Permission scope in request token query not working

Adam Trachtenberg
LinkedIn Employee
Joined: 2011-06-30
Aug 22, 2012

John Gotts --

I was told we do allow and ignore the scope parameter for older keys. I can't test this easily myself right now, but let me know if you're seeing otherwise.

In the meantime, I've had no problems using the pecl OAuth library. What PHP libraries are you using? I can see if I can reproduce this and assist.

Joined: 2011-07-20
Aug 23, 2012

Hi, Adam,

Thanks. The very old OAuth that we use for Twitter, Tumblr, Facebook, LinkedIn, ... came circa June 2010 with Twitter SDK - open source under an MIT license. I will replace with the pecl OAuth library. [one less "mod" is always good.]

I will re-test the case of using the scope parameter w/ old api key and let you know if my first impression was correct.

Regards,
John Wm

Joined: 2011-07-20
Aug 23, 2012

Adam,

I just got a chance to re-test my finding about not-backward-compatible. However, in fairness, since I'm not using the latest SDK from LinkedIn, I should attempt to use it before reporting. I might not be able to report back until tomorrow.

Sabuj Kundu
Joined: 2011-07-18
Aug 24, 2012

Hi, if I want to add more scopes, what should the line be?
$token = $this->consumer->getRequestToken(array('scope' => 'r_contactinfo'));

Joined: 2011-07-20
Aug 24, 2012

Adam,

I dusted off linkedin_3.2.0.class.php sdk + demo and used my recently-acquired api credentials to test the new scope approach, with the idea of then using an old api key to test backward compatibility.

I was able (briefly) to make the 3.2.0 demo work by appending ?scope=...+...+... to self::_URL_REQUEST in retrieveTokenRequest method, and converting + to space in the scope parameter value in OAuthRequest _construct for use in the signature.

That appeared to be a solution for the 3.2.0 demo, until I tried to post a share, which failed indicating (in content.php of the demo) that spaces in oauth parameters are invalid. This seemed like a re-incarnation of the original content.php script with filler oauth key & secret, but it wasn't the case.. they were properly filled. Then things deteriorated with "bad signature" returned from LinkedIn on most future requests.

Is it possible that testing (getting authorization, revoking it, re-getting it) is causing LinkedIn to respond differently -- maybe caching state instead of starting from scratch?

I will continue my attempt to get the demo code running consistently with scope specified, and then test the backward compat question.

Joined: 2011-07-20
Aug 25, 2012

Adam - I've determined that scope is allowed (and properly ignored) for use of api w/ old keys (glad I was wrong).

Joined: 2011-07-20
Aug 25, 2012

I believe this will be my final reply on the issue of how to get the scope parameter to work consistently for those who might not be using pecl OAuth..

This hack is seriously not satisfying. One element of the solution is to append ?scope=....+...+... to the requestToken url as a query string (as specified in http://developer.linkedin.com/documents/authentication). The other element is "proper" translation of + to either a space or %20, depending on the context, in the OAuthUtil::urlencode_rfc3986 method. If any of the request scope parameters are present in the string being encoded, assume this is the requestToken case and translate the + to a %20. Otherwise, translate it to a space. This permits the LinkedIn end of OAuth to be satisfied for the requestToken signature, and avoids another type of error regarding spaces not permitted in OAuth parameters which occurs when doing other stuff, such as getting network updates..

I've seen some other blogging at LinkedIn suggesting that another option is to separate the scope parameters with commas, but that led to other hacks. Good luck.

Adam Trachtenberg
LinkedIn Employee
Joined: 2011-06-30
Aug 25, 2012

John --

Sorry to hear this has been so vexing. With the pecl OAuth library (pecl.php.net/oauth), all I did was:

$oauth->getRequestToken("https://api.linkedin.com/uas/oauth/requestToken?scope=r_basicprofile+r_emailaddress");

And it just worked. Is there a reason you cannot use this instead? No hacks.

Alternatively, since maybe this is unclear, but it's really a space separated list of scopes, that are URL encoded into your choice of + or %20. Both should work fine. The "+" is a URL encoded space. I know normally encoded characters look like %XX, but + is an oddball special case alias for %20. We just thought using + would be easier to read. Have you tried using that as input and seeing if everything gets encoded properly without the hacks?

Syed Shariq
Joined: 2012-05-20
Aug 26, 2012

https://api.linkedin.com/uas/oauth/requestToken?scope=r_fullprofile%20r_network%20r_emailaddress%20rw_nus

Would work.

Sabuj Kundu
Joined: 2011-07-18
Aug 26, 2012

For Zend I managed multiple scopes in this way:

$consumer->getRequestToken(array('scope' => 'r_basicprofile r_fullprofile r_network rw_nus'));

and it worked.

Davide Moraschi
Joined: 2010-08-17
Aug 27, 2012

Hi all,

I solved the issue following Jack Newcombe's advice (thanks Jack, you saved my day) and adding %26scope%3Dr_network%2520r_contactinfo%2520rw_groups to the base string.
Notice the SPACE is actually "double urlencoded" to %2520.

best regards,
Davide

Joined: 2011-08-11
Aug 27, 2012

Hi guys,

I am trying to get the email address using the C# programming language. Has any of you cracked it and got the "getting email address" part working using the REST API?

Please let me know.

Hugo Delsing
Joined: 2011-03-30
Sep 3, 2012

After a lot of testing I finally figured it out. The documentation mentions you should separate the rights with a + sign (space) but when encoding you should actually use a space and not a plus sign.

Double encoding a space can be: space > + > %2B
But what it needs to be is space > %20 > %2520
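
The two encoding layers described above, as an added example that is not part of any post in this thread: Python code that builds the OAuth 1.0a signature base string for the requestToken URL and shows what happens when the + is form-decoded to a space versus signed as a literal character. The consumer key, secret, nonce and timestamp are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote_plus, urlsplit

# Constructed sample values, not real credentials.
URL = "https://api.linkedin.com/uas/oauth/requestToken"
PARAMS = {
    "oauth_consumer_key": "EXAMPLE_KEY",
    "oauth_nonce": "0123456789abcdef",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1345700000",
    "oauth_version": "1.0",
}


def pct(value):
    """RFC 3986 encoding as OAuth 1.0a uses it: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(value, safe="-._~")


def base_string(method, url, oauth_params):
    """Signature base string for a request whose URL may carry a query string."""
    parts = urlsplit(url)
    params = dict(oauth_params)
    # The query is form-encoded, so '+' and '%20' both decode to a space.
    for pair in filter(None, parts.query.split("&")):
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    # First layer: encode every name and value, sort, join with '&'.
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    # Second layer: encode the joined string, which turns %20 into %2520.
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature over the base string, base64-encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


if __name__ == "__main__":
    scopes = "r_basicprofile+r_emailaddress"
    decoded = base_string("POST", f"{URL}?scope={scopes}", PARAMS)
    # Failure mode: the '+' is signed as a literal character instead of a space.
    literal = base_string("POST", URL, {**PARAMS, "scope": scopes})
    for label, base in (("decoded", decoded), ("literal +", literal)):
        print(label, base.rsplit("%26", 1)[1], sign(base, "EXAMPLE_SECRET"))
```
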

Cong Peijun
Joined: 2012-08-09
Sep 6, 2012

I use the new key and it's ok.

Joined: 2011-11-09
Sep 10, 2012

Hi,

I had to re-create my application to get access to the new login page.

Otherwise, it worked just fine.
I'm using C# with Spring.NET Social extension for LinkedIn ( http://www.springframework.net/social-linkedin/ )

Erik Herz
Joined: 2012-08-13
Sep 10, 2012

Cross-posted but just in case someone was following from this thread:

I got it. I made these two changes to the library and the demo.php respectively

const _URL_REQUEST = 'https://api.linkedin.com/uas/oauth/requestToken?scope=r_basicprofile+r_emailaddress';

$response = $OBJ_linkedin->profile('~:(id,first-name,last-name,picture-url,email-address)');

Joined: 2011-10-17
Sep 19, 2012

Hello Eugene, I'm having the same problem as you described. Can you tell me how I can create new application keys? Thanks a lot

Kamyar Mohager
LinkedIn Employee
Joined: 2012-04-04
Sep 19, 2012

Laurentiu, we've documented in several places where to create new application keys. I strongly suggest going through the getting started guide then: https://developer.linkedin.com/documents/quick-start-guide

For future reference, you can create a new API key here: https://www.linkedin.com/secure/developer

- Kamyar

Joined: 2011-10-17
Sep 19, 2012

Thanks for the quick answer, but I thought there is something more "special" to do because I have no more solutions left in my problem.
I am using "linkedin_3.2.0.class.php" library and everything works fine but when I try to ask for other permissions beside default ones like "rw_nus", it gives me this problem: "[oauth_problem] => signature_invalid".
I've tried to place this link "https://api.linkedin.com/uas/oauth/requestToken?scope=rw_nus" urlencoded or to generate new api keys but still I didn't succeed in solving the problem. Here's the answer I get when I try to retrieve the request token:
Array
(
[linkedin] => Array
(
[oauth_problem] => signature_invalid
[oauth_problem_advice] => com.linkedin.security.auth.pub.LoginDeniedInvalidAuthTokenException while obtaining request token for :POST&https%3A%2F%2Fapi.linkedin.com%2Fuas%2Foauth%2FrequestToken&oauth_callback%3Dhttp%253A%252F%252Finnergo.videoles.nl%252Fcms%252Flinkedin%252Flinkedin.php%253Faction%253Dnew%26oauth_consumer_key%3Dv9jhvt4w4lj5%26oauth_nonce%3D827f0ebac4b77bbb3954c0a00883d8c6%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1348122241%26oauth_version%3D1.0
OAU:v9jhvt4w4lj5|*01|*01|*01:1348122241:IRCtarCxlE0hvE97RY5abORNbgo=
)

[info] => Array
(
[url] => https://api.linkedin.com/uas/oauth/requestToken
[content_type] => application/x-www-form-urlencoded;charset=UTF-8
[http_code] => 401
[header_size] => 977
[request_size] => 461
[filetime] => -1
[ssl_verify_result] => 0
[redirect_count] => 0
[total_time] => 0.673353
[namelookup_time] => 0.002724
[connect_time] => 0.161184
[pretransfer_time] => 0.490206
[size_upload] => 0
[size_download] => 667
[speed_download] => 990
[speed_upload] => 0
[download_content_length] => -1
[upload_content_length] => -1
[starttransfer_time] => 0.673336
[redirect_time] => 0
[certinfo] => Array
(
)

[redirect_url] =>
)

[oauth] => Array
(
[header] => Authorization: OAuth realm="",oauth_version="1.0",oauth_nonce="827f0ebac4b77bbb3954c0a00883d8c6",oauth_timestamp="1348122241",oauth_consumer_key="v9jhvt4w4lj5",oauth_callback="http%3A%2F%2Finnergo.videoles.nl%2Fcms%2Flinkedin%2Flinkedin.php%3Faction%3Dnew",oauth_signature_method="HMAC-SHA1",oauth_signature="IRCtarCxlE0hvE97RY5abORNbgo%3D"
[string] => POST&https%3A%2F%2Fapi.linkedin.com%2Fuas%2Foauth%2FrequestToken&oauth_callback%3Dhttp%253A%252F%252Finnergo.videoles.nl%252Fcms%252Flinkedin%252Flinkedin.php%253Faction%253Dnew%26oauth_consumer_key%3Dv9jhvt4w4lj5%26oauth_nonce%3D827f0ebac4b77bbb3954c0a00883d8c6%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1348122241%26oauth_version%3D1.0%26scope%3Drw_nus
)

[error] => OAuth callback URL was not confirmed by the LinkedIn end-point
[success] =>
)
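
In the dump above, the base string under [oauth][string] ends in %26scope%3Drw_nus while the one quoted in oauth_problem_advice does not. One way to find such differences, as an added example that is not part of the post: Python code that splits two signature base strings back into their parameters and reports what differs. The base strings below are constructed, shortened stand-ins modelled on that dump, with a placeholder consumer key and callback.

```python
from urllib.parse import unquote

# Constructed base string modelled on the dump above (placeholder key and callback).
COMMON = (
    "POST&https%3A%2F%2Fapi.linkedin.com%2Fuas%2Foauth%2FrequestToken&"
    "oauth_callback%3Dhttp%253A%252F%252Fapp.example%252Fcb%253Faction%253Dnew"
    "%26oauth_consumer_key%3DEXAMPLE_KEY"
    "%26oauth_nonce%3D0123456789abcdef"
    "%26oauth_signature_method%3DHMAC-SHA1"
    "%26oauth_timestamp%3D1348000000"
    "%26oauth_version%3D1.0"
)
CLIENT = COMMON + "%26scope%3Drw_nus"  # what the client signed
SERVER = COMMON                        # what the server reports it signed


def parse_base_string(base):
    """Split an OAuth 1.0a base string into (method, url, {name: value}).

    Pass only the base string itself, not any text that follows it in an error body.
    """
    method, url, params = base.strip().split("&", 2)
    decoded = {}
    # Undo the outer encoding layer, then split into name=value pairs.
    for pair in unquote(params).split("&"):
        name, _, value = pair.partition("=")
        # Undo the per-parameter layer; '+' stays literal here on purpose.
        decoded[unquote(name)] = unquote(value)
    return method, unquote(url), decoded


def diff_base_strings(client, server):
    """Return {name: (client_value, server_value)} for everything that differs."""
    c_method, c_url, c_params = parse_base_string(client)
    s_method, s_url, s_params = parse_base_string(server)
    diff = {}
    if c_method != s_method:
        diff["<method>"] = (c_method, s_method)
    if c_url != s_url:
        diff["<url>"] = (c_url, s_url)
    for name in sorted(set(c_params) | set(s_params)):
        if c_params.get(name) != s_params.get(name):
            diff[name] = (c_params.get(name), s_params.get(name))
    return diff


if __name__ == "__main__":
    # A parameter signed by the client but absent from the server's view.
    print(diff_base_strings(CLIENT, SERVER))
    # A '+' signed literally on one side and as a space on the other.
    print(diff_base_strings(COMMON + "%26scope%3Dr_network%252Brw_nus",
                            COMMON + "%26scope%3Dr_network%2520rw_nus"))
```
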

Joined: 2011-08-11
Sep 20, 2012

Thanks guys, I was able to make changes to the API calls to get access tokens, and to achieve this I have to use a new app to get the email permission scope.

I have used the endpoint to get the request token like this 'https://api.linkedin.com/uas/oauth/requestToken?scope=r_fullprofile r_emailaddress'
then used it to get access tokens, and using the API call
'https://api.linkedin.com/v1/people~:(id,emailaddress,name)&accessToken=<<MyUser'sToken>>'
got it running.
Thanks for the replies from all the other guys in the forum who contributed.

Joined: 2012-07-04
Sep 21, 2012

Thanks :) It's working fine for me. It is very important to renew the API_Key and Secret keys

Kamyar Mohager
LinkedIn Employee
Joined: 2012-04-04
Sep 21, 2012

Glad to hear it's working for you

Joined: 2012-07-24
Sep 24, 2012

https://api.linkedin.com/uas/oauth/requestToken?scope=r_basicprofile,r_contactinfo,r_fullprofile
permissions must be separated by comma

Joined: 2012-07-24
Sep 24, 2012

I worked with it and got success

bhanuprasad saketi
Joined: 2012-09-20
Sep 25, 2012

Hi... I am new to LinkedIn. I have to fetch the connections in LinkedIn. I got OAuth for LinkedIn, but I want to give the permissions for LinkedIn. In the documentation I got https://api.linkedin.com/uas/oauth/requestToken?scope=r_basicprofile+r_emailaddress but I don't know where I should write this... Please help me, anyone.

bhanuprasad saketi
Joined: 2012-09-20
Sep 25, 2012

ServletContext context=request.getServletContext();
HttpSession session=request.getSession(true);
String consumerkey=context.getInitParameter("consumerkey");
String consumersecertkey=context.getInitParameter("consumersecertkey");
//String consumerkey="zsh83d6cgqe3";
//String consumersecertkey="3G5tgc0JIzUApSTJ";
session.setAttribute("consumerkey", consumerkey);
session.setAttribute("consumersecertkey", consumersecertkey);
System.out.println(consumerkey+""+consumersecertkey);
LinkedInOauth oauth=new LinkedInOauth();
LinkedInOAuthService oauthService=oauth.getOauth(consumerkey, consumersecertkey);
String callbackUrl="http://localhost:8080/LinkedProject/CallBackUrl.jsp";

LinkedInRequestToken requestToken = oauthService.getOAuthRequestToken(callbackUrl);

System.out.println(requestToken);
//String url="https://api.linkedin.com/uas/oauth/requestToken?scope=r_network";

session.setAttribute("requestToken", requestToken);
String authUrl=requestToken.getAuthorizationUrl();

response.sendRedirect(authUrl);
}

CallBackUrl.jsp

LinkedInRequestToken requestToken = (LinkedInRequestToken) session.getAttribute("requestToken");
String oauthVerifier = request.getParameter("oauth_verifier");
System.out.println(oauthVerifier);
final LinkedInOAuthService oauthService = LinkedInOAuthServiceFactory.getInstance().createLinkedInOAuthService( consumerkey,consumersecertkey);

LinkedInAccessToken accessToken = oauthService.getOAuthAccessToken(requestToken, oauthVerifier);
final LinkedInApiClientFactory factory = LinkedInApiClientFactory.newInstance(consumerkey,consumersecertkey);
final LinkedInApiClient client = factory.createLinkedInApiClient(accessToken);

//to fetch the connections...
Person profile = client.getProfileForCurrentUser();
out.println("firstname-"+profile.getFirstName());
String url="https://api.linkedin.com/uas/oauth/requestToken?scope=r_network";
//Connections con=client.getConnectionsByUrl(url);

Now I want to fetch the connections. Where do I write the code?
Please help me...

bhanuprasad saketi
Joined: 2012-09-20
Sep 28, 2012

I am using Java in my project. How do I get access for connections and networkupdates()? Where do I use this in LinkedIn?

https://api.linkedin.com/uas/oauth/requestToken?scope=r_basicprofile+r_emailaddress
Please help me.

Joined: 2012-10-11
Oct 16, 2012

@Jens Uffhaus

I'm using the Hammock library in C# to authenticate with LinkedIn and I'm facing the infamous permission scope problem. The following is the code I'm using

var credentials = new OAuthCredentials
{
    CallbackUrl = "http://myurl:5645/Callback.aspx",
    ConsumerKey = "myconsumerkey",
    ConsumerSecret = "myconsumersecret",
    Type = OAuthType.RequestToken,
};
var client = new RestClient
{
    Authority = "https://api.linkedin.com/uas/oauth",
    Credentials = credentials
};
var request = new RestRequest
{
    Path = "requestToken?scope=r_basicprofile%2Br_emailaddress",
};
RestResponse response = client.Request(request);

String[] strResponseAttributes = response.Content.Split('&');
string token = strResponseAttributes[0].Substring(strResponseAttributes[0].LastIndexOf('=') + 1);
string authToken = strResponseAttributes[1].Substring(strResponseAttributes[1].LastIndexOf('=') + 1);

Session["Token"] = token;
Session["TokenSecret"] = authToken;

Response.Redirect("https://www.linkedin.com/uas/oauth/authorize?oauth_token=" + token);

Then when I try to read the user's email using this code, I get an "access to email address denied" message

var request = new RestRequest { Path = "people/~/email-address" };

var credentials = new OAuthCredentials
{
    Type = OAuthType.AccessToken,
    SignatureMethod = OAuthSignatureMethod.HmacSha1,
    ParameterHandling = OAuthParameterHandling.HttpAuthorizationHeader,
    ConsumerKey = "myconsumerkey",
    ConsumerSecret = "myconsumersecret",
    Token = Session["AccessToken"].ToString(),
    TokenSecret = Session["AccessSecretToken"].ToString(),
    Verifier = Session["Verifier"].ToString()
};

var client = new RestClient()
{
    Authority = "http://api.linkedin.com/v1",
    Credentials = credentials,
    Method = WebMethod.Get
};
var userEmail = client.Request(request);
String content = userEmail.Content;

I tried the code below in vain:
var request = new RestRequest
{
    Path = "/requestToken?scope=r_basicprofile%20r_emailaddress",
};

How should I correctly encode the permission scope using the Hammock C# library? Any advice for C#?

@Rajesh Kasani

You indicated that you have got it working (emailaddress) for C#. Did you use the C# hammock library for OAuth? I'm trying to retrieve email address in C# using Hammock library. Your guidance will be greatly appreciated.

- -
Joined: 2012-10-18
Oct 18, 2012

https://api.linkedin.com/uas/oauth/requestToken?scope=r_basicprofile,r_emailaddress

Joined: 2012-10-11
Oct 18, 2012

Thanks @Prajwal for your suggestion however it did not work.

Sam Mathew
Joined: 2012-10-16
Oct 22, 2012

When I am trying to access the details of connections of a user through my app, which is authorised, I am getting the following error.

<error>
<status>403</status>
<timestamp>1350897135366</timestamp>
<request-id>P5LALEBF2S</request-id>
<error-code>0</error-code>
<message>Access to connections denied</message>
</error>

Can anybody please help me out as to which permission should be changed?

Shikha A. Sehgal
LinkedIn Employee
Joined: 2012-07-27
Oct 22, 2012

Sam:

You need to have the "r_network" permission in order to call the Connection API, please refer to the documentation here

Julien Devouassoud
Joined: 2012-10-24
Oct 26, 2012

Yes, the key really is to re-create an app. Otherwise the r_thingToAuthYouWant won't be taken into account.

thanks to all for those posts

Wolf Loescher
Joined: 2012-10-30
Oct 30, 2012

I'm working on a Windows 8 JavaScript app, and the LinkedIn JavaScript API methods are (apparently) incompatible with IE10 (the engine used for Metro apps). Does anybody have some pointers to either a basic OAuth library or how to manually create a valid request to send to the requestToken URI? Thanks in advance.

Joined: 2012-10-05
Oct 30, 2012

How do I retrieve a request token in Android? I'm using the following method but it's not working:
LinkedInRequestToken liToken =oAuthService.getOAuthRequestToken("https://api.linkedin.com/uas/oauth/requestToken?scope=rw_groups");

Can anyone please help? Thanks!!

Muthukumar Lakshmipathi
Joined: 2012-07-25
Oct 30, 2012

I spent a lot of time setting multiple permissions; your post was helpful for me.
Thanks Jack Newcombe,

Franklin Raja
Joined: 2012-08-08
Oct 31, 2012

I am trying to use the below API to get the full profile details of my 1st & 2nd degree connection.

"https://api.linkedin.com/v1/people/id=" + id + ":(id,first-name,last-name,skills,distance,educations,picture-url,headline,date-of-birth,main-address,phone-numbers,location:(name),industry,num-connections,positions:(title,start-date,end-date,is-current,company:(id,name,size)),languages,public-profile-url)"

This API returns only the basic profile details, that has below details:
First Name, Last Name, Headline, Location, Industry
And Experience Details like Company Name, Title, Start Date, End Date.

But it does not return Education, Skill and Contact Details like email. How to get these details?
Please let me know: if I upgrade my account and then register the application under that account and use that API key, will I then be able to fetch education, skills and contact details for all types of connections [including 1st degree, 2nd degree and out of network profiles]?
Also, please let me know if there are any other options to achieve this.

Thanks,

Srinath Sastry
Joined: 2012-10-29
Nov 8, 2012

I was trying out this example at https://github.com/litl/rauth/blob/master/examples/linkedin-web.py

I get a 403, Access to connections denied error and it returns KeyError: '_total'.

r_network option is present. Has anyone else faced this issue? Went through the forums and added %20 | %2520 | , | to the scope option with same results.

Any help in this regard would be appreciated.
thanks

Joined: 2011-07-25
Nov 13, 2012

Hello, to get permissions to work with C# and Hammock you need to use the request parameter to set the scope
ex

var request = new Hammock.RestRequest { Path = "requestToken" };
request.AddParameter("scope", "rw_nus");

If you need multiple permissions separate them with %20 as stated previously.

ex
request.AddParameter("scope", "r_fullprofile%20rw_nus%20r_emailaddress");

Matt Roden
Joined: 2012-02-24
Nov 22, 2012

Thanks Kevin! You saved me hours of frustration! :)

raju p
Joined: 2012-12-02
Dec 15, 2012

Hello Heba Zaidan,

Thanks a lot for your post, it's working great.

Joined: 2012-12-15
Dec 16, 2012

Thank You Kamyar.. It was useful for me.

Joined: 2012-05-21
Dec 18, 2012

LinkedIn::Forbidden: (403): Access to people search denied.
I am using the LinkedIn API with a Rails application. Every time I am getting this error. I have proper credentials for the API and OAuth token.

Thanks,
Gaurav

Kamyar Mohager
LinkedIn Employee
Joined: 2012-04-04
Dec 18, 2012

Gaurav, please provide an example of your full request, specifically how you're providing the scope parameters. Which Ruby gem are you using for OAuth?

Ioannis Suarez-Zafra
Joined: 2012-06-12
Jan 4, 2013

Please don't forget to go to your app settings in LinkedIn and upgrade your API to permanently accept users permissions.
Without that, it will keep showing the basic dialog box regardless of the scope you ask for.

Kamyar Mohager
LinkedIn Employee
Joined: 2012-04-04
Jan 4, 2013

Thanks Ioannis.

For those that are curious, we had a blog post detailing how to migrate your app to use member permissions: https://developer.linkedin.com/blog/migrating-member-permissions-0

Thanks,
Kamyar

Chris Weller
Joined: 2012-10-22
Jan 16, 2013

@Adam - thanks so much for your comment! It fixed my similar issue! I originally was trying %20 for both the parameters and signature based string.

Stefan Kistner
Joined: 2012-09-24
Feb 6, 2013

In .NET (this example in VB) it works the following way:
Simply add a parameter in the "GenerateSignatureBase" like this:

parameters.Add(New QueryParameter("scope", "r_network%20r_fullprofile%20r_emailaddress"))

You HAVE to use the '%20' as delimiter (SPACE, comma or + won't work) and you should not use the URLEncoding-Feature.

Joined: 2013-02-03
Feb 12, 2013

I am using linkedin-j-core-1.0.416.jar
My code:
LinkedInApiClientFactory factory = LinkedInApiClientFactory.newInstance(CONSUMER_KEY, CONSUMER_SECRET);
LinkedInApiClient linkedInApiClient = factory.createLinkedInApiClient(token, tokenSecret);

I need to add scope also, how can I do that? Is there an extension to this jar?

Alen Bubich
Joined: 2011-08-13
Feb 12, 2013

Quentin, I'm having the exact same problem. Any luck solving this?
