
I used this guide to build a showcase - sign in with LinkedIn into a specific site. Everything worked perfectly until I demonstrated it in front of a wide audience and it broke down :-( It was a great FAIL and I want to know why. Here is what I do:

1. On the sign in page the user may click a Sign in with LinkedIn button and is redirected to a link similar to:

https://www.linkedin.com/oauth/v2/authorization?redirect_uri=[my_callback]&client_id=[my_client_id]&response_type=code&state=[securely_random]&scope=r_basicprofile%20r_emailaddress

2. The user allows the application and is sent back to my_callback

3. In my_callback I make a POST to https://www.linkedin.com/oauth/v2/accessToken in order to obtain an access token. I use the code sent by LinkedIn, correct client ID and secret. Everything is OK, e.g. the response might be:

{
    "access_token": [access_token],
    "expires_in": 5184000
}

4. I make authenticated requests to fetch the profile data from endpoint https://www.linkedin.com/v1/people/~:(firstName,lastName,email_address)

Headers:

x-li-format: json
Authorization: Bearer [access_token]

I started to get an error 401 occasionally, e.g.:

{
  "errorCode": 0,
  "message": "Unable to verify access token",
  "requestId": "YX21AN6NZG",
  "status": 401,
  "timestamp": 1483732371224
}

It seems that some of the requests randomly passed nevertheless...

Additional details:

  • The user is logged in to LinkedIn
  • The user is an administrator for the LinkedIn application
  • I have checked the limitations (throttle limits) in the application. Available at https://www.linkedin.com/developer/apps. Everything which can be seen is green.
  • I have tried all the advice and hacks from this question
  • My app is not live

I'm puzzled!

Question: Any obvious mistake?

Question: Are there any hidden throttle limits (or security instruments) for the limitation of the number of access tokens for a specific user/app combination? (I'm always using the same user and I tested pretty aggressively before the big FAIL)

UPDATE: In the next two days the Sign in started working smoothly again as described above. No 401s anymore... :-X I've made no changes to the code base. So is this some kind of throttle limit or just LI was in a bad mood on Friday?
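The four-step flow from the question, written up as an added example (not code from the original post) that shows the two things a defender cares about here: the `state` value is verified on the callback before the code is exchanged, and a 401 "Unable to verify access token" is treated as the token being gone, not as a transient error to retry. Client ID, redirect URI and the `http_get`/`session` shapes are assumptions; the profile endpoint and headers are the ones from the question.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs, quote

AUTH_URL = "https://www.linkedin.com/oauth/v2/authorization"
PROFILE_URL = "https://www.linkedin.com/v1/people/~:(firstName,lastName,email_address)"
SCOPE = "r_basicprofile r_emailaddress"


def build_authorization_url(client_id, redirect_uri, session):
    """Step 1: mint a random state, store it server-side, build the redirect URL."""
    state = secrets.token_urlsafe(32)          # unguessable, one per login attempt
    session["oauth_state"] = state
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "scope": SCOPE}
    return AUTH_URL + "?" + urlencode(params, quote_via=quote)  # %20 like the question


def parse_callback(callback_url, session):
    """Steps 2-3: verify state before trusting the code; a mismatch is never exchanged."""
    q = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: popped even on failure
    got = q.get("state", [None])[0]
    if expected is None or got is None or not secrets.compare_digest(got, expected):
        raise ValueError("state mismatch: stale or forged callback")
    if "error" in q:
        raise ValueError("authorization refused: " + q["error"][0])
    return q["code"][0]


def fetch_profile(session, http_get):
    """Step 4: call the profile endpoint with the bearer token.

    http_get(url, headers) -> (status, body) is an assumed HTTP adapter.
    LinkedIn issues no refresh token, so on 401 the only recovery is to drop
    the stored token and send the user through sign-in again; retrying with
    the same token just repeats the 401 seen in the question.
    """
    token = session.get("access_token")
    if token is None:
        return None
    headers = {"x-li-format": "json", "Authorization": "Bearer " + token}
    status, body = http_get(PROFILE_URL, headers)
    if status == 401:
        session.pop("access_token", None)  # invalidated (e.g. user logged out of LinkedIn)
        return None
    return body
```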

Lachezar Balev

2 Answers


In case someone is curious I got an answer to my problem from LI support:

Unfortunately, we really can't assist with API issues and 3rd party apps. My guess is that there was a hiccup on Friday and you were the victim of bad timing.

I accept the explanation that I was a victim so this answers my question...

Lachezar Balev

I have an access token that worked to get data through the API, however now it has stopped working. I've carefully read LinkedIn's documentation: https://developer.linkedin.com/docs/oauth2 and have come up with why this can happen.

The docs state that the user's session is linked with the access token. Therefore, logging out of the session means the access token is invalidated. This makes sense because it's exactly what I see happening.

The oauth2 expired-at is just a timestamp of the ultimate time this access token will be valid. But it can be invalidated at any moment apparently.

Other oauth2 implementations show features for refreshing the access token; LinkedIn does not provide such a feature. Therefore, a user has to refresh it manually every time. Not sure if this is by design or they haven't got around to it yet. Overall their API feels pretty outdated.

Dennis