Update to Instagram Basic Display API

Update the Instagram provider to use the Basic Display API.
See #441.

Author: martincostello

docs/instagram.md

@@ -14,9 +14,17 @@ A Facebook authentication provider is [available from Microsoft](https://docs.mi
 services.AddAuthentication(options => /* Auth configuration */)
         .AddInstagram(options =>
         {
-            options.ClientId = "my-client-id";
-            options.ClientSecret = "my-client-secret";
-        });
+            options.ClientId = Configuration["Instagram:ClientId"];
+            options.ClientSecret = Configuration["Instagram:ClientSecret"];
+
+            // Optionally return the account type
+            options.Fields.Add("account_type");
+
+            // Optionally return the user's media
+            options.Fields.Add("media_count");
+            options.Fields.Add("media");
+            options.Scope.Add("user_media");
+        })
 ```
 
 ## Required Additional Settings
@@ -27,4 +35,4 @@ _None._
 
 | Property Name | Property Type | Description | Default Value |
 |:--|:--|:--|:--|
-| `UseSignedRequests` | `bool` | Indicates whether requests to the Instagram API's user information endpoint should be signed. | `false` |
+| `Fields` | `ISet<string>` | The list of list of fields and edges to retrieve from the user information endpoint. | `[ "id", "username" ]` |

src/AspNet.Security.OAuth.Instagram/InstagramAuthenticationConstants.cs

@@ -0,0 +1,30 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+ * See https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers
+ * for more information concerning the license and the contributors participating to this project.
+ */
+
+namespace AspNet.Security.OAuth.Instagram
+{
+    /// <summary>
+    /// Contains constants specific to the <see cref="InstagramAuthenticationHandler"/>.
+    /// </summary>
+    public static class InstagramAuthenticationConstants
+    {
+        /// <summary>
+        /// Contains constants for claims.
+        /// </summary>
+        public static class Claims
+        {
+            /// <summary>
+            /// The claim for the user's account type.
+            /// </summary>
+            public const string AccountType = "urn:instagram:accounttype";
+
+            /// <summary>
+            /// The claim for the user's media count.
+            /// </summary>
+            public const string MediaCount = "urn:instagram:mediacount";
+        }
+    }
+}

src/AspNet.Security.OAuth.Instagram/InstagramAuthenticationDefaults.cs

@@ -47,6 +47,6 @@ public static class InstagramAuthenticationDefaults
         /// <summary>
         /// Default value for <see cref="OAuthOptions.UserInformationEndpoint"/>.
         /// </summary>
-        public const string UserInformationEndpoint = "https://api.instagram.com/v1/users/self";
+        public const string UserInformationEndpoint = "https://graph.instagram.com/me";
     }
 }

src/AspNet.Security.OAuth.Instagram/InstagramAuthenticationHandler.cs

@@ -5,13 +5,9 @@
  */
 
 using System;
-using System.Diagnostics;
-using System.Linq;
 using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Security.Claims;
-using System.Security.Cryptography;
-using System.Text;
 using System.Text.Encodings.Web;
 using System.Text.Json;
 using System.Threading.Tasks;
@@ -42,13 +38,9 @@ protected override async Task<AuthenticationTicket> CreateTicketAsync(
         {
             string address = QueryHelpers.AddQueryString(Options.UserInformationEndpoint, "access_token", tokens.AccessToken);
 
-            if (Options.UseSignedRequests)
+            if (Options.Fields.Count > 0)
             {
-                // Compute the HMAC256 signature.
-                string signature = ComputeSignature(address);
-
-                // Add the signature to the query string.
-                address = QueryHelpers.AddQueryString(address, "sig", signature);
+                address = QueryHelpers.AddQueryString(address, "fields", string.Join(",", Options.Fields));
             }
 
             using var request = new HttpRequestMessage(HttpMethod.Get, address);
@@ -70,37 +62,16 @@ protected override async Task<AuthenticationTicket> CreateTicketAsync(
 
             var principal = new ClaimsPrincipal(identity);
             var context = new OAuthCreatingTicketContext(principal, properties, Context, Scheme, Options, Backchannel, tokens, payload.RootElement);
-            context.RunClaimActions(payload.RootElement.GetProperty("data"));
+            context.RunClaimActions();
 
             await Options.Events.CreatingTicket(context);
             return new AuthenticationTicket(context.Principal, context.Properties, Scheme.Name);
         }
 
+        [Obsolete("This method is no longer called and will be removed in a future version.")]
         protected virtual string ComputeSignature([NotNull] string address)
         {
-            string query = new UriBuilder(address).Query;
-
-            // Extract the parameters from the query string.
-            string[] parameters =
-                (from parameter in QueryHelpers.ParseQuery(query)
-                 orderby parameter.Key
-                 select $"{parameter.Key}={parameter.Value}").ToArray();
-
-            Debug.Assert(parameters.Length < 1, "No parameters found in query string.");
-
-            // See https://www.instagram.com/developer/secure-api-requests/
-            // for more information about the signature format.
-            byte[] bytes = Encoding.UTF8.GetBytes($"/users/self|{string.Join("|", parameters)}");
-
-            // Compute the HMAC256 signature.
-            byte[] key = Encoding.UTF8.GetBytes(Options.ClientSecret);
-
-            using var algorithm = new HMACSHA256(key);
-
-            byte[] hash = algorithm.ComputeHash(bytes);
-
-            // Convert the hash to its lowercased hexadecimal representation.
