
According to Instagram Developers documentation, the access token returned to the redirect callback URL comes as a fragment in the form:

http://your-redirect-uri#access_token=ACCESS-TOKEN

The vast majority of web servers WILL NOT receive anything that follows the # in the URI, therefore the access token will be stripped and lost before it gets to the server that is ready to redirect.

I think this is a major limitation from the Instagram Authentication stack that has been present since the first version and I see no other solution than to solve it in the browser directly with JS or JS libraries.

Is there a way to get the access token as any other social network API supporting OAuth2 does, like so:

http://your-redirect-uri&access_token=ACCESS-TOKEN

This way, I would have a normal url param, which is handleable by probably any modern web server.

source: http://instagram.com/developer/authentication/

rvegas

1 Answer


To answer your question, there is no way to do this. And, if you're interested in why this is not possible, it's for several security reasons; for example, hashes will not be passed to the server side, thus they can't be parsed and saved for later use. However, there is always JavaScript that can pass the hash to the server side.

So, JavaScript can parse the hash. The access token can be used for JS-only applications (ones that don't have a server side), like apps that directly use the access token to communicate with the API. Another reason is that if you request a code from the OAuth dialog, you will be required to send the code along with your API secret to Instagram to exchange it for the access token; this is not possible with JS, to prevent the API secret from being compromised.

A workaround is to use JavaScript to parse the hash, then pass it to your server-side through AJAX.

Adam Azad
  • So the only way is to not use a server at all? – rvegas Nov 27 '15 at 11:07
  • And why would you say it's security reasons when every other social network API does the right thing? – rvegas Nov 27 '15 at 11:08
  • I am trying to limit your options here, but you have two options: either request the `code` and then request the access token from the API, or request the access token directly and then pass it back to your server with JS :). The security section is to prevent the server from accessing the access token directly (although there's the JS hack I linked) – Adam Azad Nov 27 '15 at 11:30
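The browser-side workaround from the answer (parse the fragment with JavaScript, then POST the token to the server over AJAX), written out as an added example that is not code from the question, the answer, or Instagram. It assumes a `state` value was saved in sessionStorage before the redirect and a hypothetical server endpoint `/auth/instagram/token`; neither is on this page.

```javascript
// Added example, not code from the question or answer. Assumes a `state` value was
// saved in sessionStorage before the redirect (a CSRF check this thread does not
// discuss) and a hypothetical server endpoint /auth/instagram/token.

// Parse "#access_token=...&state=..." into a plain object; keys/values are URL-decoded.
function parseFragment(hash) {
  const params = {};
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  for (const pair of raw.split('&')) {
    if (pair.length === 0) continue;
    const idx = pair.indexOf('=');
    const key = decodeURIComponent(idx === -1 ? pair : pair.slice(0, idx));
    params[key] = idx === -1 ? '' : decodeURIComponent(pair.slice(idx + 1));
  }
  return params;
}

// Return the token only if the fragment has one and `state` matches what we stored;
// otherwise null. The server must still validate the token with the Instagram API
// before tying it to a session, since anything the browser POSTs can be forged.
function extractAccessToken(hash, expectedState) {
  const params = parseFragment(hash);
  if (!params.access_token) return null;
  if (expectedState && params.state !== expectedState) return null;
  return params.access_token;
}

// Hand the token to the server side over AJAX, as the answer suggests.
function sendTokenToServer(token, endpoint = '/auth/instagram/token') {
  return fetch(endpoint, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    credentials: 'same-origin',
    body: JSON.stringify({ access_token: token }),
  });
}

// Browser entry point; skipped under Node so the functions can be tested alone.
if (typeof window !== 'undefined') {
  const token = extractAccessToken(window.location.hash, sessionStorage.getItem('ig_oauth_state'));
  if (token) {
    sendTokenToServer(token).then(() => {
      // Drop the token from the address bar and history once it has been handed over.
      history.replaceState(null, '', window.location.pathname);
    });
  }
}
```

The server side should treat the posted token as untrusted input and confirm it against the Instagram API before associating it with a user session.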