Getting an OAuth Token


OAuth Requests

There are several ways to create OAuth requests.  We strongly suggest that you use one of the existing OAuth libraries rather than trying to "roll your own".


When using one of the OAuth libraries, you don't really need to know the specifics of the authentication process beyond the basic flow.  However, if you're interested in knowing more about the process, it is detailed here.

Request a requestToken

This request is made with a POST request to https://api.linkedin.com/uas/oauth/requestToken

For the requestToken step, the following components should be present in your string to sign:

POST request
oauth_callback (optional)
oauth_consumer_key
oauth_nonce
oauth_signature_method
oauth_timestamp
oauth_version

Example response:

oauth_token=94ab03c4-ae2c-45e4-8732-0e6c4899db63&oauth_token_secret=be6ccb24-bf0a-4ea8-a4b1-0a70508e452b&oauth_callback_confirmed=true&oauth_expires_in=599

Redirect the Member to our Authorization Server

Use the requestToken to forward the member to our authorization server, where they'll authorize your application. Because LinkedIn runs on OAuth 1.0a, you must not add an oauth_callback parameter to this step. You need only forward the member to one of our authorization URLs with your requestToken specified as a query parameter called "oauth_token".

Which URL you should use depends on whether you are using LinkedIn for authentication in your application or if you have your own user authentication system.  Read the OAuth Overview and LinkedIn Details section on Authorization Paths to determine which path you should use for authorization.

The callback for this request will do the following:

  • Redirect to the oauth_callback parameter given in the request with the oauth_token and oauth_verifier information
  • If oauth_callback is not set, send the same information back to the "OAuth Callback URL" set for your application (see the OAuth Overview and LinkedIn Details section on Application Settings for more information)
  • If neither is set, or if the oauth_callback is set to 'oob', the user will get an "out-of-band" experience (generally used for applications running outside of a web browser), where they will get the oauth_verifier as a PIN which they need to input into your application to complete the authorization process.

You'll want to temporarily store the oauth_verifier so that you can use it as part of your accessToken request in the next step.  The oauth_token is the same requestToken you received in the first step.

In the examples used so far, the callback specified in the requestToken step would receive a request like this: http://localhost/oauth_callback?oauth_token=94ab03c4-ae2c-45e4-8732-0e6c4899db63&oauth_verifier=98295

If the member chooses to deny access to your application (by pressing the Cancel button in the authorization flow), we redirect them back to your server. We send them to either the "Integration URL" you defined for your application or, if that value is blank, the OAuth callback URL you passed in your request.  However, we do not send a token or secret. Instead, your callback will include the URL parameter oauth_problem with the value user_refused.

Request the Access Token

We're almost done with the authorization dance. This is the last step where you obtain an access token that actually gives you the agency to make requests on behalf of the LinkedIn member.

This request is made with a POST request to https://api.linkedin.com/uas/oauth/accessToken

For the accessToken step, the following components should be present in your string to sign:

POST request
oauth_consumer_key
oauth_nonce
oauth_signature_method
oauth_timestamp
oauth_token
oauth_verifier
oauth_version
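
The string to sign for the requestToken and accessToken steps listed above, built and signed as an added example (not LinkedIn's code and not part of the original page). It assumes HMAC-SHA1 as the oauth_signature_method and the standard OAuth 1.0a base-string rules; the consumer key and secret, nonce and timestamp are constructed, while the token, token secret and verifier are the sample values shown on this page.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

BASE_URL = "https://api.linkedin.com/uas/oauth/"  # endpoints named on this page


def pct(value: str) -> str:
    """OAuth 1.0a percent-encoding: everything except A-Z a-z 0-9 - . _ ~"""
    return quote(value, safe="")


def base_string(method: str, url: str, params: dict) -> str:
    """String to sign: METHOD & encoded URL & encoded, sorted parameter list."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 keyed with 'consumer_secret&token_secret', base64-encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


# Constructed consumer key/secret, nonce and timestamp; not real credentials.
CONSUMER_SECRET = "example-consumer-secret"
COMMON = {
    "oauth_consumer_key": "example-consumer-key",
    "oauth_nonce": "constructed-nonce-1",   # must be fresh per request in real use
    "oauth_signature_method": "HMAC-SHA1",  # assumption: not named on the page
    "oauth_timestamp": "1300000000",
    "oauth_version": "1.0",
}
# requestToken step: no token exists yet, so the token secret is empty.
REQUEST_BASE = base_string("POST", BASE_URL + "requestToken",
                           {**COMMON, "oauth_callback": "http://localhost/oauth_callback"})
REQUEST_SIG = sign(REQUEST_BASE, CONSUMER_SECRET)

# accessToken step: token, token secret and verifier are the page's sample values.
ACCESS_BASE = base_string("POST", BASE_URL + "accessToken",
                          {**COMMON, "oauth_token": "94ab03c4-ae2c-45e4-8732-0e6c4899db63",
                           "oauth_verifier": "98295"})
ACCESS_SIG = sign(ACCESS_BASE, CONSUMER_SECRET, "be6ccb24-bf0a-4ea8-a4b1-0a70508e452b")

if __name__ == "__main__":
    print(REQUEST_BASE, REQUEST_SIG, ACCESS_BASE, ACCESS_SIG, sep="\n")
```

The callback URL is encoded twice in the base string (once as a parameter value, once with the whole parameter list), which is the usual cause of signature mismatches in hand-rolled implementations.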

The response to your accessToken request contains your accessToken in the "oauth_token" field, along with an oauth_token_secret.

Example response:

oauth_token=f862f658-ad89-4fcb-995b-7a4c50554ff6&oauth_token_secret=a252d40e-f7f0-4f31-a362-3451e168d5a5

You now have an access token and can make LinkedIn API calls. Please keep the user access tokens secure, as agreed upon in our APIs Terms of Use.

OAuth Documentation