-            return BitConverter.ToString(hash).Replace("-", string.Empty, StringComparison.Ordinal).ToLowerInvariant();
+            return string.Empty;
         }
     }
 }

src/AspNet.Security.OAuth.Instagram/InstagramAuthenticationOptions.cs

@@ -4,9 +4,12 @@
  * for more information concerning the license and the contributors participating to this project.
  */
 
+using System;
+using System.Collections.Generic;
 using System.Security.Claims;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.OAuth;
+using static AspNet.Security.OAuth.Instagram.InstagramAuthenticationConstants;
 
 namespace AspNet.Security.OAuth.Instagram
 {
@@ -18,17 +21,18 @@ public class InstagramAuthenticationOptions : OAuthOptions
         public InstagramAuthenticationOptions()
         {
             ClaimsIssuer = InstagramAuthenticationDefaults.Issuer;
-
             CallbackPath = InstagramAuthenticationDefaults.CallbackPath;
 
             AuthorizationEndpoint = InstagramAuthenticationDefaults.AuthorizationEndpoint;
             TokenEndpoint = InstagramAuthenticationDefaults.TokenEndpoint;
             UserInformationEndpoint = InstagramAuthenticationDefaults.UserInformationEndpoint;
 
-            Scope.Add("basic");
+            Scope.Add("user_profile");
 
             ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");
-            ClaimActions.MapJsonKey(ClaimTypes.Name, "full_name");
+            ClaimActions.MapJsonKey(ClaimTypes.Name, "username");
+            ClaimActions.MapJsonKey(Claims.AccountType, "account_type");
+            ClaimActions.MapJsonKey(Claims.MediaCount, "media_count");
         }
 
         /// <summary>
@@ -38,6 +42,16 @@ public InstagramAuthenticationOptions()
         /// Enabling this option is recommended when the client application
         /// has been configured to enforce signed requests.
         /// </summary>
+        [Obsolete("This property no longer has any effect and will be removed in a future version.")]
         public bool UseSignedRequests { get; set; }
+
+        /// <summary>
+        /// Gets the list of list of fields and edges to retrieve from the user information endpoint.
+        /// </summary>
+        public ISet<string> Fields { get; } = new HashSet<string>()
+        {
+            "id",
+            "username",
+        };
     }
 }

test/AspNet.Security.OAuth.Providers.Tests/Instagram/InstagramTests.cs

@@ -10,6 +10,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Xunit;
 using Xunit.Abstractions;
+using static AspNet.Security.OAuth.Instagram.InstagramAuthenticationConstants;
 
 namespace AspNet.Security.OAuth.Instagram
 {
@@ -28,8 +29,8 @@ protected internal override void RegisterAuthentication(AuthenticationBuilder bu
         }
 
         [Theory]
-        [InlineData(ClaimTypes.NameIdentifier, "my-id")]
-        [InlineData(ClaimTypes.Name, "John Smith")]
+        [InlineData(ClaimTypes.Name, "jayposiris")]
+        [InlineData(ClaimTypes.NameIdentifier, "17841405793187218")]
         public async Task Can_Sign_In_Using_Instagram(string claimType, string claimValue)
         {
             // Arrange
@@ -41,5 +42,32 @@ public async Task Can_Sign_In_Using_Instagram(string claimType, string claimValu
             // Assert
             AssertClaim(claims, claimType, claimValue);
         }
+
+        [Theory]
+        [InlineData(ClaimTypes.Name, "jayposiris")]
+        [InlineData(ClaimTypes.NameIdentifier, "17841405793187218")]
+        [InlineData(Claims.AccountType, "PERSONAL")]
+        [InlineData(Claims.MediaCount, "42")]
+        public async Task Can_Sign_In_Using_Instagram_With_Additional_Fields(string claimType, string claimValue)
+        {
+            // Arrange
+            static void ConfigureServices(IServiceCollection services)
+            {
+                services.PostConfigureAll<InstagramAuthenticationOptions>((options) =>
+                {
+                    options.Fields.Add("account_type");
+                    options.Fields.Add("media_count");
+                    options.Scope.Add("user_media");
+                });
+            }
+
+            using var server = CreateTestServer(ConfigureServices);
+
+            // Act
+            var claims = await AuthenticateUserAsync(server);
+
+            // Assert
+            AssertClaim(claims, claimType, claimValue);
+        }
     }
 }

test/AspNet.Security.OAuth.Providers.Tests/Instagram/bundle.json

@@ -2,6 +2,7 @@
   "$schema": "https://raw.githubusercontent.com/justeat/httpclient-interception/master/src/HttpClientInterception/Bundles/http-request-bundle-schema.json",
   "items": [
     {
+      "comment": "See https://developers.facebook.com/docs/instagram-basic-display-api/getting-started#step-5--exchange-the-code-for-a-token",
       "uri": "https://api.instagram.com/oauth/access_token",
       "method": "POST",
       "contentFormat": "json",
@@ -13,13 +14,23 @@
       }
     },
     {
-      "uri": "https://api.instagram.com/v1/users/self?access_token=secret-access-token",
+      "comment": "See https://developers.facebook.com/docs/instagram-basic-display-api/reference/user#user",
+      "uri": "https://graph.instagram.com/me?access_token=secret-access-token&fields=id,username",
       "contentFormat": "json",
       "contentJson": {
-        "data": {
-          "id": "my-id",
-          "full_name": "John Smith"
-        }
+        "id": "17841405793187218",
+        "username": "jayposiris"
+      }
+    },
+    {
+      "comment": "See https://developers.facebook.com/docs/instagram-basic-display-api/reference/user#user",
+      "uri": "https://graph.instagram.com/me?access_token=secret-access-token&fields=id,username,account_type,media_count",
+      "contentFormat": "json",
+      "contentJson": {
+        "id": "17841405793187218",
+        "username": "jayposiris",
+        "account_type": "PERSONAL",
+        "media_count": 42
       }
     }
   ]