Ask HN: Does anyone else have problems with Instagram API OAuth2? - svens_
======
xmrcivicboix
To temporarily fix the issue, you could do the following:

Change response_type=code to response_type=token. Instagram will redirect back
to your site with something like /callback#access_token=123456. From here,
send the user to a very simple page with the following snippet:

<script>
    // Implicit flow: the token arrives in the URL fragment; forward it to the server.
    if (window.location.hash && window.location.hash.indexOf('#access_token=') !== -1) {
        var accessToken = window.location.hash.replace('#access_token=', '');
        window.location = '/callback?access_token=' + accessToken;
    }
</script>

After that, you just use the Instagram API to retrieve user by access token
then perform log in. This is not a recommended flow by Instagram but is a flow
that works for now if your customers are constantly hammering you with support
tickets as they did with us.
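
A hardened variant of the snippet above, as an added example that is not part of the original comment: it parses the fragment instead of string-replacing it and hands the token to the server in a POST body rather than in a `/callback?access_token=...` URL, which typically ends up in access logs, browser history and Referer headers. The POST to `/callback`, the JSON body shape and the redirect to `/` are assumptions; the browser still holds the token, as with any implicit flow.

```javascript
// Added example, not code from the thread. The /callback POST, the JSON body
// shape and the final redirect target are assumptions.

// Parse the OAuth implicit-flow fragment. Unlike a plain string replace, this
// tolerates extra parameters and rejects empty or duplicated tokens.
function extractImplicitToken(hash) {
  if (typeof hash !== 'string' || !hash.startsWith('#')) return null;
  const params = new URLSearchParams(hash.slice(1));
  const tokens = params.getAll('access_token');
  if (tokens.length !== 1 || tokens[0] === '') return null;
  return tokens[0];
}

// Describe the hand-off as a same-origin POST so the token travels in the
// request body, not in a URL.
function buildHandoffRequest(token) {
  return {
    url: '/callback',
    options: {
      method: 'POST',
      credentials: 'same-origin',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ access_token: token }),
    },
  };
}

// Browser glue: runs only where window exists.
if (typeof window !== 'undefined') {
  const token = extractImplicitToken(window.location.hash);
  if (token) {
    // Drop the fragment from the address bar and history entry first.
    window.history.replaceState(null, '', window.location.pathname);
    const req = buildHandoffRequest(token);
    fetch(req.url, req.options).then((res) => {
      if (res.ok) window.location.assign('/');
    });
  }
}
```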

~~~
AlexWhite_
This solution is insecure. Anyone can intercept the token and do harm to
your application.

~~~
svens_
It doesn't seem too bad when enforcing https (using the return address
whitelisting in the developer console). Am I missing something?

~~~
AlexWhite_
The customer will see the token anyway

~~~
svens_
Ah yes, of course. I did miss that. The implicit (client-side) auth flow gets
the access token directly and doesn't need another request to the API, that's
the whole point.

This is indeed rather unwanted, even more so with the new more restrictive API
usage policy and the sandbox.

------
stefl
I've managed to work around this by changing the API host name from
'api.instagram.com' to 'www.instagram.com' for the OAuth authentication flow.

Here's my fork for the omniauth-instagram Ruby gem, which is now allowing me
to consistently log in:
[https://github.com/stefl/omniauth-instagram/blob/master/lib/...](https://github.com/stefl/omniauth-instagram/blob/master/lib/omniauth/strategies/instagram.rb)

~~~
oblachniy
For me it doesn't work. I changed from 'api.instagram.com' to
'www.instagram.com' for the OAuth - have one "302 redirect" back to my site
with "error 400". Strange...

~~~
imack
Ditto here, it comes and it goes, but I can see this switch doesn't help our
overall fail rate.

~~~
stefl
Okay, thought I'd mention it because it's had such a significant effect for
me. So that possibly means that in my case the Auth0 <-> Instagram connection
is something to investigate further.

~~~
edoron
Same here, made the change a couple of days ago and saw no change in failures.

------
grantmojo
We started having the same issue since last Friday (Dec. 15, 2016) after working
fine for months. The same user can log in via OAuth on one wifi, but not on
another, or even on a mobile cellular network. And even when it worked on that
wifi at one point, it does not work at other times. We have not found a
workaround to fix this, reported to Instagram 24 hours ago, waiting... I tried
to log in to my account on instagram.com first, then go back to our site, and
the browser would log in automatically. So far, we don't have a solution yet.

~~~
grantmojo
Update: as of now, all of our accounts are magically working. I did ask my
Facebook friends to pass the issue's urgency to the Instagram team.

~~~
svens_
Just checked again, we're still seeing issues. I can reproduce, simply by
using my personal account in a private window, it randomly fails in at least
one of our environments (e.g. prod, staging, localhost).

~~~
grantmojo
It was working for us for most of the day, but now it's acting up and not
working again...

------
silencekit
I reported this to a contact at Instagram and they said they are aware of the
issue. They don’t have an ETA for the fix yet, but they are looking into it.
It's just odd that it seems so random with all of our customers.

~~~
tavosansal
Have you heard anything back from your contact at all?

------
krisrak
I'm the creator of [https://picodash.com](https://picodash.com). I noticed the
same issue about a week ago but did not get any complaints from my customers,
so I debugged it for 8 hours until I found this (I know it will be hard to
believe):

I kept getting "Matching code was not found or was already used." when going
through my OAuth Python code, which btw has been working for 6 years now. But
when I used curl to do the POST, it worked; when I tried curl again with the
same OAuth code, it failed. So I think this is something that was recently
changed by Instagram: the OAuth code only works one time. I kind of remember
this code could be used more than once before to make the POST call, but there
was a time limit instead, after which using the same code was failing.

So with me, this was always failing, but there were no complaints from my
customers, and I could see in the logs that new people were signing up.

I started testing on localhost and added debug logs. I did notice that there
were 2 POST calls being made, so it was failing. I could see that 2 POST calls
were made and the first one did work and got the access_token, but there was a
second call made and this was error 400 and the OAuth flow was failing. It
almost looked like a retry of the POST call, because my code should only make
one.

I started trying different browsers; it failed on all of Firefox, IE, Safari
and Chrome. Then I decided to try on my iPhone and it worked 100%, so I looked
for the difference: it was on LTE, so I guessed it may be my wifi. I switched
to wifi on the iPhone and it started failing 100%. So now on my dev system, I
connected the modem directly to the system without the router and tried, and it
passed 100%, so it was my wireless router (I know, weird). I tried another 3rd
party Instagram web app, which had the same issue but worked without the
wireless router. So on Monday I got another wireless router and had no issues;
it started working. So this could be an isolated incident for me. I came to the
conclusion that I was using some old router that was dropping the POST request
and making a second attempt and failing.

So I guess if this is affecting all your customers, check your code by adding
logs to confirm that you are making one POST request. Try making a curl request
after you receive the code and make sure it is working on the first attempt.

Today after reading this, I checked my OAuth login again. I did notice it fail
a few times, but when I try again, it passes, so something changed again I
think.
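
One way to implement the check suggested above (exactly one token POST per authorization code), as an added example that is not code from the thread: a guard that collapses repeated callback hits for the same session and code into a single exchange and logs every POST. `FakeTokenEndpoint`, `CodeExchanger` and the session identifiers are hypothetical names; the fake endpoint is a constructed stand-in that rejects a reused code with the error message quoted in the thread.

```javascript
// Added example, not code from the thread. FakeTokenEndpoint is a constructed
// stand-in for a provider that enforces single-use authorization codes.
class FakeTokenEndpoint {
  constructor(issuedCodes) {
    this.unused = new Set(issuedCodes);
    this.posts = 0; // how many token POSTs actually reached the provider
  }
  async exchange(code) {
    this.posts += 1;
    if (!this.unused.delete(code)) {
      return { status: 400, error: 'Matching code was not found or was already used.' };
    }
    return { status: 200, access_token: 'constructed-token-' + this.posts };
  }
}

// Guarantees one POST per (session, code). A repeated callback hit in the same
// session reuses the first result; the same code arriving from another session
// is not served from the cache and is rejected by the provider as a replay.
class CodeExchanger {
  constructor(endpoint) {
    this.endpoint = endpoint;
    this.seen = new Map(); // production code should expire entries after minutes
    this.log = [];         // never log the code or the token itself
  }
  exchangeOnce(sessionId, code) {
    const key = JSON.stringify([sessionId, code]);
    if (this.seen.has(key)) {
      this.log.push({ event: 'duplicate_callback' });
      return this.seen.get(key);
    }
    const pending = this.endpoint.exchange(code).then((res) => {
      this.log.push({ event: 'token_post', status: res.status });
      if (res.status !== 200) throw new Error(res.error);
      return res.access_token;
    });
    this.seen.set(key, pending);
    return pending;
  }
}
```

Counting `token_post` entries per login attempt shows whether the application itself, rather than the provider, is spending the code twice.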

~~~
svens_
Sorry, but this is definitely not a hardware, connection or session issue.
Just check the rest of the thread. We're seeing issues over various links
(broadband, mobile, datacenter) on different server locations (AWS vs. on dev
machine) with or without private mode / logging out and then in.

I honestly wish it was something like this, at least then we could fix it.

The double POST requests you see are most probably because api.instagram.com
returns a 302 response ("Found", i.e. redirect). This is a relatively recent
change, but still weeks before those issues started.

By the way, your server refuses connection when you go to
[https://picodash.com](https://picodash.com) directly (without www.). You
might want to fix this.

------
sodbileg
Some of our customers have complained how they were having issues with logging
in with their account a few days ago. We've tested it on our end and it was
working without any issue. However, we encountered the issue yesterday and
still having it. However, a very few customers are not having any issue.
Really weird and annoying. Reported to Instagram, still no feedback.

------
AlexWhite_
What we know at this moment:

1. It does not depend on the IP of the API server behind the Instagram load balancer
2. It appears on both IPv4 and IPv6
3. The problem does not depend on the delay between requesting the code and exchanging this code for a token
4. Logout and login helps sometimes

------
bob6664569
Does somebody have any news regarding this issue? I've been facing it too for
some days... Quite randomly, seems to depend on device used and/or IP... And
maybe the alignment of stars.

------
chrisan
Same problem on our end. Some environments work for some users and not for
others. Have tried all the StackOverflow suggested answers with no luck.

Reported issues but haven't heard back

------
fdim
I've started having the same issue yesterday as well, noticed few times before
but it was happening 'sometimes', now it happens all the time. Only workaround
is to switch to implicit oauth as @xmrcivicboix suggested

~~~
grantmojo
Instagram has fixed the issue, at least it appears to be the case to us.

~~~
alpcan
Are you sure about that? We're still getting this error.

~~~
grantmojo
At the time of my last writing, I was sure, as all accounts were working fine.
But today, it started acting up again. Now I had to change to a different
wifi to log in with Instagram.

------
carrja99
I cannot get ahold of Instagram! This is impacting a lot of our users and
there seems to be no channel of communication!

------
Kn4ppster
Still not working here (explicit auth). Every attempt is failing with the
error 400: Matching code was not found or was already used.

------
tavosansal
May I ask if you guys have a link to where you reported this issue? I am
having the same problem.

~~~
AlexWhite_
[https://www.instagram.com/developer/clients/manage/](https://www.instagram.com/developer/clients/manage/)

"report issue" button

------
widgetic
It happens for us as well, it started this week. Lots of users complaining.

------
phiisland
In our case, it seems that most of our customers facing this issue are using
a business profile. Has anyone else checked this?

~~~
frangarcia
Not my case, I am having some problems with "normal" user accounts. Currently,
it seems that logging out and login again fixes the issue.

------
krisrak
I got reply from Instagram that they are aware of issue and working on it.

~~~
grantmojo
Nice. I find this issue is resolved. All of our accounts are magically
working.

------
turncoat
Having the same issue since a few days

------
svens_
Currently I'm seeing a lot of 400 errors: "Matching code was not found or was
already used."

~~~
AlexWhite_
We at smartmetrics.co experience the same issue. We noticed that the issue did
not affect everybody; many customers can still use OAuth. We contacted
Instagram and Facebook support but got no answer.

~~~
svens_
Pretty much our experience. We didn't figure out what caused it, the same
Instagram account sometimes works and sometimes doesn't without a change in
code on different instances.

Apparently it happens from time to time, there are some posts about this
problem on StackOverflow. No answers though.

We tried many things, including resetting our secret. It's working now, but
it's hard to tell whether our actions had any effect.

~~~
AlexWhite_
Looks like now it's working for all accounts. We haven't reset client secret.
Hope Instagram fixed this.

~~~
svens_
Unfortunately we're seeing issues again. So it really didn't help or the
effects have worn off by now.

It's a bit frustrating with no reaction from Instagram/Facebook and not even
an entry on the status page.

~~~
AlexWhite_
The same for us

------
sodbileg
Any response from Instagram?

------
sandes
Same problem

------
oblachniy
Same problem

------
edoron
Same problem here.

------
dmitryvolinec
Today all works nicely!

------
scrown
Same problem

~~~
grantmojo
Should be fixed, check now.

------
frangarcia
We are having the same issue. Really annoying that it works for some users and
for others it doesn't. Even the same user sometimes works and sometimes doesn't.

------
frangarcia
I have just tried different environments we have with different users that
were consistently failing last week (even this morning) and I have been able
to get an access token using the server approach. Can anybody else test with
their apps if the problem is fixed for you? Fingers crossed.

~~~
silencekit
What exactly is the server approach?

------
dekaikiwi
We're experiencing the same issue here. Reports from multiple clients over the
last few days. Surely enough checking the logs yields an invalid_credentials
error.

Trouble is, we can't faithfully reproduce the issue from our network, but
clients are reporting failures to authenticate every time they try!

Have contacted Instagram for an update. Anyone else still experiencing the
issue?

~~~
alpcan
Same here, we are still getting this error.

~~~
grantmojo
I think everyone who posted or replied under this thread (and many other
Stack Overflow threads) experienced the same issue. The issue seemed resolved
for us just yesterday for a day, but today, it started acting up again, and we
had to switch wifi to log into Instagram. We also added email login after this
incident.

------
jordipolo87
Anyone know if the problem has already been solved?

Thank you!

~~~
frangarcia
Not sure if the issue has already been solved but I have tried with different
accounts in different environments we have for our app and it was working fine
for all the accounts. Previously, it was very easy to reproduce the problem.
Fingers crossed!

~~~
svens_
Same here, no problems anymore for more than two weeks now.

~~~
jordipolo87
Thank you guys! ;) We will disable the client side authentication. If we
encounter problems again I will comment.

