Instagram API: do scopes work with OAuth2 implicit authentication flow?

Question

I'm making requests against the Instagram API from a mobile app. Currently, I'm just directing the user to the Instagram auth url and specifying the response type to be "access_token". Specifying this response_type is known as implicit auth.

Explicit auth: response_type=code
Implicit auth: response_type=access_token

I'm trying to get around needing to stand up a web service to facilitate explicit auth. This would be necessary because in explicit auth flow, the Instagram API needs to make a call to a redirect URL and pass in a "code" parameter. The code would then be used by my server-side code to make a final request to Instagram for an access token.

It's much more efficient for a mobile app to use implicit flow because no extra privately-maintained auth service needs to be stood up to handle it.

Instagram supports the following scopes:

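  • basic - to read any and all data related to a user (e.g. following/followed-by lists, photos, etc.) (granted by default)
  • comments - to create or delete comments on a user's behalf
  • relationships - to follow and unfollow users on a user's behalf
  • likes - to like and unlike items on a user's behalf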

When I make any other type of scope specification besides "basic", I get the following response when the user provides the credentials at the auth URL:

{"code": 400, "error_type": "OAuthException", "error_message": "Invalid scope field(s): basic+likes"}

Any combination of scopes other than "basic" gives the same response.

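So, my questions are:

  • Is explicit auth required in order to specify scopes beyond "basic"?
  • Do I need to specify response_type=code in order for extended scopes to work?
  • Is this an Instagram limitation, or is it a limitation of OAuth 2.0?

Thanks in advance.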

Recommended answer

The answer here is that YES, scopes can be requested by implicit auth flow just fine. My problem was related to an OAuth component that I was using. The component was silently URL-encoding the value of the scope param, which was rejected by the Instagram auth endpoint. I updated the component (Xamarin.Auth) to accommodate a non-encoded scope param and issued a pull request.

Thanks to @krisak for providing a working URL that I could test.
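
The encoding problem described in the answer, as an added Python example that is not part of the original post and is not Xamarin.Auth code. The endpoint, client ID and redirect URI are hypothetical placeholders, and it assumes the server form-decodes the query string; under that assumption a scope string already joined with "+" reaches the server as the single scope "basic+likes", the value shown in the error above.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical placeholders, not values from the original post.
BASE = "https://auth.example/oauth/authorize"
PARAMS = {"client_id": "CLIENT_ID_PLACEHOLDER",
          "redirect_uri": "https://app.example/callback"}


def build_authorize_url(base, params, scopes):
    """Take scopes as a list, join with a space, and encode the query once."""
    for s in scopes:
        # Reject values that were already joined or encoded by the caller.
        if not s or any(c in s for c in " +%"):
            raise ValueError(f"scope looks pre-joined or pre-encoded: {s!r}")
    query = dict(params, scope=" ".join(scopes))
    return base + "?" + urlencode(query)  # space becomes '+', exactly once


def build_authorize_url_buggy(base, params, joined_scope):
    """Failure mode: caller passes 'basic+likes' and it is encoded again."""
    query = dict(params, scope=joined_scope)
    return base + "?" + urlencode(query)  # '+' becomes '%2B'


def scopes_seen_by_server(url):
    """Form-decode the query and split the scope list on spaces."""
    scope = parse_qs(urlsplit(url).query)["scope"][0]
    return scope.split(" ")


if __name__ == "__main__":
    good = build_authorize_url(BASE, PARAMS, ["basic", "likes"])
    bad = build_authorize_url_buggy(BASE, PARAMS, "basic+likes")
    for label, url in (("good", good), ("bad", bad)):
        print(label, url, scopes_seen_by_server(url))
```

Comparing the decoded scope list against the list the app intended to request, before redirecting the user, catches this class of bug in any OAuth client library.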
