"LinkedIn supports programmatic refresh tokens for a limited set of partners on a case-by-case basis."
(cf: https://learn.microsoft.com/en-us/linkedin/shared/authentication/programmatic-refresh-tokens?context=linkedin/context)
"LinkedIn has introduced Refresh Tokens with OAuth 2.0. This feature is currently available for a limited set of partners. It will be made GA in the near future."
(cf: https://developer.linkedin.com/docs/Refresh-Tokens-with-OAuth-2)
What are the required steps to get the scope for refresh tokens' use ?
I can't modify the scopes myself on my app, I actually have the "Member Authorization" permission with scopes:
r_emailaddress
r_liteprofile
w_member_social
It's actually the more permissive authorization available on linkedin developer platform.
Related
Background
Google is kicking people out of Google Sign-in JavaScript library (platform.js) and pushing people to migration Sign In With Google by Google Identity Services library (gsi/client). (Migration Guide)
Anyone must go through this migration by March 2023. The new flows are cool (e.g. One-tap) and should make life easier.
Problem
In the new flow, Authentication and Authorization are separated! If you just need basic scopes (e.g. email, basic profile), then Authentication should be enough.
With that, you get an ID Token (a JWT) that you can verify on server-side.
The problem is, revoking this token (as listed in Revocation Methods) can only be done either manually by the user in their own Google Account, or it should be done on client-side. No server-side option is present.
The Case
Our platform supports sign in with Google, Apple, and email/password.
The same user uses Google Sign In on Web and Apple Sign In on their iPhone. (same email address.)
Per the forces of Apple, since June 30, 2022, we should provide a delete account option.
User signs in with Apple Sign In to our platform and requests deleting their account.
We can (and must, again per Apple) revoke Sign In with Apple by calling Apple's Server-to-Server Revoke Tokens endpoint. But Google doesn't provide such an option for ID-Token. :(
Any idea how to solve this?
Current alternatives
1) Use Authorization and store access_token and refresh_token
(Per Google Identity > OAuth 2.0 > Server-side Web Apps > Revoking a token) OAuth revoke takes an access token or refresh token.
The old gapi library of Google Sign In for Web, was granting access token on sign in. The new one doesn't. So we have to explicitly ask for an access token via Authorization flows, and store it/refresh-token in the DB and maintain it. That's overkill, but works.
2) Do it in client-side and cover the most, not all
It can be done on the client-side when the request for delete-account is sent to the server. However, it only covers signed-in-with-Google users. This means that the mentioned use case (signed in with Apple) wouldn't be covered. But, hey, it's a cheap and fast solution!
We have been trying to pull in like/comments for LinkedInposts that have been made by our application but it seems we are getting an error message. I am posting this on behalf of my developer. We have these products enabled.
Share on LinkedIn, Sign in with LinkedIn and Marketing Developer Platform
We have these permissions:
r_organization_social
r_1st_connections_size
r_ads_reporting
r_emailaddress
rw_organization_admin
r_liteprofile
r_basicprofile
r_ads
rw_ads
w_member_social
In trying to determine what might be happening my developer seems to think we must have r_member_social but seems to be a restricted permission per the LI faq.
"How do I get access to r_member_social?
r_member_social is a closed permission, and we are not accepting access requests this time due to resource constraints. Learn more about available Marketing APIs and permissions."
But in looking into this my thinking is that we should be able to get any likes/comments from posts that WE have made on behalf of an authenticated user via r_organization_social.
You don't have enough permissions to access the post as r_member_social is needed for it, and currently it is restricted by linkedIn.
The r_organization_social permission is used to Retrieve the organization's posts, comments, reactions, and other engagement data of the authenticated user.
It is something, that suppose your authenticated member has a page on LinkedIn and then This permission is used to get the data of the post that are from the organization page. It does not allow you to the data of the simple post that you post as the user.
More detail about the permissions can be found here.
r_member_social is needed for it, and currently, it is restricted by LinkedIn. There are just providing w_member_social access. You can check that as well by selecting your app from My Apps, navigating to the Products tab, going to the Marketing Developer Platform product, and clicking on view endpoints. then you will be able to see the permissions available.
Alternatively, you can explore this marketing documentation more.
I am working on Linkedin API Integration V2 & trying to get all companies/organization of an authenticated account but i got this error
{ StatusCodeError: 403 - {"serviceErrorCode":100,"message":"Not enough permissions to access: GET-roleAssignee /organizationalEntityAcls","status":403}
Although my app has permission [rw_organization_admin]
It's necessary to add the rw_organization_admin scope, and also trough the LinkedIn Developer portal adding to your app the product: "Marketing Developer Platform", that is the one containing the endpoint: /v2/organizationAcls. To add the "Marketing Developer Platform" product, LinkedIn will ask you to compile a form, and than they will accept or refuse your request.
I want to retrieve a accesstoken for the linkedInAPI to post and retrieve shares.For that I am authentication the linkedIn API auth by specifing the scope
r_member_social w_member_social r_basicprofile
but the authentication URL is failing with error
Scope "r_member_social" is not authorized for your
application.
Why is my app does not authorize r_member_social, what should I do to authorize it ?
Utilizing r_member_social requires special approval from LinkedIn.
To gain access to r_member_social, you first need to apply to and be approved for the LinkedIn Marketing Developer Program.
Then, submit your request for r_member_social via the LinkedIn Developer Partner Support Site. They'll know how to help get you approved. However, they may not approve you - the docs state that r_member_social "is granted to select developers only."
In V2 w_member_social replaced with w_share
Plese check the document
https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/migration-faq?context=linkedin/consumer/context
Asking the question here as the linkedin help forum directed to post things related to API on stackoverflow.
I am developing a feature on our org website to show the top 5 company page feeds setup in linkedin. Ive already setup the required access in developer.linkedin and the whole flow works in the developer.linkedin REST console to fetch the feed.
I am currently recieving this error when i try from my machine to fetch the auth token with a valid client id and secret created.
https://www.linkedin.com/oauth/v2/accessToken?grant_type=client_credentials&client_id=OMITTED&client_secret=OMITTED
{
"error": "access_denied",
"error_description": "This application is not allowed to create application tokens" }
The documentation also mentions that this flow isn't available by default and the users will need to contact linkedin.
https://developer.linkedin.com/docs/v2/oauth2-client-credentials-flow
"By default, your application will not have the ability to use LinkedIn's client credentials flow. Contact us to have your application granted permission to use this flow."
What would be the next steps in requesting access to this flow for my org?.
As outlined here:
By default, your application will not have the ability to use LinkedIn's client credentials flow. Contact us to have your application granted permission to use this flow.
The next step would be to contact them directly or Apply to become a Partner
and if accepted you'll be granted access to additional data outside of the scope of the user authentication flow (which basically means you'll be able to make calls directly from your application to access certain information)
I think the answer is well explained by API-University, since the creation of an application in order to get the access_token, will solve the communication issue.
Link to the explanation: https://api-university.com/blog/api-usage/how-to-use-the-linkedin-api-and-oauth/