We are using Instagram as a social login for our application. I now want to use Auth0 as an user management layer. When logging in with Instagram, they create a token that can be used for API requests. They add the token to the callback URL (in this case auth0.com/login/callback). My question is if we can persist this token back to the application. Let me illustrate the flow:
We redirect to auth0.com/authorize,
The user clicks login which opens api.instagram.com/oauth/authorize/?response_type=code ...
After successful login Instagram redirects back to auth0.com/login/callback?code=... - Instagram include the access token to the callback URL. There are 2 URL parameters: code and state.
Auth0 then redirects to the app’s callback URL with access_token, token_type, etc. in the URL. However, the codeand state parameters from Instagram are lost.
Is there anyway to persist the Instagram tokens back to the application’s callback URL? We need these tokens to hit Instagram’s API. If we can’t persist them, we would need to make the user login to Instagram again so we can get the token.
When you enable the Instagram connection in Auth0 you’re stating that you want to also allow Instagram as another source of user identities. The way that Auth0 validates those identities with Instagram is indeed through an OAuth2 exchange where Instagram issued access tokens allow Auth0 to obtain information about the user that can then be packaged and relayed to the client application now in an Auth0 issued token/assertion. The benefit of this indirection layer is that if you brought another social provider to the mix the client application could still only have to worry about validating tokens/assertions issued by Auth0 and in such way be more independent.
The above has the (important part for you scenario) side-effect that the Instagram access token that was obtained during authentication is not made available by default to the client application. However, there’s still a process available that would allow a confidential client application to request this access token through the Management API and in such way provide a more tight integration based on the social provider the end-user used for authentication.
The process to obtain access tokens obtained during social provider authentication is described at:
I am trying the Sample auth0 for react native.
The app receive ‘access token’, ‘idToken’, ‘expiration’ and ‘tokentype’
From https://auth0.com/docs/tokens/idp it’s mentionned to use the endpoint:
HTTP GET call to the /api/v2/user/{user-id}
I dont understand how can the app reach that endpoint with ‘user-id’ if the app haven’t receive it ?
Is there any way to get the ‘user-id’ during the authentication ?
I am trying the Sample auth0 for react native.
The app receive ‘access token’, ‘idToken’, ‘expiration’ and ‘tokentype’
From https://auth0.com/docs/tokens/idp it’s mentionned to use the endpoint:
HTTP GET call to the /api/v2/user/{user-id}
I dont understand how can the app reach that endpoint with ‘user-id’ if the app haven’t receive it ?
Is there any way to get the ‘user-id’ during the authentication ?
The ID token is guaranteed to be a JWT token that contains the user identifier as part of the sub claim. Given you can validate the ID token to ensure it comes from a trusted party you can then use the information contained within it to know for which user to perform the call.
Thank for your reply.
I’ve managed to get the sub from the idToken.
I’m now stuck with the call to /api/v2/user/{user-id}.
I have the error {statusCode: 403, error: “Forbidden”, message: “User to be acted on does not match subject in bearer token.”, errorCode: “unowned_resource”}.
I’m trying to solve it for 5h
Ok, I found my error, I needed to create a token in API Explorer.
I’m still very confused with the Auth0 Management API.
I’ve managed to get the Instagram access_token.