10

This is now the 4th time I am sending my app for review. I want to use Instagram Basic Display API and therefore require instagram_graph_user_media permission to access media (and incidentally instagram_graph_user_profile). I have 2 test users, my personal IG account with a bunch of pics and a test user that I created with an empty feed. I can login with both users. But when the Instagram app reviewer is logging in, my app can't access their media. I successfully retrieve the access token but when comes the time to call the Graph API here is what happens:

https://graph.instagram.com/me/media?fields=media_type,media_url,permalink,thumbnail_url&access_token=IGQV....

returns

{"error":{"message":"Application does not have permission for this action","type":"IGApiException","code":10,"fbtrace_id":"A99vuaAC41DSvlt0Hxvcly-"}} enter image description here

totten
  • 2,769
  • 3
  • 27
  • 41
standup75
  • 4,734
  • 6
  • 28
  • 49
  • I have the same issue. The guidelines offer absolutely no help with this. I did go ahead and create a test account for them to log in to, but my app was just now rejected because they got stuck on the Instagram authentication screen because the login attempt was seen as suspicious, and they needed to send me a unlock account email! – Parakoos Mar 04 '20 at 01:59
  • This is amazing. Glad I'm not alone... Trying to give them a test account. I'll probably just run into the same issue... – standup75 Mar 05 '20 at 16:11
  • I gave them the password and email login url for the email underpinning the test account. They are definitely using the test account btw. – Parakoos Mar 06 '20 at 20:33
  • Been almost 2 weeks now; I hope you been able to get your app approved. Have you? – DingDong Mar 11 '20 at 10:36
  • Yes, without changing anything, just had to submit it a certain number of times... (7 I think) – standup75 Mar 12 '20 at 18:34

7 Answers7

2

Here is an update from my latest app review rejection. This time, I added the code above to catch code 10 errors and if I did, try to fetch the user profile data. Guess what, that failed with a code 10 error as well. So, whatever the app reviewer is doing, it is granting access to neither the profile or the media API.

Another update. The reviewer I had this time sent me two screenshots, one of the Instagram login screen and one of my app's error screen. Interestingly, the Instagram login screen had a strange Instagram username that I have never heard of before. It certainly wasn't my test Instagram account. So I now have evidence of them both using my test account and their own special test accounts.

The question in my mind now is, is there something special about their test accounts that ruins the process? After all, I have not added them to be testers of my app, although if someone who hasn't accepted my test invite tries to log in, it errors in an entirely different way.

I am running out of ideas here. My next thing to try is to exchange the short-lived access token for a long-lived token, as well as trying to use the new access token to server-side (where I exchange the code for the access token) to check if the access token ever works or if it is created with insufficient access.

This whole process is a nightmare.

