Authorization Code Flow (3-legged OAuth)

The Authorization Code Flow is used for applications to request permission from a LinkedIn member to access their account data. The level of access or profile detail is explicitly requested using the scope parameter during the authorization process outlined below. This workflow will send a consent prompt to a selected member, and once approved your application may begin making API calls on behalf of that member.

This approval process ensures that LinkedIn members are aware of what level of detail an application may access or action it may perform on their behalf.

If multiple scopes are requested, the user must be consent to all of them and may not select individual scopes. For the benefit of your LinkedIn users, please ensure that your application requests the least number of scope permissions.

Authorization Code Flow

  1. Configure your application in the Developer Portal to obtain Client ID and Client Secret.
  2. Your application directs the browser to LinkedIn's OAuth 2.0 authorization page where the member authenticates.
  3. After authentication, LinkedIn's authorization server passes an authorization code to your application.
  4. Your application sends this code to LinkedIn and LinkedIn returns an access token.
  5. Your application uses this token to make API calls on behalf of the member.

Prerequisites

  1. Have a LinkedIn Developer application to create a new application or select your existing application
  2. Have prior authorization access granted for at least one 3-legged OAuth permission.

The permission request workflow is outlined in the Getting Access section.

Step 1: Configure Your Application

  1. Select your application in the LinkedIn Developer Portal
  2. Click the "Auth" tab to view your application credentials.
  3. Add the redirect (callback) URL via HTTPS to your server.

Note

LinkedIn servers will only communicate with URLs that you have identified as trusted.

  • URLs must be absolute:
    • https://dev.example.com/auth/linkedin/callback
    • not /auth/linkedin/callback
  • parameters are ignored:
    • https://dev.example.com/auth/linkedin/callback?id=1
    • will be https://dev.example.com/auth/linkedin/callback
  • URLs cannot include a #
    • https://dev.example.com/auth/linkedin/callback#linkedin is invalid.

If you're using Postman to test this flow, use https://oauth.pstmn.io/v1/callback as your redirect URL and enable "Authorize using browser".

Redirect URLs

Each application is assigned a unique Client ID (Consumer key/API key) and Client Secret. Please make a note of these values as they will be integrated into your application. Your Client Secret protects your application's security so be sure to keep it secure!

OAuth Values

Warning

Do not share your Client Secret value with anyone, and do not pass it in the URL when making API calls, or URI query-string parameters, or post in support forums, chat, etc.

Step 2: Request an Authorization Code

To request an authorization code, you must direct the member's browser to LinkedIn's OAuth 2.0 authorization page, where the member either accepts or denies your application's permission request.

Once the request is made, one of the following occurs:

  1. If it is a first-time request, the permission request timed out, or was manually revoked by the member: the browser is redirected to LinkedIn's authorization consent window.

  2. If there is an existing permission grant from the member: the authorization screen is bypassed and the member is immediately redirected to the URL provided in the redirect_uri query parameter.

auth li

When the member completes the authorization process, the browser is redirected to the URL provided in the redirect_uri query parameter.

Note

If the scope permissions are changed in your app, your users must re-authenticate to ensure that they have explicitly granted your application all of the permissions that it is requesting on their behalf.

GET https://www.linkedin.com/oauth/v2/authorization
Parameter Type Description Required
response_type string The value of this field should always be: code Yes
client_id string The API Key value generated when you registered your application. Yes
redirect_uri url The URI your users are sent back to after authorization. This value must match one of the Redirect URLs defined in your application configuration. For example, https://dev.example.com/auth/linkedin/callback. Yes
state string A unique string value of your choice that is hard to guess. Used to prevent CSRF. For example, state=DCEeFWf45A53sdfKef424. No
scope string URL-encoded, space-delimited list of member permissions your application is requesting on behalf of the user. These must be explicitly requested. For example, scope=r_liteprofile%20r_emailaddress%20w_member_social. See Permissions and Best Practices for Application Development for additional information. Yes

The scopes available to your app depend on which Products or Partner Programs your app has access to. This information is available in the Developer Portal. Your app's Auth tab will show current scopes available. You can apply for new Products under the Products tab. If approved, your app will have access to new scopes.

Sample Request

GET https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id={your_client_id}&redirect_uri={your_callback_url}&state=foobar&scope=r_liteprofile%20r_emailaddress%20w_member_social

Once redirected, the member is presented with LinkedIn's authentication screen. This identifies your application and outlines the particular member permissions/scopes that your application is requesting. You can change the logo and application name in the Developer Portal under My apps > Settings

auth li

Member Approves Request

By providing valid LinkedIn credentials and clicking Allow, the member approves your application's request to access their member data and interact with LinkedIn on their behalf. This approval instructs LinkedIn to redirect the member to the redirect URL that you defined in your redirect_uriparameter.

https://dev.example.com/auth/linkedin/callback?state=foobar&code=AQTQmah11lalyH65DAIivsjsAQV5P-1VTVVebnLl_SCiyMXoIjDmJ4s6rO1VBGP5Hx2542KaR_eNawkrWiCiAGxIaV-TCK-mkxDISDak08tdaBzgUYfnTJL1fHRoDWCcC2L6LXBCR_z2XHzeWSuqTkR1_jO8CeV9E_WshsJBgE-PWElyvsmfuEXLQbCLfj8CHasuLafFpGb0glO4d7M

Attached to the redirect_uri are two important URL arguments that you need to read from the request:

  • code — The OAuth 2.0 authorization code.
  • state — A value used to test for possible CSRF attacks.

