
How is obtaining the Access Token in LinkedIn OAuth 2.0 authentication supposed to be made as a POST request?

Sorry if this is a simple question.

I'm a LinkedIn newbie and am attempting to complete the OAuth 2.0 process to obtain the 60-day "access token" after obtaining the temporary "authorization code" as described at https://developer.linkedin.com/documents/authentication .

I had no problems with part 3a - obtaining the temporary authorization code. I simply redirected the user to the LinkedIn URL:

https://www.linkedin.com/uas/oauth2/authorization?response_type=code
                                       &client_id=YOUR_API_KEY
                                       &scope=SCOPE
                                       &state=STATE
                                       &redirect_uri=YOUR_REDIRECT_URI

and after the user granted permission they are redirected back to my app, and the returned parameters are checked to see if everything went well and the temporary authentication code is retrieved as one of the form parameters returned, as per the docs.

However, I am confused as to how to proceed with step 3b - exchanging the authorization code for an access token (which can then be used to make API requests). My confusion is because even though the docs show what appears to be a typical GET URL with parameters, it says "POST" next to it. So I believe a POST request must be made instead of a GET.

But what do they mean by this? Why do the docs give a URL with query parameters rather than detailing the needed POST request, with a URL and how the parameters should be formatted in the body? I'm basically just not sure how I should form my request for step 3b.

I'm assuming I can't simply redirect my users to the 3b URL as I did with the 3a URL, right? That would be easy if I could.

The language I'm using is server-side JavaScript. I can redirect. I can form and make POST requests if I know the needed format. I can create GET requests. I'm just not familiar with this situation, where the docs say the request should look like this:

https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code
                                       &code=AUTHORIZATION_CODE
                                       &redirect_uri=YOUR_REDIRECT_URI
                                       &client_id=YOUR_API_KEY
                                       &client_secret=YOUR_SECRET_KEY

yet at the same time indicate that it is a POST request.

Is there some short-cut method of using that URL as is to make a POST request? Or am I supposed to understand how to take that URL and turn it into a typical POST request and put all the parameters into the body and just make my request to https://www.linkedin.com/uas/oauth2/accessToken itself?

Sorry if it's something that should be obvious. It's just not something I have encountered before.

Any help here would be appreciated.

Thanks,

doug

Consider this as a tutorial and it will smoothly drive you to the access token :)

Step 1:

After you have created the app:

Write this down, as I will follow with the same.
I had created a folder "/var/www/html/code".

Step 2:

call:

https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=http%3A%2F%2Flocalhost%2Fcode&state=987654321&scope=r_basicprofile

reply:

http://localhost/code/?code=AQTnRRDM_pMw6Nn8jutiCKTH3xmqHOPnVb4udfGI7KbK7mLhie2XqcEZf1IOycVdgGC5mamWEiFd3DxJznxJZYaix_UCGlIH_PbJJZG720LBk5heSrE&state=987654321

You will get a different reply but the structure will be the same.

Step 3:

curl -X POST --http1.1 "https://www.linkedin.com/oauth/v2/accessToken" \
  --cookie "X-Csrf-Token: 987654321" \
  -d "grant_type=authorization_code&code=AQTnRRDM_pMw6Nn8jutiCKTH3xmqHOPnVb4udfGI7KbK7mLhie2XqcEZf1IOycVdgGC5mamWEiFd3DxJznxJZYaix_UCGlIH_PbJJZG720LBk5heSrE&redirect_uri=http%3A%2F%2Flocalhost%2Fcode&client_id=CLIENT_ID&client_secret=CLIENT_SECRET" \
  -H "Content-Type: application/x-www-form-urlencoded"

When following the spec you should send the parameters in a POST with Content-Type set to application/x-www-form-urlencoded, so a regular form post, but it turns out that LinkedIn also allows exchanging the code for a token by using a plain GET with the parameters in the query part of the URL, as your sample shows. It is not recommended (and in violation of the spec) to use GET, as the parameters end up in logs and browser history, and the GET is more vulnerable to hijacking attacks.

Here's an (edited) CURL trace of a GET to LinkedIn:

* Connected to www.linkedin.com (108.174.2.129) port 443 (#0)
...
> GET /uas/oauth2/accessToken?grant_type=authorization_code&code=<code>&redirect_uri=<url>&client_id=<id>&client_secret=<key> HTTP/1.1
> User-Agent: curl/7.39.0
> Host: www.linkedin.com
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< P3P: CP="CAO CUR ADM DEV PSA PSD OUR"
< Content-Type: application/json;charset=UTF-8
< Content-Language: en-US
< Content-Length: 219
< Vary: Accept-Encoding
< Date: Wed, 31 Dec 2014 11:04:55 GMT
< X-FS-UUID: 5b7c888b35f0b413d05936cac02a0000
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Li-Fabric: PROD-ELA4
< Strict-Transport-Security: max-age=0
...
< 
* Connection #0 to host www.linkedin.com left intact
{"access_token":"<>","expires_in":5178866}