totten
  • 2,769
  • 3
  • 27
  • 41
Parakoos
  • 1,183
  • 6
  • 15
  • This is mind blowing. I'm sorry that you have to go through that pain, and also I'm so glad to hear that I'm not crazy... I tried to file a bug and it got rejected (see https://developers.facebook.com/support/bugs/139002590749841/) I asked the question to the support and it got ignored too (https://developers.facebook.com/settings/developer/community/) – standup75 Mar 09 '20 at 04:19
  • I reached out the FB developer group and the same person as in the FB support shut it down saying that tester have special account and basically I am doing something wrong (https://www.facebook.com/groups/fbdevelopers/2852493798127449/?comment_id=2860995207277308&notif_id=1583482160833845&notif_t=group_comment) I invite you to comment on these threads so we can try to finally get some attention on this. FB motto "move fast and break things" never made so much sense... – standup75 Mar 09 '20 at 04:19
  • Just got another rejection, this time what doesn't make sense is the screenshot they give me: https://scontent-sjc3-1.xx.fbcdn.net/v/t39.8008-6/87172874_204650223942760_2254285762231009280_n.png?_nc_cat=108&_nc_sid=a41860&_nc_ohc=tNJmXR5BJvkAX_pheVh&_nc_ht=scontent-sjc3-1.xx&oh=ed7631d27cd7b80c3ecea564b7ab6633&oe=5E929BF5 Oauth has nothing to do with Basic Display. I'm lost – standup75 Mar 09 '20 at 21:33
  • 1
    No, that makes total sense. What you are doing when you send the user to instagram to sign in is the start of the OAuth process. And I recognize that screen. It is what you get when someone who isn't one of your approved testers nor an app reviewer goes to the sign in page. You can easily replicate it. Do the sign in with an instagram account that isn't an approved tester for your app. – Parakoos Mar 10 '20 at 05:38
  • 2
    The craziest thing happened, I re-submitted the app for the 7th time (I think, might have lost track) and it got approved. Go figure. Literally didn't change anything in this submission. – standup75 Mar 10 '20 at 16:01
  • exchanging the short-lived for a long-lived token won't do either; I added this to my app since day one of submission. Then: their reviewers seems quite helpless. I have submitted 6/7 times now, you have to do some real (!) spoon feeding here. I created a website account (where my app is supposed to run), a separate Instagram account (imagine that!!), granted the test permission, added screencasts that include not only the video, but also typing live into text file, step by step. – DingDong Mar 11 '20 at 07:46
  • The ultimate question here: why do they (Fb/IG) allow a **user_media included into scope parameter**, if user can uncheck *Access your media* only to return a **code 10**? I mean, if 'username' and 'account type' are **Required**, then they still should at least return 'username' and 'account type' – DingDong Mar 11 '20 at 07:51
  • @standup75 have been fighting with this for quite some time nw. about the **insufficient developer role I can say that you have to make sure that the current Instagram user (actually you are logged in) should be added as App Tester (by invite) and he should accept the invite (IG/settins/websites & app/pending invites) – DingDong Mar 11 '20 at 07:54
  • True , This whole process is a nightmare. – nshah143 Jul 30 '20 at 05:48
1

I will put this as an answer because we have dealt with this thing now for over 2 weeks and quite a few submissions. I think you should remove the bounty though.

What you have done so far:

  • Created and approved IG test accounts
  • Double and triple checked parameters & permission
  • Tested your app a dozen times
  • Created dozens of screencast spoon-feeding, making sure a 5 yo kid would be able to test your app

Having the above, I am sure you noticed:

  • The reviewer will add a generic text as 'reject reason.'
  • The reviewer will submit the irrelevant and out-of-scope screenshot(s)
  • The reviewer will not test with the Instagram credentials provided.
  • Maybe he WILL test with the Instagram test credentials provided (in fact you're left in the dark as to how they actually simulate IG access)
  • The reviewer will claim he's unable to sign in using provided credentials
  • The reviewer claims having tested, but you see no traces in your DB whatsoever (would be smart to do so, to know whether they're actually doing something or not, up to a certain point)

Conclusion

You have to know that your app is at the reviewer's mercy and approval sometimes arbitrarily. Eventually, you will find your app being approved while having submitted it to change at all.

totten
  • 2,769
  • 3
  • 27
  • 41
DingDong
  • 75
  • 1
  • 14
1

This should be obvious but when you are so deep in the hole and try to think why your app is being rejected you stop thinking logically.

Here is what I did:

  1. Create a dummy Instagram account.
  2. Link this account to an email provider that doesn't require a phone/another way of verification (I used ProtonMail).
  3. Use an Instagram Tester account (do the whole process).
  4. In your instructions let the reviewer that they need to log in to ProtonMail to get the Instagram confirmation code; since they will do login from an unknown location (if you could simulate the above in your screencast that would be great, but I didn't do it).
  5. If you apply for both instagram_graph_user_profile and instagram_graph_user_media you need to do this in 2 steps individually.
  6. The second step getting the instagram_graph_user_media permission is much easier.

I lost a couple of days and tried everything and anything before I realized that.

Hopefully, this should help someone that is having the same problem.

The app was approved the first time.

krasenslavov
  • 355
  • 1
  • 4
  • 14
  • I can confirm this solution works fine. I've passed review for my Business API in one try (without any test accounts etc) but stuck on Basic API for 8 retries. I've provided test account (with proton mail on file) credentials for my 9th retry and pass it in 20 minutes. Ive requested all (both) basic permissions and app review at once. – 350D Aug 07 '22 at 08:53
0

It is possible that the App Reviewer is unchecking the instagram_graph_user_media access in the authentication screen, thus giving you only access to instagram_graph_user_profile. I had the exact same error code being thrown back my way, and I did the following:

  1. Catch the error code 10 error
  2. Try to fetch the https://graph.instagram.com/me?fields=account_type,username&access_token=${accessToken}
  3. If that works, then display a page that makes it clear that you have successfully connected to the Instagram User Profile (and here is your username and account type) but, if the user wants to do X they also need to approve media access, and here is a button to go and reauthenticate again.