The code is a value that you exchange with LinkedIn for an OAuth 2.0 access token in the next step of the authentication process. For security reasons, the authorization code has a 30-minute lifespan and must be used immediately. If it expires, you must repeat all of the previous steps to request another authorization code.

Warning

Before you use the authorization code, your application should ensure that the value returned in the state parameter matches the state value from your original authorization code request. This ensures that you are dealing with the real member and not a malicious script. If the state values do not match, you are likely the victim of a CSRF attack and your application should return a 401 Unauthorized error code in response.

Failed Requests

If the member chooses to cancel, or the request fails for any reason, the client is redirected to your redirect_uri with the following additional query parameters appended:

  • error - A code indicating one of these errors:
    • user_cancelled_login - The member declined to log in to their LinkedIn account.
    • user_cancelled_authorize - The member refused to authorize the permissions request from your application.
  • error_description - A URL-encoded textual description that summarizes the error.
  • state - A value passed by your application to prevent CSRF attacks.

Step 3: Exchange Authorization Code for an Access Token

The next step is to get an access token for your application using the authorization code from the previous step.

POST https://www.linkedin.com/oauth/v2/accessToken

To do this, make the following HTTP POST request with a Content-Type header of x-www-form-urlencoded using the following parameters in the request body:

Parameter Type Description Required
grant_type string The value of this field should always be: authorization_code Yes
code string The authorization code you received in Step 2. Yes
client_id string The Client ID value generated in Step 1. Yes
client_secret string The Secret Key value generated in Step 1. See the Best Practices Guide for ways to keep your client_secret value secure. Yes
redirect_uri url The same redirect_uri value that you passed in the previous step. Yes

Sample Request

POST /oauth/v2/accessToken HTTP/1.1
Host: www.linkedin.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code={authorization_code_from_step2_response}&redirect_uri={your_callback_url}&client_id={your_client_id}&client_secret={your_client_secret}

Access Token Response

A successful access token request returns a JSON object containing the following fields:

Parameter Type Description
access_token string The access token for the application. This value must be kept secure as specified in the API Terms of Use. The length of access tokens is ~500 characters. We recommend that you plan for your application to handle tokens with length of at least 1000 characters to accommodate any future expansion plans. This applies to both access tokens and refresh tokens.
expires_in int The number of seconds remaining until the token expires. Currently, all access tokens are issued with a 60-day lifespan.
{
  "access_token": "AQXNnd2kXITHELmWblJigbHEuoFdfRhOwGA0QNnumBI8X...",
  "expires_in": 5184000
}

Access Token Scopes and Lifetime

Access tokens stay valid until the number of seconds indicated in the expires_in field in the API response. You can go through the OAuth flow on multiple clients (browsers or devices) and simultaneously hold multiple valid access tokens if the same scope is requested. If you request a different scope than the previously granted scope, all the previous access tokens are invalidated.

Step 4: Make Authenticated Requests

Once you've obtained an access token, you can start making authenticated API requests on behalf of the member by including an Authorization header in the HTTP call to LinkedIn's API.

Sample Request

curl -X GET https://api.linkedin.com/v2/me' \
-H 'Authorization: Bearer {INSERT_TOKEN}'

Step 5: Refresh Access Token

Tip

To protect members' data, LinkedIn does not generate long-lived access tokens.

Make sure your application refreshes access tokens before they expire, to avoid unnecessarily sending your application's users through the authorization process again.

Refreshing a Token

Refreshing an access token is a seamless user experience. To refresh an access token, go through the authorization process again to fetch a new token. This time however, in the refresh workflow, the authorization screen is bypassed, and the member is redirected to your redirect URL, provided the following conditions are met:

  • The member is still logged into www.linkedin.com
  • The member's current access token has not expired

If the member is no longer logged in to www.linkedin.com or their access token has expired, they are sent through the normal authorization process.

Programmatic refresh tokens are available for a limited set of partners. If this feature has been enabled for your application, see Programmatic Refresh Tokens for instructions.

Error Handling

401 Unauthorized

401 Unauthorized errors are usually caused by a problem in the request header of your API call. For example, if you don't use a valid access token when you make an API call on behalf of a LinkedIn member, a 401 Unauthorized error is returned. Some common cases are:

Error Type Fix
Unknown authentication schema Unrecognized authentication header schema. Make sure the authentication header follows the format Authorization: Bearer (your access token).
Empty OAuth2 access token The authentication header is missing or empty. Make sure the authentication header follows the format Authorization: Bearer (your access token).
Invalid access token Incorrect access token, make sure you follow the authentication procedure to get a correct access token.
Expired access token The access token has expired, see how to refresh your access token.
The token has been revoked The access token has been revoked by the member from their privacy settings on LinkedIn’s website. To continue using your application, the member must re-authenticate to get a new access token for your application.

403 Access Denied

When your application makes an API call with a member’s access token, LinkedIn checks if the access token has permission to access the API. If the access token does not have the correct permissions, a 403 Access Denied error is returned. When this happens, check the following:

  • Does your application have permissions to make the API call?
  • Does your application ask the user to enable these permissions?
  • Did your application change the scope while requesting an access token?

If you continue to see the error, reach out to your partner technical support channel or https://developer.linkedin.com/support.

Note

A 500 Internal Server Error is returned if there are downstream failures when verifying the access token.