Creating my own Instagram WordPress plugin

I just wrote a simple plugin to load the recent feed from the Instagram API. I will add a shortcode “my_instagram” in a follow-up post, for example.

This plugin is simple, but the first thing is that you need to register a new app with Instagram, then set the plugin up with your own Client ID and Client Secret. My plugin then uses the OAuth2 authentication method to retrieve an access token so that it can work with the Instagram API.

Although the procedure is not very difficult, the plugin is probably not that useful in a real-world situation. First, I think most users who just use WordPress for updating news, blogging, etc. may not know what to do with a plugin that requires setting up an app on Instagram. So, I checked how other people do it with their plugins.

I am not sure I am right, but it seems that other plugins' authentication flow works like this picture:
[Figure: OAuth flow diagram]

The procedure is like this:
1. The WP site (any site using WordPress) sends a request with the app's Client ID (this ID is somewhere in the plugin) and Redirect URI to the Instagram site for the authorisation procedure.

2. After the user authorises, Instagram redirects back to the plugin site with a “code” parameter (most likely the plugin author's site, because only the author knows the Client Secret assigned to their app).

3. The plugin author's site sends a request to Instagram with their own Client ID, Client Secret, and the “code” parameter received in step 2.

4. If everything is OK, Instagram responds with an access_token and other information.

5. The plugin author's site then redirects the access_token back to the WP site.

None of the steps is that difficult to implement; I have used WP's modules to mock up a very simple redirect process for another plugin I am writing now. However, it seems to me that at step 4 my redirect process can store any access token information that I receive from Instagram (let's say you are using my plugin and go through my redirect process; then I will be able to store your access token). I am not that familiar with OAuth2, but I think an access token is the same as a username/password that should be kept safe.. but isn't it then exposed to the third party??? I know you can revoke your token any time, but I am not sure everyone will know how to revoke it except by changing the password (changing the password will revoke the token).

If I have your access token, does it mean that I am able to act like you on Instagram?

Actually, at first I thought step 4 could just redirect the access token back to the WP site instead of going through the third party, but it seems that the redirect URI set up with the app is strict and must match the request from step 1.
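An added simulation of the five-step flow above (this is not the plugin's code and the Instagram endpoints are mocked; every id, URL and token is constructed, and the WP site's return address is assumed to reach the relay out of band, for example via the OAuth state parameter). It makes the concern visible: after step 4 the plugin author's site has seen every token it relays, and it adds an allowlist check on the return site that the post does not describe.

```python
from urllib.parse import urlencode, urlparse, parse_qs
import secrets

CLIENT_ID = "plugin-app-id"            # constructed: the app id baked into the plugin
CLIENT_SECRET = "plugin-app-secret"    # constructed: known only to the plugin author's site
RELAY_REDIRECT_URI = "https://author.example/oauth/callback"  # constructed


class MockInstagram:
    """Stand-in for the authorisation and token endpoints (steps 1-2 and 3-4)."""
    def __init__(self):
        self.codes = {}  # one-time code -> (user, redirect_uri it was issued for)

    def authorize(self, client_id, redirect_uri, user):
        # The registered redirect URI is strict: it must be the relay's callback.
        if client_id != CLIENT_ID or redirect_uri != RELAY_REDIRECT_URI:
            raise ValueError("client id / redirect uri mismatch")
        code = secrets.token_hex(8)
        self.codes[code] = (user, redirect_uri)
        return f"{redirect_uri}?{urlencode({'code': code})}"  # step 2 redirect

    def access_token(self, client_id, client_secret, redirect_uri, code):
        user, uri = self.codes.pop(code)  # code is single-use
        if client_id != CLIENT_ID or client_secret != CLIENT_SECRET or uri != redirect_uri:
            raise ValueError("token exchange rejected")
        return {"access_token": f"tok-{user}-{secrets.token_hex(4)}", "user": user}


class RelaySite:
    """The plugin author's site: the only party that knows CLIENT_SECRET."""
    def __init__(self, instagram, allowed_sites):
        self.ig, self.allowed, self.seen_tokens = instagram, allowed_sites, []

    def callback(self, step2_url, return_to):
        code = parse_qs(urlparse(step2_url).query)["code"][0]
        resp = self.ig.access_token(CLIENT_ID, CLIENT_SECRET, RELAY_REDIRECT_URI, code)
        self.seen_tokens.append(resp["access_token"])  # step 4: relay holds the user's token
        if urlparse(return_to).netloc not in self.allowed:  # added check, not in the post
            raise ValueError("refusing to forward a token to an unknown site")
        return f"{return_to}?{urlencode({'access_token': resp['access_token']})}"  # step 5


def run_flow(user, wp_site="https://blog.example/wp-admin/"):
    ig = MockInstagram()
    relay = RelaySite(ig, allowed_sites={"blog.example"})
    step2 = ig.authorize(CLIENT_ID, RELAY_REDIRECT_URI, user)   # WP site starts step 1
    step5 = relay.callback(step2, wp_site)                      # relay performs steps 3-5
    token = parse_qs(urlparse(step5).query)["access_token"][0]  # WP site receives the token
    return token, relay.seen_tokens
```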

If anyone reading this knows about this, please explain it to me… Thank you 🙂



My note about how I test with Zend + Facebook Oauth

This is just a note for myself on how I test my code to retrieve a Facebook access token through my Zend application, since Zend_OAuth is not really useful here:

class IndexController extends Zend_Controller_Action
{
    // Replace with the App ID / App Secret from the Facebook app settings
    const APP_ID = 'YOUR_APP_ID';
    const APP_SECRET = 'YOUR_APP_SECRET';
    // Must match the callback URL registered for the app (it points at oauthAction)
    const CALLBACK_URL = 'YOUR_CALLBACK_URL';

    public function init()
    {
        /* Initialize action controller here */
    }

    public function indexAction()
    {
        // Redirect the user to the authorisation URL. Usually you may want to make a pop-up link to open this...
        $this->_helper->redirector->gotoUrl(
            'https://graph.facebook.com/oauth/authorize?client_id=' .
            urlencode(self::APP_ID) .
            '&redirect_uri=' . urlencode(self::CALLBACK_URL));
    }

    public function oauthAction()
    {
        // On success Facebook redirects back here with a 'code' parameter
        $code = $this->getRequest()->getParam('code');

        if (null !== $code) {
            // This returns an access_token and expiry on success:
            // $content will be 'access_token=.....&expiry=.....'
            $content = file_get_contents(
                'https://graph.facebook.com/oauth/access_token?client_id=' .
                urlencode(self::APP_ID) .
                '&redirect_uri=' . urlencode(self::CALLBACK_URL) .
                '&client_secret=' . urlencode(self::APP_SECRET) .
                '&code=' . urlencode($code));

            // Parse $content so the access_token can be used on its own
            parse_str((string) $content, $params);
            if (empty($params['access_token'])) {
                // Token exchange failed (request error or an error body came back)
                $this->view->user = null;
                return;
            }

            // Simple test: retrieve the user's information with the token
            $this->view->user = json_decode(
                file_get_contents(
                    'https://graph.facebook.com/me?access_token=' .
                    urlencode($params['access_token'])));
        } else {
            // Error code to handle.. probably the user did not authorise
            $this->view->user = null;
        }
    }
}

My view script file:

User Name:  <?= $this->user ? $this->escape($this->user->name) : 'not available'; ?>

Just an idea: maybe I should write a service to do all the procedures, like Zend_Service_Twitter.

