Instagram API:作用域可用于OAuth2隐式身份验证流吗? [英] Instagram API: do scopes work with OAuth2 implicit authentication flow?
问题描述
我正在通过移动应用程序针对Instagram API发出请求.目前,我只是将用户定向到Instagram身份url,并将响应类型指定为"access_token".指定此response_type称为隐式身份验证.
I'm making requests against the Instagram API from a mobile app. Currently, I'm just directing the user to the Instagram auth url and specifying the response type to be "access_token". Specifying this response_type is known as implicit auth.
显式身份验证:response_type =代码 隐式验证:response_type = access_token
Explicit auth: response_type=code Implicit auth: response_type=access_token
我正试图解决需要站立一个Web服务来促进显式身份验证的问题.这是必要的,因为在显式身份验证流程中,Instagram API需要调用重定向URL并传递"code"参数.然后,我的服务器端代码将使用该代码向Instagram发出最终请求以获取访问令牌.
I'm trying to get around needing to stand up a web service to facilitate explicit auth. This would be necessary because in explicit auth flow, the Instagram API needs to make a call to a redirect URL and pass in a "code" parameter. The code would then be used by my server-side code to make a final request to Instagram for an access token.
移动应用程序使用隐式流的效率要高得多,因为不需要额外的私人维护的身份验证服务来处理它.
It's much more efficient for a mobile app to use implicit flow because no extra privately-maintained auth service needs to be stood up to handle it.
Instagram支持以下范围:
Instagram supports the following scopes:
- 基本-读取与用户相关的所有数据(例如 跟随/跟随的列表,照片等)(默认情况下被授予)
- 评论-代表用户创建或删除评论
- 关系-代表用户关注和取消关注用户
- 喜欢-代表用户喜欢和喜欢的商品
- basic - to read any and all data related to a user (e.g. following/followed-by lists, photos, etc.) (granted by default)
- comments - to create or delete comments on a user’s behalf
- relationships - to follow and unfollow users on a user’s behalf
- likes - to like and unlike items on a user’s behalf
当我进行除基本"以外的任何其他类型的范围说明时,当用户在身份验证URL上提供凭据时,会收到以下响应:
When I make any other type of scope specification besides "basic", I get the following response when the user provides the credentials at the auth URL:
{"code": 400, "error_type": "OAuthException", "error_message": "Invalid scope field(s): basic+likes"}
除基本"范围外,任何范围的组合都将给出相同的响应.
Any combination of scopes other than "basic" gives the same response.
所以,我的问题是这些:
So, my question are these:
- 是否需要显式身份验证才能指定超出基本"范围的范围?
- 我是否需要指定response_type = code才能使扩展范围起作用?
- 这是Instagram的限制,还是OAuth 2.0的限制?
- Is explicit auth required in order to specify scopes beyond "basic"??
- Do I need to specify response_type=code in order for extended scopes to work?
- Is this an Instagram limitation, or is it a limitation of OAuth 2.0?
谢谢.
推荐答案
此处的答案是是,隐式身份验证流可以很好地请求范围.我的问题与我使用的OAuth组件有关.该组件正在对URL范围参数的值进行无提示URL编码,该值被Instagram auth终结点拒绝.我更新了组件( Xamarin.Auth ),以适应非编码范围参数并发出拉取请求.
The answer here is that YES, scopes can be requested by implicit auth flow just fine. My problem was related to an OAuth component that I was using. The component was silently URL-encoding the value of the scope param, which was rejected by the Instagram auth endpoint. I updated the component (Xamarin.Auth) to accomodate a non-encoded scope param and issued a pull request.
感谢@krisak提供了我可以测试的有效网址.
Thanks to @krisak for providing a working URL that I could test.
这篇关于Instagram API:作用域可用于OAuth2隐式身份验证流吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
