By providing valid LinkedIn credentials and clicking on the "Allow Access" button, the user is approving your application's request to access their member data and interact with LinkedIn on their behalf. This approval instructs LinkedIn to redirect the user back to the callback URL that you defined in your redirect_uri parameter.
Attached to the redirect_uri will be two important URL arguments that you need to read from the request:
- code — The OAuth 2.0 authorization code.
- state — A value used to test for possible CSRF attacks.
The code is a value that you will exchange with LinkedIn for an actual OAuth 2.0 access token in the next step of the authentcation process. For security reasons, the authorization code has a very short lifespan and must be used within moments of receiving it - before it expires and you need to repeat all of the previous steps to request another.
Before you accept the authorization code, your application should ensure that the value returned in the state parameter matches the state value from your original authorization code request. This ensures that you are dealing with the real original user and not a malicious script that has somehow slipped into the middle of your authentication flow. If the state values do not match, you are likely the victim of a CSRF attack and you should throw an HTTP 401 error code in response.