Update to new Instagram APIs #441

Closed
martincostello opened this issue Jul 1, 2020 · 10 comments · Fixed by #461
@martincostello
Member

As raised in #435, Instagram has deprecated the API we have currently integrated against (copy of the announcement below).

By the end of September 2020, we will need to update the Instagram provider to use the new Basic Display API and/or Graph API so that the provider continues to work.

In the short term, users can work around the change to the basic permission scope by changing their code to register the provider as below:

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(options => { /* Authentication options */ })
            .AddInstagram(options =>
            {
                options.ClientId = "your client Id";
                options.ClientSecret = "your client secret";

                // Remove the built-in 'basic' scope
                options.Scope.Clear();
            });
}

This will remove the scope the provider registers by default:

Announcement

UPDATE
The remaining Instagram Legacy API permission ("Basic Permission") was disabled on June 29, 2020. As of June 29, third-party apps no longer have access to the Legacy API. To avoid disruption of service to your app and business, developers previously using the Legacy API should instead rely on Instagram Basic Display API and Instagram Graph API. Please request approval for required permissions through the App Review process.

Legacy API user identifier available on Basic Display API until September 30, 2020
To assist with migration, we have temporarily made the unique user identifier from the Legacy API - ig_id - available on Basic Display API. However, the ig_id field will be deprecated on Basic Display API on September 30, 2020, so please ensure you are using other fields (e.g. the Facebook "id" field) or your own unique identifier for your users. See our developer documentation here to learn more.

User Token Generator
If you're only using the Legacy API to generate tokens in order to display your Instagram Feed on a personal website, you can use the Instagram Basic Display API's User Token Generator to continue generating tokens. The User Token Generator does not require App Review, but it will only work for your owned Instagram accounts (i.e. accounts for which you know the login credentials). Refer to the developer documentation here to learn more. If you're using the Legacy API to display multiple accounts on your website, then you must apply for permissions to Instagram Basic Display API via App Review. If you're using the Legacy API for any other use case, you must apply for permissions on the Instagram Graph API platform via App Review.

More Tips
For more guidance on getting through our App Review process, please see this blog post. For more tips and tools, check out our App Review Rejection Results Guide, Common App Review Rejection Reasons and Developer Tools page. We also encourage you to leverage the Facebook Developer Community Forum - it's a tremendously helpful resource for communicating and connecting with developers across the world.

@mateolevy

Martin, just FYI Instagram states that their API should not be used from now on as an authentication method, as noted in: https://developers.facebook.com/docs/instagram-basic-display-api

Limitations
Authentication
Basic Instagram visualization is not an authentication solution. The data returned by the API cannot be used to authenticate users of the application or to log in to the application. If you need an authentication solution, we recommend that you use the login with Facebook.

Even though they claim that, you COULD still update the NuGet to use the new API to authenticate. The problem is they now have a strict validation process to let you use their API in production, which involves sending them videos explaining how you are using their API. Maybe it is time to consider deprecating the Instagram OAuth NuGet.

Let me know your thoughts!
Mateo

@martincostello
Member Author

Ah, interesting. I hadn't thoroughly read the documentation yet.

If that is indeed the case that it shouldn't be used for OAuth authentication, then we probably would deprecate it. I'll make a more informed assessment when I take a look at the documentation properly.

Thanks Mateo 👍

@lukefulliton
Contributor

My research and review of the new Instagram Basic Display APIs also confirms what @mateolevy mentioned above. It looks like the OAuth authentication for Instagram has been deprecated. Here is a helpful blog post from Facebook about this Instagram change. https://developers.facebook.com/blog/post/2020/03/10/final-reminder-Instagram-legacy-api-platform-disabled-mar-31/

Here is a quote from the blog
"Mistake #1: Your app uses Basic Display API for authenticating users".
"Tip: Make sure your app provides a login option that does not use Basic Display API, such as your own in-house login flow or Facebook Login."

Thanks ALL for the help and insight into this issue.

@martincostello
Member Author

Just taken the time to look myself, and yep, indeed looks like OAuth with Instagram is no longer a thing.

@kevinchalet - shall I delete the Instagram provider from the code base and add something to the README to that effect that it's now deprecated and obsolete? We could also mark the NuGet package as deprecated.

@martincostello martincostello removed this from the 3.2.0 milestone Jul 3, 2020
@martincostello martincostello unpinned this issue Jul 3, 2020
@kevinchalet
Member

kevinchalet commented Jul 3, 2020

@martincostello I'm not familiar enough with Instagram (for which I don't even have an account 😅), but if I read the link @lukefulliton shared correctly, it seems they still support OAuth 2.0 for pure authorization (which is its original role). While our handlers are generally used for authentication (well, pseudo-authentication, as OAuth 2.0 is not an authentication protocol, unlike OpenID Connect), people can also use them to perform actions on behalf of the users thanks to their SaveTokens option, which is exactly what OAuth 2.0 is made for.

Maybe we shouldn't deprecate the package but just tell folks that Instagram doesn't want them to use it as a login mechanism?
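
Added example, not part of the thread or the project's own code: one way to use the Instagram handler for delegated authorization only, with SaveTokens, while the application's login comes from somewhere else. It assumes .NET 6+ minimal hosting with implicit usings; the "InstagramLink" scheme name, the routes and the token storage step are hypothetical.

```csharp
using AspNet.Security.OAuth.Instagram;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthorization();
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie()                 // the app's own login session (login UI not shown)
    .AddCookie("InstagramLink")  // temporary holder for the OAuth result only
    .AddInstagram(options =>
    {
        options.ClientId = "your client Id";
        options.ClientSecret = "your client secret";

        // The Instagram ticket goes to the temporary scheme, so completing
        // the OAuth flow never creates or replaces the login cookie.
        options.SignInScheme = "InstagramLink";

        // Keep the access token in the ticket so it can be read afterwards.
        options.SaveTokens = true;
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Only a user who is already signed in can start linking an Instagram account.
app.MapGet("/link/instagram", () => Results.Challenge(
        new AuthenticationProperties { RedirectUri = "/link/instagram/done" },
        new[] { InstagramAuthenticationDefaults.AuthenticationScheme }))
   .RequireAuthorization();

app.MapGet("/link/instagram/done", async (HttpContext context) =>
{
    var result = await context.AuthenticateAsync("InstagramLink");
    string? token = result.Succeeded
        ? result.Properties?.GetTokenValue("access_token")
        : null;

    // Drop the temporary cookie whether or not a token was obtained.
    await context.SignOutAsync("InstagramLink");
    if (token is null) return Results.BadRequest();

    // Placeholder: store the token, encrypted, against context.User's local
    // account. The Instagram identity is not used to decide who is logged in.
    return Results.Redirect("/");
}).RequireAuthorization();

app.Run();
```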

@AraHaan

AraHaan commented Jul 9, 2020

hmm or deprecate it and warn on package consumption (on package restore / update) that they do not want it to be used as a login mechanism?

That way it ensures that they have actually read the notice clear as day.

martincostello added a commit to martincostello/AspNet.Security.OAuth.Providers that referenced this issue Jul 11, 2020
martincostello added a commit that referenced this issue Jul 11, 2020
* Add provider documentation index

Add an initial documentation index for the providers for #459.

* Link to ClientId and ClientSecret

Link to the Microsoft documentation for ClientId and ClientSecret.
Add missing github.md file.

* Link to docs from README

Link to the new docs from the README.

* Add Amazon docs

Add the Amazon provider documentation.

* Add provider-specific documentation

Add some provider-specific documentation for BattleNet through GitHub.

* Add Instagram provider documentation

Relates to #441.

* Tidy up XML documentation

Tidy up some of the XML documentation for the Discord and Instagram options.

* More provider documentation

Add docs for LinkedIn through to QQ.

* Add remaining provider documentation

Add documentation for the Reddit through Weibo providers.

* Tidy up XML documentation

Update some property documentation for consistency and clarity.

* Simplify constant usage

Add a static for SuperOfficeAuthenticationConstants to make the code lines shorter.

* Document Apple provider properties

Add documentation for the Apple provider's configuration options.

* Link to enumerations

Add links to the definition of the different enumerations.

* Fix class name

Fix incorrect class name being used.

* Update index

Add the required/optional values for all providers.

* Minor docs tidy-up

Format string constants as strings.
Add link to enum.

* Fix typo

Use the right kind of apostrophe.

* Link to OAuthOptions

Add a link to the OAuthOptions class.
martincostello added a commit to martincostello/AspNet.Security.OAuth.Providers that referenced this issue Jul 11, 2020
Update the Instagram provider to use the Basic Display API.
See aspnet-contrib#441.
@martincostello
Member Author

See #461 for updates to the provider.

I have also added some documentation for the Instagram provider here.

@martincostello martincostello linked a pull request Jul 11, 2020 that will close this issue
martincostello added a commit that referenced this issue Jul 15, 2020
Update the Instagram provider to use the Basic Display API.
See #441.
@Mike-E-angelo
Contributor

Hi all... looking into this. And I am so very confused. 😅 I did see that it's deprecated, but the Instagram Display API Application that is created has the look and feel of an OAuth2 application, complete with callback URIs and the lot.

Additionally, the endpoints still all work. Although, I am getting a 400 error with invalid scopes message when I use it (that's what led me here):

{"error_type": "OAuthException", "code": 400, "error_message": "Invalid scope: []"}

If the API is not meant for authentication, why does it still have these endpoints and all the configuration fixings for it? Thank you for any clarification/insight you can provide. Facebook-based support is abysmally absent and it is nearly impossible to find answers anywhere. Sort of shocking when you consider the scale/size of the organization.

@martincostello
Member Author

The short answer is that I don't know.

I haven't used the provider beyond testing the changes for the previous deprecation worked. Maybe Instagram have changed something that means that a scope of some kind is required?

You'd have to consult the documentation they provide to see what's changed.

With so many providers, we can't keep up to date with them all as the services evolve over time, particularly the ones we don't use in our own projects. For example, I only personally use the Amazon, Apple, GitHub and Okta providers.

@Mike-E-angelo
Contributor

With so many providers, we can't keep up to date with them all as the services evolve over time

I totally get that @martincostello, thank you for your reply here. I am feeling a little overwhelmed with the number of providers I have implemented, myself. 😅 I did a bunch of searching for the 400 error before posting on here, but it was an interesting find here that the package was almost deprecated. All the pieces seem to be there, but this weird scope error. I will continue searching. Thank you again for the assistance.
