OAuth - now for Authentication
Would you like your users to "Login with LinkedIn" on your site? It's now possible!
Last week we deployed an important upgrade to our OAuth infrastructure at LinkedIn that makes life easier for our LinkedIn Developers and Members. The authorization and login process has been streamlined especially for developers that want to use LinkedIn as a sign-in service. LinkedIn members will find an easier, simpler way to quickly authorize LinkedIn applications.
Authentication: Login with LinkedIn
For sites that primarily use LinkedIn for authentication (e.g. by showing users a "Login with LinkedIn" button), we now offer an alternative to the normal OAuth authorization flow:
This 'authenticate' endpoint functions identically to the authorization endpoint except for one scenario. If the following are all true:
- The current user is logged into LinkedIn.
- The current user has already granted an access token to the requesting application.
- The access token has not expired.
Then we will automatically (and immediately) redirect to the callback URL you specify, without interruption. This provides a great user experience - just a one-click login! If any of the above conditions are not true, the member will see the normal authorization flow.
To provide a consistent user experience across sites which leverage LinkedIn for authentication, we created four standard buttons. Please use them so that your users (and our users) benefit from a familiar LinkedIn experience across the web.
User Interface Changes
If you already have your own account infrastructure, we're still looking out for you. We often see sites send already-authorized users through our OAuth authorize flow. Perhaps the remote site lost the token or never persisted it. This situation results in users being asked for username/passwords again and again, with a new token created every time (a frustrating process, to be sure).
So, we've made some improvements here. Instead of requiring the user to login every time and create a new access token, we now allow the user to reuse an existing access token and quickly return to the site. In most cases the user simply needs to click 'Continue' and they are back at your site immediately.
As part of this streamlining process (and to leverage cookie persistence), we changed the OAuth authorization url to live on the www subdomain of linkedin.com:
We recommend that all developers switch to this as soon as possible. To help you auto-configure your application, we also return the current authorization URL as part of the requestToken response as the xoauth_request_auth_url parameter.
We have subtly changed the behavior when the user presses the Cancel button in the authorization flow. In prior releases we always sent the user to the "Integration URL" you defined for your application. Now, if that URL is blank, we redirect to the OAuth callback URL. However, we do not send a token or secret. Instead your callback will include the URL parameter oauth_problem with the value user_refused.
Token Expiration Times
Some of our endpoints now return the expiration time of the token. The requestToken response now includes the oauth_expires_in parameter. The value of this is the number of seconds remaining for the token. We'll be adding this to the accessToken response in a future release.
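As an added example (not LinkedIn's code), here is a Python sketch of the consumer side of the requestToken, Cancel-button and expiration changes described above: it stores an absolute expiry derived from oauth_expires_in, follows xoauth_request_auth_url instead of a hard-coded URL, and treats oauth_problem=user_refused as a cancel before looking for a token. The sample response body, token values and authorization path are constructed placeholders, and oauth_verifier is the standard OAuth 1.0a callback parameter, which this post does not name.

```python
import time
from urllib.parse import parse_qs, quote, urlparse

# Constructed sample requestToken response body (form-encoded) with the fields
# this post describes; token values and the authorization path are placeholders.
SAMPLE_REQUEST_TOKEN_BODY = (
    "oauth_token=EXAMPLE_TOKEN&oauth_token_secret=EXAMPLE_SECRET"
    "&oauth_callback_confirmed=true&oauth_expires_in=599"
    "&xoauth_request_auth_url=https%3A%2F%2Fwww.linkedin.com%2FPLACEHOLDER_PATH"
)

def parse_request_token_response(body, now=None):
    """Persistable record: oauth_expires_in is seconds *remaining*, so store an
    absolute expiry; keep xoauth_request_auth_url instead of hard-coding a URL."""
    now = time.time() if now is None else now
    fields = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if "oauth_token" not in fields or "oauth_token_secret" not in fields:
        raise ValueError("requestToken response lacks token or secret")
    expires_in = int(fields.get("oauth_expires_in", "0"))
    return {
        "token": fields["oauth_token"],
        "secret": fields["oauth_token_secret"],
        "expires_at": now + expires_in if expires_in > 0 else None,
        "auth_url": fields.get("xoauth_request_auth_url"),
    }

def authorization_redirect(record, now=None):
    """URL to send the browser to, or None once the request token has expired
    (then fetch a fresh request token instead of redirecting)."""
    now = time.time() if now is None else now
    if record["expires_at"] is not None and now >= record["expires_at"]:
        return None
    return f"{record['auth_url']}?oauth_token={quote(record['token'])}"

def handle_callback(callback_url, stored):
    """A cancelled authorization arrives as oauth_problem=user_refused with no
    token, so check that first; a token not matching the stored one is rejected."""
    query = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    problem = query.get("oauth_problem")
    if problem == "user_refused":
        return {"status": "refused"}
    if problem:
        return {"status": "error", "problem": problem}
    token, verifier = query.get("oauth_token"), query.get("oauth_verifier")
    if not token or not verifier:
        return {"status": "error", "problem": "missing_parameters"}
    if token != stored["token"]:
        return {"status": "error", "problem": "token_mismatch"}
    return {"status": "authorized", "token": token, "verifier": verifier}
```

Checking the callback token against the stored request token keeps an unrelated or stale token from completing your login flow; a refused or expired result should start a new requestToken call rather than replay the old one.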
You can now invalidate an OAuth token for your application. Just send an OAuth signed GET request to:
A 200 response indicates that the token was successfully invalidated.
And of course, send us your feedback and show off your apps!