This article walks through the official documentation for application registration and authorization. The next article is a demo.

Foreword

You may be surprised to find that the entire authorization process requires no SDK integration and almost no code, which is completely different from WeChat, Sina, or QQ authorization.

Register an account

Start by signing up and logging into your Instagram account

Sign up for an account

Register your app

Official Instagram developer docs

  1. Click the green Register a New Client button in the upper right corner

If you haven’t registered an app yet, the area in the red box is empty; I have already registered two apps.

  1. Create an app

Enter the Valid redirect URIs

  1. Click on the MANAGE button

  1. Click the Security tab

There are two authorization modes: server-side authorization (recommended and secure) and client-side authorization (the app's front end can obtain the access token without a server side, but it is not safe and not recommended).

We demonstrate client-side authorization first, so the Disable implicit OAuth check box must be unchecked. If it is checked, the client-side authorization mode will not take effect and an error will be reported.

Click the Update Client button at the bottom of the page to make the changes take effect.

  1. Click the Sandbox tab

  1. Click the Permission tab

At this point your application registration is complete. Pay special attention to the key settings mentioned above; overlooking them is an easy pitfall. The key points again:

  • Valid redirect URIs:
  • Disable implicit OAuth:
  • Sandbox Mode

Read the authorization process documentation

Please read this official document carefully

No article can compare with the official documentation, and reading it in English is necessary.

It is recommended to read this document at least briefly. If you don’t want to read it, you can go to the next one.

Authorization

The Instagram API uses the OAuth 2.0 protocol for simple but effective authentication and authorization. OAuth 2.0 is easier to use than previous solutions, and developers can start using the Instagram API almost immediately. One thing to keep in mind is that all requests to the API must be made through SSL (https:// instead of http://).

Do you need to authenticate?

The Instagram API requires authentication – specifically requests made on behalf of users. Authenticated requests require an access_token. These tokens are unique to the user and should be stored securely. The access token may expire at any time in the future.

Receive access_token

To receive an access_token you must do the following:

Direct users to our authorization URL.

  • If the user is not logged in, they are asked to do so.
  • Users will be asked if they want to grant your app access to their Instagram data.

You can get user authorization in two ways:

Server-side process (recommended): Redirect the user to the URI of your choice. Take the supplied code parameter and exchange it for an access_token by POSTing the code to the access_token URL.

Implicit flow (not recommended): Instead of working with a code, we include the access_token in the URL as a fragment (#). This approach is less secure, but allows applications that do not have any server component to receive an access_token.

Even if our access token does not specify an expiration date, your application should handle situations where users revoke access or Instagram expires the token after a certain period of time. If the token is no longer valid, the API response will contain “error_type = OAuthAccessTokenException”. In this case, you need to re-authenticate the user to get a new valid token.

In other words: Don’t assume that your access_token is always valid.

Server-side (explicit) process

Using the server-side process is simple. Just follow these steps:

Step 1: Direct users to our authorization URL

Api.instagram.com/oauth/autho…

The client_id and redirect_uri values must be the same as those of the application you registered.

Note: You can provide an optional scope parameter to request permissions beyond the “basic” permission scope. See the scope documentation for details.

Note: You can provide an optional state parameter to carry through server-specific state. For example, you can use it to protect against CSRF problems.

At this point, we present the user with a login screen, followed by a confirmation screen that grants your app access to their Instagram data.

Step 2: Receive redirects from Instagram

After the user authorizes your application, we issue a redirect to your redirect_uri with a code parameter to use in step 3.

http://your-redirect-uri?code=CODE

Note that the host and path components of the redirect URI must exactly match the redirect_uri you registered (including trailing slashes). If you need to change the behavior dynamically, you can also include additional query parameters in the provided redirect_uri. Example:

In other words, the URI you use must be the same as the URI you registered, and if you need parameters, add them in the form shown in the table.

If the user rejects your approval request, we will redirect the user to your redirect_uri using the following parameters:

  • error: access_denied
  • error_reason: user_denied
  • error_description: The user rejected your request

In this case, it is your responsibility to fail gracefully and display the appropriate error message to your users.

Step 3: Request access_token

Now you need to exchange the code you received in the previous step for an access token. To do this exchange, you simply POST this code, along with some application identity parameters, to our access_token endpoint. These are the required parameters:

  • client_id: your client ID
  • client_secret: your client secret
  • grant_type: authorization_code is the only value currently supported
  • redirect_uri: the redirect_uri that you used in the authorization request. (Note: This must be the same value as in the authorization request.)
  • code: the exact code you received in the authorization step.

If successful, this call returns a neatly packaged OAuth token that you can use to make authenticated calls to the API. We also include the user who just authenticated, for your convenience.
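The three server-side steps above, as an added example (not code from the original article or from Instagram): it builds the authorization URL with a state value, validates the redirect (exact host and path match, state check, access_denied handling) and prepares the token-exchange POST without sending it. The endpoint URLs are placeholders because the URL on this page is truncated; the function names and the app.example.test redirect URI used to try it are assumptions, and response_type=code is the standard OAuth 2.0 value for this flow.

```javascript
// Added example, not Instagram's code. Endpoint URLs are placeholders.
const AUTHORIZE_URL = "https://auth.example.invalid/authorize";
const TOKEN_URL = "https://auth.example.invalid/access_token";

// Step 1: `state` is an unguessable per-session value from a CSPRNG,
// generated by the caller and kept in the user's server-side session.
function buildAuthorizeUrl({ clientId, redirectUri, state, scope }) {
  const url = new URL(AUTHORIZE_URL);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("response_type", "code");
  if (scope) url.searchParams.set("scope", scope);
  url.searchParams.set("state", state);
  return url.toString();
}

// Step 2: validate the redirect before using the code.
function handleCallback(callbackUrl, { redirectUri, expectedState }) {
  const got = new URL(callbackUrl);
  const registered = new URL(redirectUri);
  // Host and path must match the registered redirect_uri exactly.
  if (got.origin !== registered.origin || got.pathname !== registered.pathname) {
    return { ok: false, reason: "redirect_uri_mismatch" };
  }
  const q = got.searchParams;
  // A missing or different state means this session did not start the flow.
  if (!expectedState || q.get("state") !== expectedState) {
    return { ok: false, reason: "state_mismatch" };
  }
  if (q.get("error")) {
    return { ok: false, reason: q.get("error"), detail: q.get("error_reason") };
  }
  const code = q.get("code");
  return code ? { ok: true, code } : { ok: false, reason: "missing_code" };
}

// Step 3: form-encoded POST body. Build and send it from the server only,
// because it carries client_secret.
function buildTokenRequest({ clientId, clientSecret, redirectUri, code }) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: "authorization_code",
    redirect_uri: redirectUri,
    code,
  });
  return { url: TOKEN_URL, method: "POST", body: body.toString() };
}
```

Discard the stored state after one callback so a replayed redirect fails the state check.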

Client (implicit) authentication

If you are building an application without a server component (such as a pure JavaScript application), you will notice that you cannot complete step 3 above to receive your access_token without storing the secret on the client. You should never pass or store your client secret on a client. For these cases, there is an implicit authentication process.

Step 1: Direct users to our authorization URL

Api.instagram.com/oauth/autho…

Replace the uppercase parts with your own values.

At this point, we show the user a login screen, followed by a confirmation screen, where they grant your app access to their Instagram data. Note that unlike explicit flows, the response type here is “token.”

Step 2: Receive the access_token through the URL fragment

Once the user has authenticated and authorized your application, Instagram redirects them to your redirect_uri with the access_token in the URL fragment. It looks something like this:

Just get the access_token from the URL fragment and you’re done. If the user chooses not to authorize your application, you will receive the same error response as in the explicit process.
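Step 2 of the implicit flow, as an added example (not code from the original article or from Instagram): it reads the access_token from the fragment, handles the denial parameters, and returns the URL with the fragment removed so the token does not stay in the address bar or history. The function name, the app.example.test URL and the token value used to try it are assumptions.

```javascript
// Added example: parse the implicit-flow redirect. Works in a browser or Node.
function handleImplicitRedirect(href) {
  const url = new URL(href);
  // The fragment is not sent to the server; only client-side code can read it.
  const frag = new URLSearchParams(url.hash.replace(/^#/, ""));
  const query = url.searchParams;

  // Denial uses the same error parameters as the explicit flow. Check both
  // places, since the page does not say where they arrive in this flow.
  const error = frag.get("error") || query.get("error");
  if (error) {
    const reason = frag.get("error_reason") || query.get("error_reason");
    return { ok: false, error, reason };
  }

  const token = frag.get("access_token");
  if (!token) return { ok: false, error: "missing_access_token" };

  // Return the URL without the fragment so the caller can replace the
  // current history entry and keep the token only in memory.
  url.hash = "";
  return { ok: true, accessToken: token, cleanUrl: url.toString() };
}

// Browser usage (constructed):
//   const r = handleImplicitRedirect(window.location.href);
//   if (r.ok) history.replaceState(null, "", r.cleanUrl);
```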