LinkedIn OAuth2.0 Invalidate Session / Force re-authorization
I've just migrated from LinkedIn's JavaScript SDK to their OAuth2.0 authorization flow in my application due to their announcement of deprecating their SDKs in March.

The auth flow is working as expected. The issue is that I can't find any documentation on how to force re-authentication or invalidate the current user's access token. The previous JavaScript SDK had an IN.User.logout() method that I used to allow for re-authentication which is not available using the OAuth2.0 flow. This will cause problems for users who are logging in on a shared computer/browser.

Below are some ways I've figured out where re-authentication is initiated, but none that my application can do itself:

  • Clear out web browser / LinkedIn cookies
  • Logout of LinkedIn site directly
  • Update/change requested permissions (not ideal)

Does anyone have a recommendation on how I can force re-authentication within the application? Or is this impossible unless LinkedIn implements an endpoint to invalidate the token?

Hoping someone from LinkedIn may be able to chime in on this and how they expect developers to handle this scenario as they point to Stack Overflow for support.

Update [2/12/19]: I've contacted LinkedIn directly regarding this issue and they continued to direct me here and insist that I repost the question. Hoping someone from LinkedIn will see this still but assuming it won't get answered anytime soon. Will have to assume invalidation does not exist in v2 APIs.

Coincide answered 22/1, 2019 at 20:4 Comment(3)
Aside from the methods you've listed, there is no method available from the LinkedIn API to invalidate access tokens. (Burrell)
Any update regarding this? (Submersed)
@Submersed No updates for this as of now. Currently there is no way to invalidate access tokens for LinkedIn v2 APIs. (Coincide)

I had the same suffering as you, so I started with all possible combinations of requests until I managed to revoke the token. This is the request:

curl --request POST \
  --url https://www.linkedin.com/oauth/v2/revoke \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data client_id=CLIENT_ID_HERE \
  --data client_secret=CLIENT_SECRET_HERE \
  --data token=YOUR_TOKEN_HERE
Haversine answered 20/11, 2020 at 18:50 Comment(2)
I'm hoping this helps someone. This command does work, but it actually deleted the app from my developer console! So it appears that if you run this command as the app's owner/developer against your own account, you're effectively revoking access to your app and removing it from your profile. I first thought LinkedIn admins had removed my app for some reason, only to remember later that I had made this API call. If anyone else can confirm this, please advise in your reply. Thanks. (Neisse)
As a matter of fact you are right! :) I had several apps in my console and yes, the one I revoked the token for is gone. I thought LinkedIn had deleted it for some reason, and since I had a backup one it didn't bother me so much. Now I have an explanation. Thank you. The hunt for LinkedIn token revocation still continues ... :D (Accretion)
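Putting the two halves of this thread together: the question asks what the application itself can do on a shared computer when the provider offers no documented invalidation, and the answer above shows a revocation request of the RFC 7009 shape (client credentials and the token in a form body). The example below is added here and is not code from the question, the answer, or LinkedIn; it assumes the revocation endpoint accepts exactly the form body used in the curl request above, and the session store and the fake provider endpoint are constructed for the demonstration. The design point is that the app never trusts the provider to log the user out: it attempts revocation as a best effort, and unconditionally destroys its own server-side session, which is where the access token lives, so the browser on the shared machine holds nothing reusable.

```python
"""Application-side logout for an OAuth 2.0 client (added example).

Assumptions (not from the original page): the revocation endpoint takes the
form body shown in the answer's curl request (client_id, client_secret,
token); SessionStore and FakeRevocationEndpoint are constructed stand-ins.
"""
import secrets
from urllib.parse import parse_qs, urlencode

# Endpoint from the answer above; the request shape matches RFC 7009.
REVOKE_URL = "https://www.linkedin.com/oauth/v2/revoke"
FORM = "application/x-www-form-urlencoded"


def build_revocation_request(client_id, client_secret, token):
    """Return (url, headers, body_bytes) for the revocation POST.

    Credentials and the token travel in the body, never in the URL or a
    header, so they do not land in proxy or access logs.
    """
    body = urlencode(
        {"client_id": client_id, "client_secret": client_secret, "token": token}
    ).encode()
    return REVOKE_URL, {"Content-Type": FORM}, body


class SessionStore:
    """Server-side sessions keyed by a random id (constructed for the example).

    The browser only ever holds the opaque id; the provider access token stays
    here. Dropping the session therefore makes the token unusable through this
    application even if the provider still considers it valid.
    """

    def __init__(self):
        self._sessions = {}

    def create(self, user_id, access_token):
        sid = secrets.token_urlsafe(32)  # 256-bit, unguessable
        self._sessions[sid] = {"user_id": user_id, "access_token": access_token}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        return self._sessions.pop(sid, None)


def logout(store, sid, client_id, client_secret, transport):
    """Log the user out of *this* application.

    1. Destroy the local session first: the shared-computer user is logged
       out of the app no matter what happens next.
    2. Best-effort revocation at the provider via `transport(url, headers,
       body) -> status`. A 200 is not proof of anything: RFC 7009 section
       2.2 has the server answer 200 even for tokens it never issued.
    Returns (provider_revocation_returned_200, local_session_destroyed).
    """
    session = store.destroy(sid)
    if session is None:
        return False, False  # unknown or already-destroyed session
    url, headers, body = build_revocation_request(
        client_id, client_secret, session["access_token"]
    )
    try:
        revoked = transport(url, headers, body) == 200
    except Exception:  # provider down or unreachable: still logged out locally
        revoked = False
    return revoked, True


class FakeRevocationEndpoint:
    """Constructed stand-in for the provider, used as the `transport`.

    Records each form it receives and forgets tokens it knows about; answers
    200 regardless of whether the token was known, as RFC 7009 prescribes.
    """

    def __init__(self, valid_tokens=()):
        self.valid_tokens = set(valid_tokens)
        self.seen = []

    def __call__(self, url, headers, body):
        if headers.get("Content-Type") != FORM:
            return 400
        form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
        self.seen.append(form)
        self.valid_tokens.discard(form.get("token"))
        return 200


if __name__ == "__main__":
    store, provider = SessionStore(), FakeRevocationEndpoint({"tok-A"})
    sid = store.create("user-1", "tok-A")
    print(logout(store, sid, "CLIENT_ID", "CLIENT_SECRET", provider))  # (True, True)
    print(store.get(sid), provider.valid_tokens)  # None set()
```

One caveat the comments above raise and this code cannot detect: if the credentials used belong to the app's own developer account, the provider may treat the call as the owner removing their own authorization, with the side effect reported there. Test revocation against a separate test account, and treat the local session destruction, not the provider's 200, as the security guarantee.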
