OAuth is built as an authentication tool that lets a user grant a site access without giving it their password. It works by passing various tokens between your site and the OAuth-based site, which ends in the user handing your application a specific access token. The user can revoke this token at any time, so if an application is acting maliciously its access can be deactivated without the user changing their password.
Many big sites use OAuth, such as Twitter, Facebook and Instagram. We'll be using the Instagram API to demonstrate how to deal with OAuth, so you might benefit from keeping an eye on the Instagram Developer Docs.
Register your application
The first thing to do is register your application on Instagram. When you've done that you'll be given a Client ID and a Client Secret; keep a note of these as you'll need them later in the authentication process.
The oAuth Process
There are a few steps involved in the authentication process:
- You direct the user to the Instagram website to allow access to your application
- You get given a code back from Instagram
- Use this code to send a cURL request to Instagram to get an access_token
As you can see there are a few steps of back and forth, but it makes sense once you understand the full flow.
Send the user to Instagram
This is straightforward: you generate a URL for the user to go to using the aforementioned Client ID that you got after registering, and the Redirect URI that you provided during registration. For a Client ID of 12345 and a Redirect URI of http://codular.com I would generate a URL as such:
Receive the code
When the user has granted access to your application, they will get sent back to the redirect_uri that you put above with a query string attached called code; you will then be able to access this through using
If there are any errors returned, there will be the following query string items returned:
Here is where the fun starts and the real authentication work happens: we now need to make a cURL request to Instagram to get the user and their access_token, which we store in the database for later use.
You will want to send a POST request to the endpoint https://api.instagram.com/oauth/access_token with the following parameters:
- Client ID - The client ID you were given after registering your application
- Client Secret - The client secret you were given after registering your application
- grant_type - Currently only
- code - The code that you received in the previous step -
If your cURL request goes through correctly and without issue, you will get a response which lists
You should store these 5 items, and then you can use them later to make any requests to the API that require authentication.
Never assume that the access_token you have will always work: the user can revoke it at any time, so cater for the possibility of a request failing at every stage of the process.
You are able to request an extra level of access when you send the user off to Instagram in the first instance by appending an additional query string parameter called scope with one or many (+ separated) of the following values:
- basic (default)
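The three steps above (build the authorization URL with a scope, read the code or error back from the redirect, POST the code for an access_token and check the reply) as one worked example. This is added code, not the article's own PHP nor Instagram's client library. It assumes Instagram's authorize endpoint at https://api.instagram.com/oauth/authorize/ and the standard OAuth 2.0 parameter names (response_type, grant_type=authorization_code, error, error_description), none of which the article spells out, and it goes one step beyond the article by carrying a state parameter so the callback can be tied to the session that started the login. The HTTP POST is injectable so the whole flow runs offline against a constructed stand-in for Instagram.

```python
import json
import secrets
import urllib.parse
import urllib.request

# Instagram's OAuth 2.0 endpoints. Only the token endpoint appears in the
# article; the authorize endpoint is an assumption recorded here.
AUTHORIZE_URL = "https://api.instagram.com/oauth/authorize/"
TOKEN_URL = "https://api.instagram.com/oauth/access_token"


def new_state():
    """Unguessable per-login value, stored in the user's session before redirecting.
    Checking it on the way back binds the callback to the session that started it
    (standard OAuth CSRF protection, not covered by the article)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state, scopes=("basic",)):
    """Step 1: the URL the user is sent to. Scopes are joined with '+' as the
    article describes; they are appended raw because urlencode would escape '+'."""
    query = urllib.parse.urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}&scope={'+'.join(scopes)}"


def parse_callback(query_string, expected_state):
    """Step 2: read the query string Instagram appends to redirect_uri.
    Returns the code; raises if the state is wrong or an error came back."""
    q = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    state = q.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not bound to this session")
    if "error" in q:
        # error / error_description are the standard OAuth error parameters;
        # the article's own list of error items is not reproduced here.
        reason = q.get("error_description", [""])[0]
        raise ValueError(f"authorization refused: {q['error'][0]} {reason}".strip())
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried neither a code nor an error")
    return code


def build_token_request(client_id, client_secret, redirect_uri, code):
    """Step 3: form body for the server-side POST that swaps the code for an
    access_token. The client secret only ever travels in this request."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
        "code": code,
    }).encode()
    return TOKEN_URL, body


def exchange_code(client_id, client_secret, redirect_uri, code, post=None):
    """Send the step-3 request and validate the reply. `post(url, body) -> bytes`
    is injectable so the flow can be exercised offline; the default does a real
    HTTPS POST with urllib."""
    if post is None:
        def post(url, body):
            req = urllib.request.Request(url, data=body, method="POST")
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read()
    url, body = build_token_request(client_id, client_secret, redirect_uri, code)
    reply = json.loads(post(url, body))
    token = reply.get("access_token") if isinstance(reply, dict) else None
    if not isinstance(token, str) or not token:
        # Never assume the exchange worked: an error body carries no access_token.
        raise RuntimeError(f"token exchange failed: {reply}")
    return {"access_token": token, "user": reply.get("user", {})}


def fake_instagram_post(url, body):
    """Constructed stand-in for Instagram's token endpoint, used offline below."""
    fields = urllib.parse.parse_qs(body.decode())
    if fields.get("code") != ["abc123"] or fields.get("grant_type") != ["authorization_code"]:
        return b'{"code": 400, "error_type": "OAuthException", "error_message": "bad code"}'
    return b'{"access_token": "tok-constructed", "user": {"id": "1", "username": "demo"}}'


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("12345", "http://codular.com", state))
    code = parse_callback(f"code=abc123&state={state}", state)  # constructed callback
    print(exchange_code("12345", "s3cret", "http://codular.com", code, post=fake_instagram_post))
```

Two design points worth noting: the client secret appears only in the server-side step-3 request, never in the URL the browser sees, and a callback whose state does not match the session is rejected before the code is ever sent to Instagram, so a code planted by a third party cannot be attached to a victim's session.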
While this example is based around Instagram, I hope it highlights the requisites of the OAuth methodology, namely that there are 3 steps to the process. If you're working with Twitter and want to authenticate yourself for your own application, the developer control panel is able to give you your user access tokens for that application without your having to code your own authentication procedure.