See the image I have below.

Now, I did the above and I still got an app review failure of code 10, which means that the second fetch to only the username and account type failed, and I do not know how they could possibly have managed to do that.

enter image description here

totten
  • 2,769
  • 3
  • 27
  • 41
Parakoos
  • 1,183
  • 6
  • 15
  • Forgot to say, you can simulate your own code 10 by unchecking the Access your media checkbox. – Parakoos Mar 06 '20 at 20:48
  • Alright, things noteworthy in general and specifically about the Error Code 10... and you may want to look into it: 1) Implement what you request approval for! if your app requests 'scope=user_profile,user_media', then reviewer will want to see an implementation of the both, i.e.: - query user node (graph.instagram.com/{account_id}?fields=id,username,media_count,account_type&access_token={access_token}) and demo it. - query user's media graph.instagram.com/{account_id}/media?fields=id,media_type,media_url,username,timestamp&access_token={access_token} and load user's posts. – DingDong Mar 11 '20 at 09:15
  • 2) My most recent submission got me 'instagram_graph_user_media' approved, but 'instagram_graph_user_profile' rejected (right, the opposite). Maybe this shows that reviewers are not into it? 3) if your reviewer or you unckecks(s) 'Access your media' and then 'Authorize' button, your app will still be added as 'Authorized' under 'Settings->Apps and Websites' (Wait, what?!). Confusing, because: your app is approved, you are able to exchange short-lived with long-lived token (even get a proper expiry date of the long-lived token), but you receive Error Code 10. – DingDong Mar 11 '20 at 09:15
  • 4) A simple user node query with the valid long-lived token above will throw the error (Application does not have permission for this action) – DingDong Mar 11 '20 at 09:15
  • 5) If you submit for approval both features, 'instagram_graph_user_media' and 'instagram_graph_user_profile', then make sure your token request URL looks like api.instagram.com/oauth/authorize?client_id={client_id}&redirect_uri={your_redirect_uri}&scope=user_profile,user_media&response_type=code otherwise you WILL receive error Code 10 – DingDong Mar 11 '20 at 09:34
0

They admitted issue but not fixed yet: https://developers.facebook.com/support/bugs/543633182940083/

kPaha
  • 1
0

To get approved for Instagram Basic Display:

  1. create a Facebook test user
  2. create an Instagram account with that FB test user
  3. give the credentials (email/address) of the Facebook test user to the reviewer in the Instagram Basic Display submission
Al Wld
  • 869
  • 7
  • 19
0

Basic Display API review process is so bad its beyond words. I have been hitting the brick wall of their rejections for 3 weeks and almost got bald by pulling my hair in frustration. You really have to read between the lines to get a hint of what they are doing.

Turns out what the reviewer was doing is selecting "Continue with Facebook" on the Instagram Login screen and going that route (via Facebook login) instead of entering the instagram credentials directly. Only once I realized that I was able to pin point the problem. Interestingly though testing on the Simulator was fine but the problem only became apparent once I tested on the real device. The reason - simulator doesn't have neither Facebook app nor Instagram app installed, so it behaves differently versus the device where these apps get involved in the flow via deep linking.

The bottom line:

  1. Test on real device.
  2. Make sure to test both the direct Instagram log in and the "Continue with Facebook" option.
  3. Test on the device with and without the Facebook and/or Instagram app installed.
  4. Make sure to use brand new instance of WKWebView with non persistent data store to bring up the login screen, so that it doesn't have any cookies from previous logins:
        let configuration = WKWebViewConfiguration()
        configuration.websiteDataStore = WKWebsiteDataStore.nonPersistent()
        let webView = WKWebView(frame: .zero, configuration: configuration)
  1. Pray the God of your choosing.
Vadim Dagman
  • 331
  • 1
  • 7