So I noticed that apps like Tinder can show Instagram connect of lets say, User A on everyone else's phones even without requiring other users to actually sign into instagram.
For example: User-A connects instagram and gets access token. Users-B, C, D... can see A's public & private pictures without even logging into instagram.
Is there a way to view another user's instagram without requiring access token - even private pictures by just using CLIENT_ID?
5 Answers
Answers 1
The previous answer is way too confusing... so let's handle it in a easy way, according to your question.
Let's start from understanding, what is access_token, in their API, in API requests alike:
api.instagram.com/v1/users/self/media/recent/?access_token=%@
Working through API, receiving this access_token still requires granting of access, and Authentication (see the manual on Receiving an access_token). As you can read there, all the possible options still require authenticated access.
Even though our access tokens do not specify an expiration time, your app should handle the case that either the user revokes access, or Instagram expires the token after some period of time. If the token is no longer valid, API responses will contain an “error_type=OAuthAccessTokenError”. In this case you will need to re-authenticate the user to obtain a new valid token. In other words: do not assume your access_token is valid forever.
This is standard authentication process in programming, with the access tokens, session identifiers, etc.
The world has been living with OAuth 2.0 Authorization Protocol for a long time, you are not the last guy who's concerned about it. If you are sleeping fine knowing about theoretical Session hijacking, then you shouldn't worry that much about potential security issues related to usage of APIs by access tokens.
It's secure enough. Aha, and another "small thing", I forgotten to mention: all requests to the Instagram API must be made over SSL (https:// not http://), which adds even more confidence.
To answer explicitly your question:
"is there a way to view another user's instagram without access token - even private pictures by just using CLIENT_ID?"
No, there's no possibility. Security token is the thing, which requires granting of access, and authentication. If it would allow this kind of access - this would be counted as security vulnerability. This is the basics of OAuth mechanism. If you need more understanding, you may read here, in a simple language, how OAuth is an authentication protocol works.
Answers 2
Let's not make confusion. Tinder user can opt-in for sharing Instagram photos. Tinder has no worldwide access to Instagram photos. I will answer you from the security perspective, as I have never tried setting up a Tinder account with Instagram connection to test the scenario for you.
Access token is embedded in Tinder app code, you may find it or not if you decompile the code, according on the level of obfuscation, and almost certainly if you use software such as mitmproxy. I won't discuss such a practice here.
So Tinder client is granted a token to access user's pictures.
Two cases:
- User opts in on Tinder/Instagram to access his private photos. The token is valid for those private photos. If you steal Tinder's token you can access any Tinder-Instagram user's private photos. That is not bad. User has chosen to share private photos to the world. But if an Instagram user is not a Tinder user be sure that you won't get anything
- Tinder will only fetch public photos. It will be just like anonymously browsing one's Instagram profile
Please mind that the token is valid for Tinder application, and is not user A's token. This is forbidden by security practices.
By associating your Tinder account with Instagram you grant Tinder's already-issued token to access your photos on behalf of you.
Summarizing:
- Tinder client - Actor
- Instagram - Resource server
- User A's photos - Resource
- User B (on Tinder, not on Instagram) - not an actor in the workflow
- Token issued to Tinder: access to any (public or private??????) photos of users who have opted in to share Instagram photos on Tinder
Note: Tinder client may or may not use an Instagram-issued token. From a general security point-of-view, there are two implementation scenarios:
- Tinder client contacts Instagram server with a token that is issued to Tinder application and encoded in all clients
- PRO: bandwidth is charged to user only
- CON: exposing the token may grant one to access any Tinder-Instagram user photos without passing by Tinder
- Tinder app requests Tinder server to fetch photos from Instagram. Tinder client only authenticates with Tinder server
- PRO: more secure design. Tinder-to-Instagram token never exposed. If a user leaves Tinder he can't access Instagram photos of other Tinder users
- CON: Tinder server will be charged for the bandwidth needed to retrieve and distribute photos. This exposes Tinder to a potential violation of Instagram API ToS if they start caching the photos
Answers 3
Personally, I would avoid OAuth at all costs, it is too much work if you're just retrieving public data. Instead, I would write a curl script to grab the public Instagram data from the user's profile URL, and parse the HTML server-side, before ever considering OAuth.
Here's a quick mock-up example in PHP, using file_get_contents and DOMDocument:
$doc = new DOMDocument(); $doc->preserveWhiteSpace = false; //HTTP GET someone's profile $doc->loadHTML(file_get_contents('https://www.instagram.com/profile_xxxxxx/')); $selector = new DOMXPath($doc); //Instagram stores image URL's in meta tag "og:image" foreach($selector->query('//attribute::*[contains(., \'og:image\')]') as $e) { //Store profile photo from DOMNode $e $photourl = $e->getAttribute('content'); //Grab profile photo file_get_contents($photourl); } Answers 4
If you have an app which people grant access to Instagram, such as Tinder, then there are two simple methods you can use.
You can store the access_token and, so long as they are valid, pull their pictures at any time. In this case to display to other users on your app.
Otherwise you can copy images onto your own app. This is most useful for pulling display images, as you do not want to call the API every time you display their profile image, for example. If you downloaded ALL images, you would still need a valid user access_token to fetch new images.
If your app stores the access_tokens for all users whom granted you access then you can fetch all images at any time.
Answers 5
Let's consider that Instagram User Profiles pages like ISS page are available online without any authentication access:
https://www.instagram.com/iss/
Due to how Instagram works, only public images will be showed here (plus posts, followers, following).
So what you have to do is to get the page data. To do this you can use several solutions like PhantomJS that is as little as writing
var page = require('webpage').create(); page.open('https://www.instagram.com/iss/', function() { var contents=page.contents; // here is the page contents phantom.exit(); }); So, assumed you can execute this process on server-side you could provide those public profile images as a JSON object in a api response. Of course it's a little bit more complicated than this (i.e. you have to wait page resources to be loaded within PhantomJS, but at the end the web scraper can temporary save the page and turn it into a json structure, with <img/> source images, etc. ready to be showed in a app.
0 comments:
Post a Comment