
Can LinkedIn's access token renewal flow be performed on the server?

In the Facebook's Graph API, once we have initially authenticated the user, we can interact directly with the API (from the server) to obtain a long-lived page access token. This long-lived page access token never expires. (https://developers.facebook.com/docs/facebook-login/access-tokens/)

In reading LinkedIn's documentation, it appears that it is impossible to obtain an indefinite (non-expiring) access token. It seems that they expire every 60 days. However, these access tokens can be refreshed before the 60 days are up.

What isn't entirely clear from the documentation is whether or not the access token renewal can be performed on the server alone without the client's interaction. The language of the documentation suggests that the interaction of the client (browser) is required, but nothing is explicitly stated.

So, my question is, is it possible to renew a LinkedIn access token using the server alone, without the interaction of the client (browser)?

Relevant LinkedIn reference material: https://developer.linkedin.com/documents/handling-errors-invalid-tokens

rinogo asked Dec 10 '13 02:12



2 Answers

As it turns out, LinkedIn's access tokens cannot be refreshed without having the LinkedIn user log in to LinkedIn. Please refer to the first comment here by a LinkedIn employee, which clearly states a note that "this refresh will only work if the user is still logged into LinkedIn (authenticated) and the current access token isn't expired. Otherwise, the user will be presented with the login dialog again."

I guess that is now a major issue for those who were previously storing the LinkedIn access tokens in a database for later use.

I am mentioning a few links here which refer to the issue with refreshing LinkedIn OAuth2 tokens (hope this makes it clear for everyone who is struggling with the same issue):

1) This refresh will only work if the user is still logged into LinkedIn (authenticated) and the current access token isn't expired. Otherwise, the user will be presented with the login dialog again.

2) There is no way to refresh the token using the old authentication token/secret. The user needs to log into LinkedIn in order for you to refresh the tokens. We use this flow as it protects our members and their data in the best possible manner.

3) Refreshing an access token is very simple and can happen without an authorization dialog appearing for the user. In other words, it's a seamless process that doesn't affect your application's user experience. Simply have your application go through the authorization flow in order to fetch a new access token with an additional 60 day life span. When the following conditions exist:

- User is still logged into Linkedin.com
- The current access token isn't expired (within the 60 day life span)

We will automatically redirect the user back to your redirect_uri without requiring them to reauthorize your application. If they don't exist, we'll prompt them to login and then redirect them.

4) We have also standardized the duration of the authorization tokens. Previously, members could choose to grant tokens that were as short as one day or as long as forever. Now all tokens are 60 days in length, with the ability for you to extend them in a series of rolling 60 day increments whenever the member comes back to your application. To prevent a bad user experience in your application, be sure to proactively refresh tokens and elegantly route any expired tokens through a refresh flow.

5) As long as the user is logged into LinkedIn and their current access token hasn't expired, you can fetch an access token with a 60 day lifespan the next time the user comes to your application.

exAres answered Oct 09 '22 07:10
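As an added example (not code from the original post or from LinkedIn), here is the server-side decision the answer above implies, in Python: use the stored token while it is fresh, send the browser through the authorization flow before the 60-day expiry so LinkedIn can redirect back silently, and fall back to a full login once it has expired, which no background job can do. The authorization endpoint URL, the refresh margin and the parameter names are assumptions for this example.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import urlencode

# Constructed for illustration: tokens last 60 days (from the answer above) and
# the server starts refreshing a week before expiry. The endpoint URL and
# parameter names are assumptions for this example, not values from the page.
TOKEN_LIFETIME = 60 * 24 * 3600
REFRESH_MARGIN = 7 * 24 * 3600
AUTHORIZE_URL = "https://www.linkedin.com/oauth/v2/authorization"  # assumed

@dataclass
class StoredToken:
    access_token: str
    issued_at: float          # Unix time when the token was obtained
    expires_in: int = TOKEN_LIFETIME

    def seconds_left(self, now: float) -> float:
        return self.issued_at + self.expires_in - now

def decide(token: StoredToken, now: float) -> str:
    """What the server can do with a stored token when the user visits.

    'use'     - valid and not near expiry: call the API directly.
    'refresh' - valid but inside the margin: send the browser through the
                authorization flow; LinkedIn skips the dialog while the
                member is still logged in (see the answer above).
    'relogin' - already expired: the silent path is gone and the user must
                log in and authorize again; a server alone cannot do this.
    """
    left = token.seconds_left(now)
    if left <= 0:
        return "relogin"
    if left <= REFRESH_MARGIN:
        return "refresh"
    return "use"

def build_refresh_redirect(client_id: str, redirect_uri: str, scope: str):
    """Return (url, state) for the browser redirect into the auth flow.

    state is a fresh unguessable nonce: keep it in the user's session and
    compare it on the callback so the callback is bound to this browser.
    """
    state = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "scope": scope}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state
```

A background job can still run `decide()` over stored tokens to flag accounts that will need a refresh on their next visit, but only a browser visit can complete the redirect.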


I had the same question and the LinkedIn docs and forum posts are confusing, but I'm pretty sure now that it's not possible to do it programmatically without user intervention (i.e. the user needs to log in to your app via LinkedIn auth to refresh the token).

Chu Yeow answered Oct 09 '22 05:10