Ask HN: Does anyone else have problems with Instagram API OAuth2?
19 points by svens_ on Dec 14, 2016 | 75 comments

To temporarily fix the issue, you could do the following:

Change response_type=code to response_type=token. Instagram will redirect back to your site with something like /callback#access_token=123456. From here, send the user to a very simple page with the following snippet:


    if (window.location.hash && window.location.hash.indexOf('#access_token=') !== -1) {
        // Move the token from the URL fragment into a query string the server can read.
        var accessToken = window.location.hash.replace('#access_token=', '');
        window.location = '/callback?access_token=' + accessToken;
    }

After that, you just use the Instagram API to retrieve user by access token then perform log in. This is not a recommended flow by Instagram but is a flow that works for now if your customers are constantly hammering you with support tickets as they did with us.

Anyone have any experience getting this working with omniauth? It seems like one ought to just be able to change the config to:

    provider :instagram, ENV['INSTAGRAM_CLIENT_ID'], ENV['INSTAGRAM_CLIENT_SECRET'], response_type: 'token'

But that doesn't seem to be working.

Thanks for this temporary fix. Going to use it until Instagram fixes their issue with the authorization code.

This solution is insecure. Any person can intercept the token and do harm to your application.

I completely agree. Hence I said it's temporary. When you have a huge influx of paying customers who cannot log in to do their work, you have to balance that a bit.

It doesn't seem too bad when enforcing https (using the return address whitelisting in the developer console). Am I missing something?

The customer will see the token anyway.

Ah yes, of course. I did miss that. The implicit (client-side) auth flow gets the access token directly and doesn't need another request to the API, that's the whole point.

This is indeed rather unwanted, even more so with the new more restrictive API usage policy and the sandbox.
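A variant of the callback snippet discussed above that keeps the token out of query strings, as an added example that is not part of any comment in this thread. It parses the fragment strictly, clears it from the address bar, and hands the token to the server in a POST body; the `/session/instagram` endpoint and the `/` landing page are hypothetical.

```javascript
// Added example. Endpoint and landing-page paths are hypothetical.

// Parse an implicit-flow fragment such as "#access_token=123456".
// Returns the token, or null unless exactly one non-empty token is present.
function extractAccessToken(hash) {
  if (typeof hash !== 'string' || hash.length < 2 || hash[0] !== '#') return null;
  const params = new URLSearchParams(hash.slice(1));
  const tokens = params.getAll('access_token');
  if (tokens.length !== 1 || tokens[0] === '') return null;
  return tokens[0];
}

// Build the hand-off request. The token travels in the POST body, so it does
// not end up in server access logs, Referer headers or browser history.
function buildHandoffRequest(token) {
  return {
    url: '/session/instagram', // hypothetical same-origin endpoint
    init: {
      method: 'POST',
      credentials: 'same-origin',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ access_token: token }),
    },
  };
}

// Browser glue, written against a window-like object so it can be exercised
// outside a browser as well.
function handleCallback(win) {
  const token = extractAccessToken(win.location.hash);
  if (token === null) return false;
  // Drop the fragment from the current history entry before anything else.
  win.history.replaceState(null, '', win.location.pathname);
  const req = buildHandoffRequest(token);
  win.fetch(req.url, req.init).then((res) => {
    if (res.ok) win.location.assign('/'); // hypothetical landing page
  });
  return true;
}

if (typeof window !== 'undefined') handleCallback(window);
```

The server still has to confirm the token by calling the Instagram API with it before creating a session, as the original workaround describes.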

Where would I change response_type=code to response_type=token?

When you generate the server side explicit flow, it looks something like this:


Depending on the library you use, it may default to response_type=code. Just get the URL and do a search and replace if the library doesn't allow you to define the type.

See https://www.instagram.com/developer/authentication/

I use this library: https://github.com/jaredhanson/passport-oauth2

Something tells me, however, that just changing it to 'token' (file strategy.js, line 217) actually fixes it. Now there are other issues with many redirects when just changing that line, and I'm not entirely sure how that library works to fix anything else at this point. Do you know when this issue might be resolved as a whole?

Unfortunately, Instagram is terrible at responding to developer support tickets and there really isn't much of a community aspect around it. This issue itself is not easily reproducible. The same account may work on one site and not on another site.

but this is better than nothing, thank you!

How did you go about this solution?

I've managed to work around this by changing the API host name from 'api.instagram.com' to 'www.instagram.com' for the Oauth authentication flow.

Here's my fork for the omniauth-instagram Ruby gem, which is now allowing me to consistently log in: https://github.com/stefl/omniauth-instagram/blob/master/lib/...

For me it doesn't work. I changed from 'api.instagram.com' to 'www.instagram.com' for the Oauth - have one "302 redirect" back to my site with "error 400". Strange...

Ditto here, it comes and it goes, but I can see this switch doesn't help our overall fail rate.

Okay, thought I'd mention it because it's had such a significant effect for me. So that possibly means that in my case the Auth0 <-> Instagram connection is something to investigate further.

Same here, made the change a couple of days ago and saw no change in failures.

'twas definitely worth a shot; no worries

We started having the same issue last Friday (Dec. 15, 2016) after it had worked fine for months. The same user can log in via oauth on one wifi, but not on another, or even on a mobile cellular network. And even when it worked on that wifi at one point, it does not work at other times. We have not found a workaround to fix this; we reported it to Instagram 24 hours ago and are waiting... I tried to log in to my account on instagram.com first, then went back to our site, and the browser would log in automatically. So far, we don't have a solution yet.

Update: as of now, all of our accounts are magically working. I did ask my Facebook friends to pass the issue's urgency to the Instagram team.

Just checked again, we're still seeing issues. I can reproduce, simply by using my personal account in a private window, it randomly fails in at least one of our environments (e.g. prod, staging, localhost).

It was working for us for most of the day, but now it's acting up and not working again...

I reported this to a contact at Instagram and they said they are aware of the issue. They don’t have an ETA for the fix yet, but they are looking into it. It's just odd that it seems so random with all of our customers.

Have you heard anything back from your contact at all?

Thanks for the update. It started working yesterday for about 10 hours, then started acting up randomly again.

I'm the creator of https://picodash.com. I noticed the same issue about a week ago but did not get any complaints from my customers, so I debugged it for 8 hours until I found this (I know it will be hard to believe):

I kept getting "Matching code was not found or was already used." when going through my oauth Python code, which btw has been working for 6 years now. But when I used curl to do the POST, it worked; when I tried curl again with the same oauth code, it failed. So I think this is something that was recently changed by Instagram: the oauth code only works one time. I kind of remember this code could be used more than once before to make the POST call, but there was a time limit instead, after which using the same code was failing.

So with me, this was always failing, but there were no complaints from my customers, and I could see in the logs that new people were signing up.

I started testing on localhost and added debug logs. I did notice that there were 2 POST calls being made, so it was failing. I could see that 2 POST calls were made; the first one did work and got the access_token, but there was a second call made, and this was error 400 and the oauth flow was failing. It almost looked like a retry of the POST call, because my code should only make one.

I started trying different browsers; it failed on all of Firefox, IE, Safari and Chrome. Then I decided to try on my iPhone, and it worked 100%. So I looked for the difference: it was on LTE, so I guessed it may be my wifi. I switched to wifi on the iPhone and it started failing 100%. So now on my dev system, I connected the modem directly to the system without the router and tried, and it passed 100%, so it was my wireless router (I know, weird). I tried another 3rd party Instagram web app; it had the same issue but worked without the wireless router. So on Monday I got another wireless router and had no issues; it started working. So this could be an isolated incident for me. I came to the conclusion that I was using some old router that was dropping the POST request, making a second attempt and failing.

So I guess if this is affecting all your customers, check your code by adding logs to confirm that you are making one POST request. Try making a curl request after you receive the code and make sure it is working on the first attempt.

Today after reading this, I checked my oauth login again. I did notice it fail a few times, but when I try again, it passes, so something changed again, I think.
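One way to run the check suggested in the comment above over your own callback logs, as an added example that is not part of the original comment: it separates authorization codes your server sent more than once from codes that were rejected on their first and only use. The log format and the `code_id` field (a truncated hash of the code, so the code itself is never logged) are assumptions, and the sample lines are constructed.

```javascript
// Constructed sample: one line per outgoing POST to the token endpoint.
// Assumed format: "<time> token_exchange code_id=<truncated hash> status=<HTTP status>"
const SAMPLE_LOG = [
  '2016-12-14T10:00:01Z token_exchange code_id=3f2a9c1e status=200',
  '2016-12-14T10:00:02Z token_exchange code_id=3f2a9c1e status=400',
  '2016-12-14T10:03:12Z token_exchange code_id=7b10d4aa status=200',
  '2016-12-14T10:05:40Z token_exchange code_id=c4d5e6f7 status=400',
  'garbage line that does not match',
];

const LINE_RE = /^\S+ token_exchange code_id=([0-9a-f]+) status=(\d{3})$/;

// Group exchange attempts by code and classify each code:
//   sentMoreThanOnce  - our side POSTed the same code twice (retry, redirect, bug)
//   rejectedOnOnlyUse - a single POST that the provider still refused
//   ok                - a single POST that succeeded
function classifyExchanges(lines) {
  const attempts = new Map(); // code_id -> HTTP statuses in log order
  let unparsed = 0;
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) { unparsed += 1; continue; }
    if (!attempts.has(m[1])) attempts.set(m[1], []);
    attempts.get(m[1]).push(Number(m[2]));
  }
  const report = { sentMoreThanOnce: [], rejectedOnOnlyUse: [], ok: [], unparsed };
  for (const [codeId, statuses] of attempts) {
    if (statuses.length > 1) report.sentMoreThanOnce.push(codeId);
    else if (statuses[0] === 200) report.ok.push(codeId);
    else report.rejectedOnOnlyUse.push(codeId);
  }
  return report;
}

console.log(classifyExchanges(SAMPLE_LOG));
```

Codes in `sentMoreThanOnce` point at the client side of the exchange; codes in `rejectedOnOnlyUse` are the ones worth attaching to a report to the provider.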

Sorry, but this is definitely not a hardware, connection or session issue. Just check the rest of the thread. We're seeing issues over various links (broadband, mobile, datacenter) on different server locations (AWS vs. on dev machine) with or without private mode / logging out and then in.

I honestly wish it was something like this, at least then we could fix it.

The double POST requests you see is most probably because api.instagram.com returns a 302 response ("Found", i.e. redirect). This is a relatively recent change, but still weeks before those issues started.

By the way, your server refuses connection when you go to https://picodash.com directly (without www.). You might want to fix this.

Some of our customers complained that they were having issues logging in with their accounts a few days ago. We tested it on our end and it was working without any issue. However, we encountered the issue yesterday and are still having it. However, a very few customers are not having any issue. Really weird and annoying. Reported to Instagram, still no feedback.

What we know at this moment:

1. It does not depend on the IP of the API server behind the Instagram load balancer
2. It appears on both ipv4 and ipv6
3. The problem does not depend on the delay between requesting the code and exchanging this code for a token
4. Logout and login helps sometimes

Does anybody have any news regarding this issue? I've been facing it too for some days... Quite randomly, seems to depend on device used and/or IP... And maybe the alignment of stars.

Same problem on our end. Some environments work for some users and not for others. Have tried all the StackOverflow suggested answers with no luck.

Reported issues but haven't heard back

I've started having the same issue yesterday as well, noticed few times before but it was happening 'sometimes', now it happens all the time. Only workaround is to switch to implicit oauth as @xmrcivicboix suggested

Instagram has fixed the issue, at least it appears to be the case to us.

Are you sure about that? We're still getting this error.

At the time of my last writing, I was sure, as all accounts were working fine. But today, it started acting up again. Now I had to change to a different wifi to log in with Instagram.

I cannot get ahold of Instagram! This is impacting a lot of our users and there seems to be no channel of communication!

Still not working here (explicit auth). Every attempt is failing with the error 400: Matching code was not found or was already used.

May I ask if you guys have a link to where you reported this issue? I am having the same problem.

It happens for us as well, it started this week. Lots of users complaining.

In our case, it seems that most of our customers facing this issue are using a business profile. Has anyone else checked this?

Not my case, I am having some problems with "normal" user accounts. Currently, it seems that logging out and login again fixes the issue.

I got a reply from Instagram that they are aware of the issue and working on it.

Nice. I find this issue is resolved. All of our accounts are magically working.

Having the same issue since a few days

Currently I'm seeing a lot of 400 errors: "Matching code was not found or was already used."

We at smartmetrics.co are experiencing the same issue. We noticed that the issue does not affect everybody; many customers can still use oauth. We contacted Instagram and Facebook support but got no answer.

Pretty much our experience. We didn't figure out what caused it, the same Instagram account sometimes works and sometimes doesn't without a change in code on different instances.

Apparently it happens from time to time, there are some posts about this problem on StackOverflow. No answers though.

We tried many things, including resetting our secret. It's working now, but it's hard to tell whether our actions had any effect.

Looks like now it's working for all accounts. We haven't reset client secret. Hope Instagram fixed this.

Unfortunately we're seeing issues again. So it really didn't help or the effects have worn off by now.

It's a bit frustrating with no reaction from Instagram/Facebook and not even an entry on the status page.

The same for us

We are experiencing the same issue. I have been able to reproduce the issue with the same account by just trying it repeatedly. It will eventually fail; the only solution is to sign out of Instagram, which ends up clearing your session, and try it again.

Instagram went down for a long period of time yesterday; I'd be surprised if they aren't linked.

Private mode wasn't enough to fix the error for us.

At least not in all cases, i.e. we tried production, staging and an instance running on localhost. Private mode usually changed in which places the login worked, but it never helped for all three.

Yep, it does not work for all accounts.

Same for us (VoxFeed)

Same here

Any response from Instagram?

Same problem

Same problem

Same problem here.

Today everything works nicely!

Same problem

Should be fixed, check now.

We are having the same issue. Really annoying that it works for some users and doesn't for others. Even for the same user, sometimes it works and sometimes it doesn't.

I have just tried different environments we have with different users that were consistently failing last week (even this morning) and I have been able to get an access token using the server approach. Can anybody else test with their apps if the problem is fixed for you? Fingers crossed.

What exactly is the server approach?

We're experiencing the same issue here. Reports from multiple clients over the last few days. Surely enough checking the logs yields an invalid_credentials error.

Trouble is, we can't faithfully reproduce the issue from our network, but clients are reporting failures to authenticate every time they try!

Have contacted Instagram for an update. Anyone else still experiencing the issue?

Same here, we are still getting this error.

I think everyone who posted or replied under this thread (and many other StackOverflow threads) experienced the same issue. The issue seemed resolved for us just yesterday for a day, but today it started acting up again, and I had to switch wifi to log into Instagram. We also added email login after this incident.

Anyone know if the problem has already been solved?

Thank you!

Not sure if the issue has already been solved but I have tried with different accounts in different environments we have for our app and it was working fine for all the accounts. Previously, it was very easy to reproduce the problem. Fingers crossed!

Same here, no problems anymore for more than two weeks now.

Thank you guys! ;) We will disable the client side authentication. If we encounter problems again I will comment.
