Access LinkedIn REST API without front-end (e.g. OAuth2 redirect)

2

7

Goal

Fetch a company's updates and save them locally in a background task

Problem

This should be done as a backend service without any real user interaction. We could provide a user account to use, but the authentication is a problem: There is literally no one to answer the OAuth redirect and there is no public redirect URL to configure, since it's a background service.

Is there any way to access the API without having a redirect URL or a real user?

Harrell answered 22/1, 2015 at 12:30 Comment(0)
4

You can get an initial access token in a regular front-end flow, for you as the app developer, i.e. yourself as the LinkedIn user. Once you've got that, you can store it in the backend and use it for 60 days to get access to the LinkedIn APIs.

After 60 days you need to refresh the token as documented in: https://developer.linkedin.com/documents/handling-errors-invalid-tokens

Unfortunately LinkedIn does not (yet) support an autonomous refresh flow where your app can get a new access token by presenting a refresh token on a backchannel. So the developer will have to refresh the access token by a manual login every 2 months.

Synaesthesia answered 22/1, 2015 at 12:39 Comment(3)
Oh great, that's probably why I got both API key and secret AND OAuth user token and secret after registering my application? - Harrell
After the first authentication step you are ready to go underground. At least until you need to re-authenticate (I don't know if LinkedIn needs that, some other provider I use forces you to re-authenticate after a year, tokens can be refreshed until then). - Rockwood
Thank you, I will try this out and accept your answer then! - Harrell
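
The backend storage side of the approach in the answer above, as an added example that is not part of the original posts: the token from the one-off browser login is written to an owner-only file together with its expiry, and the background job refuses to run once the 60 days are over. The file path, the seven-day warning window and the `fetch` callback are assumptions; no LinkedIn endpoint is called.

```python
import json
import os
import stat
import time

TOKEN_LIFETIME = 60 * 24 * 3600   # 60 days, as stated in the answer
WARN_BEFORE = 7 * 24 * 3600       # assumption: warn the operator a week ahead

def save_token(path, access_token, expires_in=TOKEN_LIFETIME, now=None):
    """Persist the token obtained in the manual browser login."""
    now = time.time() if now is None else now
    record = {"access_token": access_token, "expires_at": now + expires_in}
    # Create the file as 0600 so the secret is never group/world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh)
    os.chmod(path, 0o600)  # also tightens a file that already existed

def load_token(path, now=None):
    """Return (token, status); status is 'ok', 'renew_soon' or 'expired'."""
    now = time.time() if now is None else now
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is accessible to group/other (mode {mode:o})")
    with open(path) as fh:
        record = json.load(fh)
    remaining = record["expires_at"] - now
    if remaining <= 0:
        return None, "expired"
    return record["access_token"], "renew_soon" if remaining <= WARN_BEFORE else "ok"

def run_job(path, fetch, now=None):
    """Background task entry point: never calls the API with a dead token."""
    token, status = load_token(path, now)
    if status == "expired":
        return "manual login required"   # hook an operator alert in here
    result = fetch(token)
    return result if status == "ok" else f"{result} (renew token soon)"
```
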
1

Well, it is still all HTTP and HTML, so in fact there is no real reason to show the OAuth dialog to a user, as long as you can strip out the necessary parts in the HTML authentication dialog and send a valid response back to the server, using the username and password from the user (which you can obtain from him, or save it yourself in a config file if it is you).

Note that there might be a legal issue if LinkedIn demands you to actually show the dialog; besides that, there is no technical need.

Rockwood answered 22/1, 2015 at 12:44 Comment(7)
Why the downvote? Although this doesn't seem 'the right thing to do', it is valid from an in-house concept where you automatize your marketing, for example through your LinkedIn page. - Rockwood
1. it defeats the purpose of OAuth where user credentials should not be exposed to the client/app; 2. if LinkedIn wanted you to do this they would have offered the Resource Owner Password Credentials flow; 3. it makes it impossible to upgrade to other & multi-factor authentication; 4. it is brittle since it depends on LinkedIn not changing their login flow; 5. etc. - Synaesthesia
@HansZ.: What if there is no app, nor a client? OP states clearly it runs in a background task, maybe there isn't a UI at all! Maybe there is just a database or another source to write to... - Rockwood
it's OAuth terminology: the client is the background task; the point is that you'd need an OOB UI to get the initial access token - Synaesthesia
@HansZ.: But why do you need a UI? Who says so? - Rockwood
for the "code" flow that LinkedIn uses you need a UI of using the "code" flow, because it makes the client independent of authentication methods and allows for asking the user consent; otherwise LinkedIn would have offered another flow - Synaesthesia
@HansZ.: So we should wait until LinkedIn ever makes this. Good luck waiting... In the meantime, I will just make it work. - Rockwood
