Instagram Client Side Authentication using Python

Question

I am currently working on a bottle project and will be using Instagram api. I was hoping to use the client side authentication however I am having problems with the access token as it does not returns as a parameter.

I am making the request here:

https://api.instagram.com/oauth/authorize/?client_id=client_id&redirect_uri=redirect_uri&response_type=token&scope=basic+follower_list

The app is redirected to token page correctly and I can even see the token in the url. But when I try to parse it, it comes out empty.

@route('/oauth_callback')
def success_message():

token = request.GET.get("access_token")

print token.values()
return "success"

The token.values() returns an empty list.

ps: Keep in mind that when I try to do the same operation with server side authentication, I can successfully get the code and exchange it for a token.

Answer 1

Once you make a query to Instagram api you must be receiving below response?

http://your-redirect-uri#access_token=ACCESS-TOKEN

the part after # is termed as fragment and not query_string parameter and there is no way you can retrieve that information on Server side in Bottle.

To actually get fragments, bottle.request.urlparts is used

urlparts

The url string as an urlparse.SplitResult tuple. The tuple contains (scheme, host, path, query_string and fragment), but the fragment is always empty because it is not visible to the server.

Use the SDK and preferably Server Side operations -> https://github.com/facebookarchive/python-instagram

If you will to go with this approach, then managing a JavaScript which parses the access-token and then posts to your bottle api for your consumption which I don't recommend...

From https://instagram.com/developer/authentication/

Client-Side (Implicit) Authentication

If you are building an app that does not have a server component (a purely javascript app, for instance), you will notice that it is impossible to complete step three above to receive your access_token without also having to store the secret on the client. You should never pass or store your client_id secret onto a client. For these situations there is the Implicit Authentication Flow.