by going to Facebook and coming back with an access token (or authorization code you later exchange). Then you need to send them over to Foursquare to approve access again. Foursquare might need to authenticate them via Facebook but that's really not your concern (and should be transparent if they have an active Facebook session). Foursquare will issue you another access token for their API.
There are discussions in the community about the use case of allowing your application to pass the Facebook access token to Foursquare so they can validate the user identity with Facebook and then issue you an access token. However, there are many issues with that. By not directly interacting with the user, Foursquare has no way of knowing that the user wants to give one application access to their data stored on another application.
We're hoping to create mobile phone applications for (among other features) posting video to a user's FaceBook page. However, using their API, it looks like we would need to open a web viewer and have the user enter their login credentials every time the application is used. We would prefer to store these credentials so the user only has to login once.
We could of course save the http login post and resend it as needed, but this breaks if FaceBook changes their API and I worry about their terms of service and using an unofficial hack such as this.
Maybe someone knows of another application that uses Facebook this way?
You should have been returned an oAuth token to use.
The new Facebook API has a service you can call with the old tokens and it returns you a new oAuth token.
You just have to add offline_access to your permissions. You do this by adding &scope=offline_permissions at the end of your authorization url. Then your oAuth token won't expire.