By providing valid LinkedIn credentials and clicking on the
"Allow Access" button, the user is approving your
application's request to access their member data and interact with
LinkedIn on their behalf. This approval instructs LinkedIn to
redirect the user back to the callback URL that you defined in your
Attached to the redirect_uri will be two important URL arguments that
you need to read from the request:
  code  - The OAuth 2.0 authorization code.
  state - A value used to test for possible CSRF attacks.
The code is a value that you will exchange with LinkedIn for an actual
OAuth 2.0 access token in the next step of the authentication process.
For security reasons, the authorization code has a very short lifespan
and must be used within moments of receiving it, before it expires;
once it has expired you need to repeat all of the previous steps to
request another.
Before you accept the authorization code, your application should
ensure that the value returned in the state parameter matches the
state value from your original authorization code request. This
ensures that you are dealing with the real original user and not a
malicious script that has somehow slipped into the middle of your
authentication flow. If the state values do not match, you are likely
the victim of a CSRF attack and you should respond with an HTTP 401
error code.
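The callback handling described above, as an added example that is not part of LinkedIn's documentation or SDK: the application generates an unguessable state value when it builds the authorization request, remembers it against the user's session, and on the callback reads code and state from the redirect_uri, compares the returned state with the stored one in constant time, and answers 401 on a mismatch. The authorization endpoint constant, the in-memory session store and the session identifiers are assumptions made for the example; a real application would keep the stored state in its server-side session.

```python
import secrets
from hmac import compare_digest
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values for the example; take the real ones from your app registration.
AUTHORIZATION_ENDPOINT = "https://www.linkedin.com/oauth/v2/authorization"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://example.com/auth/linkedin/callback"

# Stand-in for a server-side session store: session id -> issued state value.
_pending_states = {}


def build_authorization_url(session_id, scope="r_liteprofile"):
    """Create the authorization code request and remember the state it carries.

    The state is 32 random bytes, so a script injected into the flow cannot
    guess it; it is stored per session so the callback can be matched to the
    browser that started the flow.
    """
    state = secrets.token_urlsafe(32)
    _pending_states[session_id] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "scope": scope,
    })
    return f"{AUTHORIZATION_ENDPOINT}?{query}"


def handle_callback(session_id, callback_url):
    """Read code and state from the redirect and validate the state.

    Returns (http_status, authorization_code); the code is None unless the
    state check passed and a code was present. The stored state is consumed
    on first use so a replayed callback is rejected as well.
    """
    params = parse_qs(urlparse(callback_url).query)
    returned_state = params.get("state", [None])[0]
    expected_state = _pending_states.pop(session_id, None)

    # No pending request, no state in the callback, or a mismatch: treat as CSRF.
    if expected_state is None or returned_state is None:
        return 401, None
    if not compare_digest(expected_state.encode(), returned_state.encode()):
        return 401, None

    code = params.get("code", [None])[0]
    if code is None:
        # State was fine but LinkedIn sent no code (e.g. the user denied access).
        return 400, None

    # The code is short-lived: exchange it for an access token immediately
    # (the token exchange itself is the next step and is not shown here).
    return 200, code


if __name__ == "__main__":
    url = build_authorization_url("session-abc")
    issued_state = _pending_states["session-abc"]
    # Constructed callback, as the browser would deliver it after "Allow Access".
    callback = f"{REDIRECT_URI}?code=CONSTRUCTED_CODE&state={issued_state}"
    print(handle_callback("session-abc", callback))   # (200, 'CONSTRUCTED_CODE')
    print(handle_callback("session-abc", callback))   # (401, None): state already consumed
```

The state is popped from the store on first use, so the same callback cannot be replayed, and the comparison goes through hmac.compare_digest so that a wrong guess does not leak how many leading characters matched.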