React Native Instagram Explicit Authentication

Question

I'm creating a react native app and adding instagram authentication to it. I want users to be able to "add" their instagram accounts to their main user account, so I have a "connect your instagram" button.

I have this working on my web app fine.. The flow is as follows:

1. User clicks 'connect instagram' button and a new window opens and is directed to https://instagram.com/oauth/authorize/?client_id=xxxx blah blah
2. User authenticates and instagram redirects to my REDIRECT_URI with a CODE parameter
3. My API server takes the CODE parameter and sends a post request to instagram with all the credentials.
4. Instagram verifies this information and gives me the users ACCESS_TOKEN

Can someone tell me how this is supposed to work in an app?

What's my REDIRECT_URI supposed to be? The server api?

Is it the same flow as my web app? If so, how do I get the users back to my app after the window is closed. How does my app know that the user now has an access token?

Answer 1

With a native application the flow is similar to what you described for the web application.

The Auth0 Mobile + API architecture scenario describes what should happen when you need to authenticate a user for a mobile application and then later access an API on behalf of that user.

Summary

• you will continue to use the authorization code grant;
• if the authorization server in question supports it you should use the PKCE (Proof Key for Code Exchange by OAuth Public Clients) for added security;
• you will need to select how you will receive the code in the native application; you can use a custom scheme com.myinstaapp:, a local web server with the http: scheme or a few other options; _{(see this answer on OAuth redirect URI for native application for other alternatives)}
• you exchange the code obtained by the native application with an access token in a similar way to what you would do for a web application; _{(except for the use of client secrets which are in general not useful for native applications as they would be easily leaked)}

Additional Information

The flow described in the Auth0 scenario assumes that authentication will happen through an OpenID Connect compliant flow and in addition you'll get the access token as specified by OAuth2. I'm not overly familiar with Instagram so if they only support OAuth2 that part is of course not applicable.