17

With instagrams new api changes, it appears that there is no way to get an access_token without having some sort of user interaction. All of the documentation that I have found has stated that there is a mandatory pass through of loggin in authorizing an app via a user interaction(https://www.instagram.com/developer/authentication/):

Server-side (Explicit) Flow

Step One: Direct your user to our authorization URL

https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=code Note: You may provide an optional scope parameter to request additional permissions outside of the “basic” permissions scope. Learn more about scope.

Note: You may provide an optional state parameter to carry through a server-specific state. For example, you can use this to protect against CSRF issues.

At this point, we present the user with a login screen and then a confirmation screen where to grant your app access to her Instagram data.

Client-Side (Implicit) Authentication

Step One: Direct your user to our authorization URL

https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=token At this point, we present the user with a login screen and then a confirmation screen where they grant your app’s access to their Instagram data. Note that unlike the explicit flow the response type here is “token”.

With an access_token that refreshes periodically, is it possible to to get the access token without user interaction?

I am trying to display my feed on my site but I haven't found a way besides the embed options they offer after the API changes.

EDIT: My question getting marked as a dupe of Instagram OAuth Access Token expiration for app but I am not looking at figuring out the expiration(that is not explicitly defined in the IG documentation). I want a purely programmatic way to get the the access_token.

Community
  • 1
  • 1
ninjasense
  • 13,756
  • 19
  • 75
  • 92

3 Answers3

1

I'm having this issue too. I'm assuming you want to write a script to run things for you.

One (rather lame) solution would be to use selenium, phantom JS, headless chrome, or any other similar tech to visit the login screen to fill in the account credentials (throw security out the window), before grabbing the code from the following redirect URL...

It's a shame that Instagram doesn't allow this type of non-user-required account option.

Nick Knuckle
  • 106
  • 10
0

You can store the access token in your server. As long as its valid, you don't need to ask your users to login.

Keep in mind that the access token has an expiry date. So you have to handle that case too[i.e, on expiry, ask the user to login again and fetch and save the new access token]

coderz
  • 1,366
  • 1
  • 12
  • 23
  • 2
    But this method still requires some sort of user interaction to get the original access_token correct? – ninjasense Jun 08 '16 at 17:18
  • Its given that you have to ask user for their permission before using their data. You can only make it easy for the user to not login every time, but periodically!. Accessing user data without user interaction implicitly is privacy breach in some way. – coderz Jun 13 '16 at 07:15
  • @coderz `Accessing user data without user interaction implicitly is privacy breach in some way` - not really. If a user wants to allow someone (like an MCN) to perform actions on their behalf, they'd have to drive on over to the MCN's business offices every time their access token disappears. – Nick Knuckle May 03 '17 at 00:14
  • @NickKnuckle, if you want 3rd party apps to perform actions on the user's behalf, you first need their permission {here in token}. By user interaction I meant user permission. That is always required on every valid API call you make. Access tokens are a means of not bothering the user with their login credentials every time. But once it expires, they need to login again [ as far as I know ]. Hope I could make myself clear. – coderz May 03 '17 at 11:41
  • 1
    @coderz Yes I understand, but my statement still stands. Access tokens expire and the user needs to re-authorize, which isn't always desirable. For example, Youtube has an option where you may, in your account settings, allow another account to be an "admin" account, w/ full permissions, and there's no user interaction needed. – Nick Knuckle May 04 '17 at 21:08
  • @NickKnuckle, I do not know if it is allowed for Instagram – coderz May 06 '17 at 06:43
0

Here in the Instagram developer docs, it states:

https://www.instagram.com/developer/authorization/

Content Display for Personal Website. If you are a developer and you want to showcase Instagram content on a website, then you do not need to submit your app for review. By using a client in sandbox mode, you will still be able to access the last 20 media of any sandbox user that grants you permission.

So if you already have a client set up with Instagram, you should be able to continue to grab your posts from the API as long as you're in "sandbox" mode. You'll only be able to grab posts for your own user account or any that have given your sandbox permission (limit of 10).

If you don't already have an access token, you can use something like Oauth.io. (It's free.)

mspseudolus
  • 106
  • 2
  • 7