How to get access token that does not expire

Ben Nimmo
Joined: 2012-08-22
Aug 23, 2012
How to get access token that does not expire

Is there a method within LinkedIn that allows you to get an access token that does not expire? My current flow of authentication comes with a response saying that the oauth_authorization_expires_in = 5183999 (approx 60 days). I need to be able to obtain one that does not expire at all. Is this possible?

Adam Trachtenberg
LinkedIn Employee
Joined: 2011-06-30
Aug 23, 2012

It expires in 60 days. However, you can extend it for another 60 days using the same authorization flow. If the member is signed into LinkedIn, you will seamlessly redirect back to your application. This can happen repeatedly, as long as the member keeps using your application over the 60 day period.

Ben Nimmo
Joined: 2012-08-22
Aug 24, 2012

Thanks for the quick response.

My application can't not have this happen. I have applied to become a member of your partner program but have not heard anything back yet and I'm not sure if by doing this it will help the situation.

My application is geared up to be a complete CRM management for enterprise level companies with analytics and statistics from information from Twitter, Facebook, Google+, YouTube and hopefully LinkedIn but it's going to prove impossible if the user has to keep logging in to the system to refresh their credentials as things like nightly CRON jobs would fail.

What can I do? I really want to integrate your network in to our solution.

Joined: 2012-09-23
Sep 25, 2012

Is it possible to get a new access token that does not expire, if the member is not signed into LinkedIn?

Ben Nimmo
Joined: 2012-08-22
Sep 26, 2012

Apparently you can; this has not been proven yet. But I will be working on it in the coming days so will try to remember to update this thread when possible.

Kamyar Mohager
LinkedIn Employee
Joined: 2012-04-04
Sep 26, 2012

As Adam mentioned previously, as long as the user is still signed into LinkedIn, you can refresh their access token within the 60 day window for an access token with a new 60 day life. You can choose to do this every 58th day, for example, to get a token that will live for 60 more days and continue to do this. As long as it's within the 60 day life of the token, you can do this refresh and your user will not be aware (as long as they're logged into LinkedIn and they have a cookie).

To accomplish this refresh, you simply need to go through the Authentication flow again. In other words, have your app fetch a request token then use that to upgrade for an access token. Be sure to hit the /Authenticate endpoint and not the /Authorize endpoint (as detailed in the Authentication document). As long as the user is logged into LinkedIn and their current access token isn't expired, LinkedIn will return an access token that will have a 60 day life span. The user will not be required to login via the login dialog. In other words, it will be a seamless and background process unbeknownst to the user.

Hope that helps,
Kamyar

Kamyar Mohager
LinkedIn Employee
Joined: 2012-04-04
Oct 4, 2012

FYI, we've updated our Authentication document to be more clear on when and how to refresh the access tokens.

Thanks!
Kamyar

Joined: 2012-10-11
Oct 12, 2012

So, let's say I have a Login button. When I press it for the first time (assume that my app does not have permission to access my LinkedIn account), I should be asked if I am willing to grant access, right? (I hit the authenticate endpoint every time I press the Login button.) So when I grant access I should be given an access token with 60 days expiration time. So, when I close my app and open it let's say after two days and I press the Login button again, I should be given a new access token without asking me for permission, am I correct? If so, unfortunately I don't get a new access token, but the same token I acquired after first login, but with expiration time 5183999. Is it possible that my access token expiration time is just getting reset? Or am I doing something wrong?

Kamyar Mohager
LinkedIn Employee
Joined: 2012-04-04
Oct 12, 2012

You're doing the refresh the right way. We may return you the same access token as before or we may return you a new access token. Either way, the key here is that you're getting a new expiration time. That's the whole point when you think about it. You want to have an access token that has a new life span of 60 days. So you're doing the refresh correctly.

The best way to think about it is that LinkedIn will give you an access token when you go through the refresh steps. It may be the same access token you had before (in which case you can do a check in your code so that you don't need to update your database) or it may be a brand new access token.

Joined: 2012-10-11
Oct 13, 2012

So there is nothing weird when I did the refresh about 10 times one after another and I still got the same token every time? And one more question to be 100% clear about the whole process: with the refreshed/renewed access token I also get a refreshed/renewed access token secret, am I correct?

Kamyar Mohager
LinkedIn Employee
Joined: 2012-04-04
Oct 14, 2012

So both the access token and the access token secret could be the same as you had before. However, their expiration will be refreshed back to 60 days (in seconds). In other words, you could potentially have the same token/secret but now the life span will be reset to extend for another 60 days. So no, there's nothing weird when you did a refresh and got back the same token and secret.

Hope that helps,
Kamyar
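
Added example (not from LinkedIn or from any poster in this thread): the client-side bookkeeping described in the replies above, in Ruby. It tracks expiry from oauth_authorization_expires_in, flags tokens around day 58, and handles a refresh that returns the same token/secret with a new lifetime as well as one that returns a new pair. StoredToken, REFRESH_MARGIN, the function names and the sample response bodies are assumptions constructed for illustration.

```ruby
require 'uri'

# One member's stored OAuth 1.0a credential (field names are hypothetical).
StoredToken = Struct.new(:token, :secret, :expires_at)

# Refresh two days before expiry, i.e. around day 58 of a 60-day token.
REFRESH_MARGIN = 2 * 24 * 3600

# Parse the form-encoded body of an access-token response and validate it
# before anything is written to the credential store.
def parse_token_response(body)
  params = URI.decode_www_form(body).to_h
  required = %w[oauth_token oauth_token_secret oauth_authorization_expires_in]
  missing = required.reject { |k| params[k] && !params[k].empty? }
  raise ArgumentError, "missing fields: #{missing.join(', ')}" unless missing.empty?

  ttl = Integer(params['oauth_authorization_expires_in'], 10)
  raise ArgumentError, 'lifetime must be positive' unless ttl.positive?

  { token: params['oauth_token'], secret: params['oauth_token_secret'], ttl: ttl }
end

# :ok          - nothing to do yet
# :refresh_due - still valid, inside the refresh window; re-run the flow the
#                next time the member is present in a browser session
# :expired     - silent refresh is no longer possible; the member must
#                authorize again, so background jobs should skip this member
def token_state(stored, now)
  return :expired if now >= stored.expires_at
  return :refresh_due if now >= stored.expires_at - REFRESH_MARGIN

  :ok
end

# Apply a refresh response. The expiry is always moved forward; the return
# value says whether token or secret changed and must be rewritten in storage.
def apply_refresh(stored, body, now)
  fresh = parse_token_response(body)
  rotated = fresh[:token] != stored.token || fresh[:secret] != stored.secret
  stored.token = fresh[:token]
  stored.secret = fresh[:secret]
  stored.expires_at = now + fresh[:ttl]
  rotated
end

# Constructed sample response bodies (not captured from LinkedIn).
SAME_BODY = 'oauth_token=tok-A&oauth_token_secret=sec-A' \
            '&oauth_authorization_expires_in=5183999'
NEW_BODY  = 'oauth_token=tok-B&oauth_token_secret=sec-B' \
            '&oauth_authorization_expires_in=5183999'
```

A nightly job can call token_state for each stored credential and skip members in the :expired state instead of sending requests that will be rejected.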

Joined: 2012-10-11
Oct 15, 2012

It helped a lot, big thanks!

Kamyar Mohager
LinkedIn Employee
Joined: 2012-04-04
Oct 15, 2012

Awesome. Yes, the refresh procedure can be a bit confusing at first but hopefully the updated docs and explanation will help others out as well.

- Kamyar

Emily Glass
Joined: 2012-10-25
Nov 13, 2012

I have a question: when (exact date) was the change released to make token expire after 60 days? I thought it was August 6th, however I am seeing tokens created after that date continue to live even today...so I'm thinking maybe the change went out a bit later? Anyone know the exact date the token life was changed? Thanks.

Tim Drijvers
Joined: 2011-11-30
Jan 31, 2013

Are there any further details on this matter?

Kamyar Mohager
LinkedIn Employee
Joined: 2012-04-04
Jan 31, 2013

Any API key (so the key used by the application itself) that was created after August 7th is bound to this 60 day lifespan. In other words, if your API key was registered after Aug 7th and you created an access token, that token has a 60 day life.

Your API key probably hasn't been migrated yet, that's why the access tokens are long lived. Easiest way to confirm this is to see if the OAuth dialog is the old style (that doesn't present member permissions to the user) or by going to your developer page to view the application's configuration and see if "Use Member Permissions" is checked. If it's not checked, your key isn't migrated yet.

Paul Lewis
Joined: 2013-01-29
Feb 5, 2013

Hi all,
I am using Scribe for my LinkedIn App. I want to refresh my token every 58 days after authentication.
I am using this code to get a new Token, but it is not working. Please help.

OAuthService service = new ServiceBuilder()
    .provider(LinkedInApi.class)
    .apiKey("API_KEY")
    .apiSecret("API_SECRET")
    .debug()
    .scope("r_fullprofile r_emailaddress r_network r_contactinfo rw_nus rw_groups w_messages")
    .build();
Token accessTokenUser = new Token("ABDCDGD", "XYZABDC");
Token requestToken = service.getRequestToken();
OAuthRequest request = new OAuthRequest(Verb.POST, service.getAuthorizationUrl(requestToken));
service.signRequest(requestToken, request);
Response response = request.send();

The response contains HTML, not the token and secret.

nerya cohen
Joined: 2012-12-03
Feb 17, 2013

Hi!
I try to refresh the access token with these lines:

consumer = OAuth::Consumer.new(LINKED_IN_CONFIG['api_key'], LINKED_IN_CONFIG['secret_key'], @@config)
access_token = OAuth::AccessToken.new(@@config, user.linkedin_token, user.linkedin_secret)

I get back these lines, but the "params" field is empty, so I couldn't see the field "oauth_expires_in" to check that it really refreshed the token:
#<OAuth::AccessToken:0x***********
@consumer=
{:site=>"https://api.linkedin.com",
:authorize_path=>"/uas/oauth/authenticate",
:request_token_path=>
"/uas/oauth/requestToken?scope=r_basicprofile+r_fullprofile+r_network+r_emailaddress+r_contactinfo+rw_groups+rw_nus",
:access_token_path=>"/uas/oauth/accessToken"},
@params={},
@secret="********************",
@token="*******************">

Any advice??
Thanks!

omkumar dheewar
Joined: 2013-03-21
Mar 23, 2013

How to get access token in JavaScript page

Shikha A. Sehgal
LinkedIn Employee
Joined: 2012-07-27
Mar 25, 2013

hey Omkumar:

Please refer to our JavaScript API docs to learn how to use them. You do not need to get an access token in order to use the JavaScript APIs, that process is done in the background once the user authenticates your application.

Joined: 2013-03-28
Mar 28, 2013

Hi,

Since I am new to this, can anyone assist me on "What is the procedure for getting the Access Token"?

Thank you

Shikha A. Sehgal
LinkedIn Employee
Joined: 2012-07-27
Mar 28, 2013

hey Nazima:

Follow the steps given in our Authentication guide, that explains how to create a new app, get access tokens and then make a LI API call.

Joined: 2013-03-28
Mar 28, 2013

Hi Shikha,
My Project is something like this.
I have a WebPage; when a User logs into that WebPage he should be able to view his LinkedIn profile as well as his Friends' Profiles, and we are developing that application using Java.
Using Source Code I need to access the public Profiles.
Please guide whether I can get this information.

Regards,
Nazima

Shikha A. Sehgal
LinkedIn Employee
Joined: 2012-07-27
Apr 1, 2013

hey Nazima:

You can access public profiles of logged in users as explained in our Profile API doc. Go through our Connections API doc to understand how you can access certain profile fields of user's connections.

In general, our documents are quite detailed and will guide you on how you can use different APIs that we offer for your particular use case. Hope this helps.

Sheikh Azad
Joined: 2010-03-18
Apr 18, 2013

I am using oauth2 to authenticate users. I am storing their access tokens. But when they come back to the website, when we try to access the user's account with the stored token, it always fails. I get error HTTP code 401. But after the authentication the same code works fine.

Do you have any documentation to show how we can authenticate those users who have authorized thru the oauth2 endpoint authorize?

Shikha A. Sehgal
LinkedIn Employee
Joined: 2012-07-27
Apr 22, 2013

hey Ben:

For the safety of our members' data, all access tokens expire after 60 days. You can however extend the tokens in increments of 60-days, for more details refer to this doc - http://developer.linkedin.com/documents/handling-errors-invalid-tokens

Shikha A. Sehgal
LinkedIn Employee
Joined: 2012-07-27
Apr 22, 2013

hey Sheikh:

An oauth2 access token is valid for 60 days and if the user comes back to your app after that duration then the access token is expired and will fail. You can extend the token in increments of 60-days, for more details refer to this doc - http://developer.linkedin.com/documents/handling-errors-invalid-tokens

Claudio Pomo
Joined: 2013-04-02
Jun 18, 2013

Hi, is it possible to do this with the Spring Social API for LinkedIn?

Venkatrao Kannam
Joined: 2013-04-17
Jun 19, 2013

Hi,
http://api.linkedin.com/v1/people/id=abcdefg
Could somebody please help me with where I can get the id for this URL?

Rajesh D.T
Joined: 2013-06-06
Jun 20, 2013

Hi,
Anyone knows if you can use the same API key that was created to make API calls from server side code; in the Javascript API calls too?
I am getting an invalid Api key javascript error. This API key works fine in my server side code as I have a valid access token generated from this API key. Any ideas?
I've added my Javascript API domain name as http://localhost. Not sure if this is correct.

Joined: 2013-06-06
Jun 26, 2013

How to post in group of LinkedIn made by a user by using syndication from our application.

Parth Barot
Joined: 2012-06-25
Jul 15, 2013

Hi everyone,

We are using the LinkedIn API to fetch user data, and we have the user's token/secret. We connect to LinkedIn using these token/secret and fetch the user's data.

Now, as it is mentioned, the user token expires in 60 days once it's generated. In our app, the user may not be logging in again but the application itself runs in background to analyze the data.

Do we have anything in the API, which can provide support to regenerate/refresh the token/secret pair for the next 60 days? Facebook has such a facility, where we can call the API with the current token and it returns with the new ones.

Please help, this is really bugging us.

Parth

Joined: 2013-07-15
Jul 16, 2013

Hi,
From my knowledge it is not possible... they want the user to be logged in... for us it is also something which requires us to change application behaviour.
Best Regards
Aleksandra

Joined: 2012-03-01
Jul 31, 2013

Parth/Aleksandra,

Have you guys been able to work around this problem? Our app (Android as well as iOS) allows users to sign in to LinkedIn but now that tokens expire in 60 days, I am struggling to figure out how to renew the token without affecting the user experience. If you guys have any ideas, please share on this forum.

Subra

Joined: 2012-03-01
Jul 31, 2013

Kamyar,

This is in reference to post #6. Maybe I am missing something here, but what you recommend in your post ("Be sure to hit the /Authenticate endpoint and not the /Authorize endpoint") and what is documented in the Authentication document are completely out of sync. The authentication document doesn't talk about exchanging the authorization token for an access token but to get an authorization token, one HAS to hit the authorize url first.

Why is the documentation and the responses from LinkedIn partner engineers so confusing? What I and many others like myself, are trying to do is nothing new or out of the ordinary. We are just trying to renew a token before it expires in a way that is transparent to the user. And as you can imagine, most of us are trying to do this on the mobile platform rather than in a web app.

So I have 2 requests/questions for you:

1. Does LinkedIn plan on adding an API call for renewing the access token which doesn't require developers to jump thru all these hoops? Something like what Facebook offers for token renewal.
2. In the absence of above, can you please create a detailed doc that walks us thru the process of renewing a non expired, valid token? Pseudo code, request/responses will be super helpful.

Thanks,
Subra

Phil Kells
Joined: 2012-02-08
Aug 20, 2013

If I'm understanding all of this correctly... let's say I have a scenario whereby some of my users only need to interact with the LinkedIn API (i.e. post an update) a few times a year (say twice) - in absence of another process that renews their token every 59 days, regardless of the user wanting to access the integration or not - these users would need to re-authorise my LinkedIn app every time they try and use the integration assuming it was more than 60 days between uses ???

I'm really hoping I have this wrong...

Joined: 2012-03-01
Aug 22, 2013

Phil, your understanding is correct.

Aleksandra Studenna
Joined: 2013-07-10
Aug 23, 2013

Hi, It should be said and written in the manual. With the new change it is not possible to renew the access token without the user logged in. If you are able to store username/password then maybe it is possible. My problem is that we don't have access to user accounts.
Best Regards
Aleksandra Studenna

Blake Acheson
Joined: 2012-04-12
Aug 27, 2013

While I understand the concept behind this decision (reducing spam etc.) this cripples the API to the point of uselessness for a lot of use-cases. Not to mention, this completely deviates from all other social network APIs that readily provide indefinite offline access. I really hope LinkedIn revisits this issue.

Adam Trachtenberg
LinkedIn Employee
Joined: 2011-06-30
Aug 27, 2013

Blake --

Thanks for understanding the reasons behind this. As far as I know, Facebook has a similar policy (with a few exceptions for desktop/mobile/ads):

https://developers.facebook.com/roadmap/offline-access-removal/

Do you see different behavior or am I looking at an out of date page?

Rafael Gomes de Oliveira
Joined: 2013-08-28
Aug 28, 2013

Adam,

With the Facebook API I can make calls using the secret key of the app and the user id, therefore the user's access token is not necessary once it has authorized the application.

Is there something similar in the LinkedIn API?

Ricky Ricky Bell
Joined: 2013-06-18
Sep 6, 2013

#37 Subra Aswathana: I agree completely. Will LinkedIn reflect some day that too many people are having troubles with the way refreshing tokens work?

Om Deshpande
Joined: 2012-01-21
Sep 11, 2013

Why not encourage users to de-authorize spammy apps themselves, instead of penalizing all app developers and users with this 60 day rule? This just complicates things for everyone.

Lee Fu
Joined: 2013-06-19
Sep 11, 2013

We are always looking to improve our API to create an experience which will be the best balance of both worlds for developers, users, and LinkedIn. As of now there is no way to get a token that never expires. However the refresh process is straightforward and should be the way to implement applications from now on.

https://developer.linkedin.com/documents/handling-errors-invalid-tokens

As this thread is resolved it will be closed for comments.

Thanks,
-Lee

Topic locked