LinkedIn Platform: now with more ways to authenticate
April 29, 2010
Code Alert! This is a part of our continuing series on Developers at LinkedIn, syndicated from our Developer blog. If this isn’t your cup of code, check back tomorrow for regular LinkedIn programming. In the meantime, check out some of our recent feature announcements, tips and tricks, or success stories.
Would you like to offer "Login with LinkedIn" on your site? It's now possible!
Last week we deployed an important upgrade to our OAuth infrastructure at LinkedIn that makes life easier for our LinkedIn Developers and Members. The authorization and login process has been streamlined, especially for developers who want to use LinkedIn as a sign-in service. LinkedIn members will find an easier, simpler way to quickly authorize LinkedIn applications.
Read on for all the technical details.
Authentication: Login with LinkedIn
For sites that primarily use LinkedIn for authentication (e.g. by showing users a "Login with LinkedIn" button), we now offer an alternative to the normal OAuth authorization flow:
This authenticate endpoint functions identically to the authorization endpoint except for one scenario. When the following conditions are all true, we will automatically (and immediately) redirect to your application.
- The current user is logged into LinkedIn.
- The current user has previously granted access to the requesting application.
- The access token has not expired.
This provides a great user experience: just a one-click login! If any of the above conditions are not true, the member will see the normal authorization flow.
User Interface Changes
If you already have your own account infrastructure, we're still looking out for you. We often see sites send already-authorized users through our OAuth authorize flow. Perhaps the remote site lost the token or never persisted it. This situation results in users being asked for username/passwords again and again, with a new token created every time (a frustrating process, to be sure).
So, we've made some improvements here. Instead of requiring the user to log in every time and create a new access token, we now allow the user to reuse an existing access token and quickly return to the site. In most cases the user simply needs to click 'Continue' and they are back at your site immediately.
As part of this streamlining process (and to leverage cookie persistence), we changed the OAuth authorization URL to live on the www subdomain of linkedin.com:
We recommend that all developers switch to this as soon as possible. To help you autoconfigure your application, we also return the current authorization URL as part of the requestToken response as the xoauth_request_auth_url parameter.
Clicking on Cancel
We also changed the behavior when the user presses the Cancel button in the authorization flow. In prior releases we always sent the user to a single "Integration URL" defined for each application. We now offer the option to redirect to the OAuth callback URL instead: just leave your Integration URL blank. Your callback will not be called with a token or secret. Instead, your callback will include the URL parameter oauth_problem with the value user_refused.
Token Expiration Times
Want to know how long a token is valid for? Until now your application had no hints about the validity length. Some of our endpoints now return the expiration time of the token. The requestToken response now includes the oauth_expires_in parameter. The value of this is the number of seconds remaining for the token. We'll be adding this to the accessToken response in a future release.
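Here is one way a consumer might handle the three response details described above (xoauth_request_auth_url, oauth_problem=user_refused and oauth_expires_in). This is an added example, not LinkedIn's code: the function names, the sample token values, the placeholder URL path and the HTTPS requirement are assumptions. It checks the returned authorization URL against the expected host before any user is redirected to it.

```python
import time
from urllib.parse import parse_qs, urlsplit

AUTH_HOST = "www.linkedin.com"  # the post: authorization lives on the www subdomain
# Constructed sample response; token values and the URL path are placeholders.
SAMPLE_BODY = ("oauth_token=tok123&oauth_token_secret=sec456&oauth_expires_in=599"
               "&xoauth_request_auth_url=https%3A%2F%2Fwww.linkedin.com%2FPLACEHOLDER")


def _single(params, name, required=True):
    """Return the only value of `name`; reject duplicated parameters."""
    values = params.get(name, [])
    if len(values) > 1:
        raise ValueError(f"duplicate parameter: {name}")
    if not values and required:
        raise ValueError(f"missing parameter: {name}")
    return values[0] if values else None


def parse_request_token_response(body, now=None):
    """Parse a form-encoded requestToken response into a validated dict."""
    now = time.time() if now is None else now
    params = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    result = {"token": _single(params, "oauth_token"),
              "secret": _single(params, "oauth_token_secret"),
              "expires_at": None, "auth_url": None}
    expires_in = _single(params, "oauth_expires_in", required=False)
    if expires_in is not None:
        if not (expires_in.isascii() and expires_in.isdigit()):
            raise ValueError("oauth_expires_in must be a whole number of seconds")
        result["expires_at"] = now + int(expires_in)
    auth_url = _single(params, "xoauth_request_auth_url", required=False)
    if auth_url is not None:
        parts = urlsplit(auth_url)
        # Assumption: require HTTPS; the post itself only names the host.
        if parts.scheme != "https" or parts.hostname != AUTH_HOST:
            raise ValueError("refusing unexpected authorization URL")
        result["auth_url"] = auth_url
    return result


def handle_callback(query):
    """Return ("cancelled", None) on Cancel, else ("authorized", token)."""
    params = parse_qs(query, keep_blank_values=True)
    if _single(params, "oauth_problem", required=False) == "user_refused":
        return ("cancelled", None)
    return ("authorized", _single(params, "oauth_token"))
```

Storing expires_at next to the token lets the application discard an expired request token rather than send a user into an authorization flow that will fail.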
Now you can invalidate an OAuth token for your application. Just send an OAuth signed GET request to:
A 200 response indicates that the token was successfully invalidated.
Visit the LinkedIn Developer Network to find out more about OAuth, Authentication and all the ways you can integrate LinkedIn functionality with your application or site.