i would like implement OAuth 2.0 Client Credentials Flow (2-Legged), but as mentioned here : https://learn.microsoft.com/en-us/linkedin/shared/authentication/client-credentials-flow or https://developer.linkedin.com/docs/v2/oauth2-client-credentials-flow.
It's written : "Your application cannot access these APIs by default. Contact us to have your application granted permission to use this flow."
I don't find any contact (I tried linkedin support, they sent me on stack overflow..), does anyone has already done this setup ?
Thanks :)
I am in a similar boat and it seems that you will have to apply for further permissions on their partner programme page: https://developer.linkedin.com/partner-programs
I know this may be a bit of a late response but other developers stumbling across this may benefit from this answer.
Related
Asking the question here as the linkedin help forum directed to post things related to API on stackoverflow.
I am developing a feature on our org website to show the top 5 company page feeds setup in linkedin. Ive already setup the required access in developer.linkedin and the whole flow works in the developer.linkedin REST console to fetch the feed.
I am currently recieving this error when i try from my machine to fetch the auth token with a valid client id and secret created.
https://www.linkedin.com/oauth/v2/accessToken?grant_type=client_credentials&client_id=OMITTED&client_secret=OMITTED
{
"error": "access_denied",
"error_description": "This application is not allowed to create application tokens" }
The documentation also mentions that this flow isn't available by default and the users will need to contact linkedin.
https://developer.linkedin.com/docs/v2/oauth2-client-credentials-flow
"By default, your application will not have the ability to use LinkedIn's client credentials flow. Contact us to have your application granted permission to use this flow."
What would be the next steps in requesting access to this flow for my org?.
As outlined here:
By default, your application will not have the ability to use LinkedIn's client credentials flow. Contact us to have your application granted permission to use this flow.
The next step would be to contact them directly or Apply to become a Partner
and if accepted you'll be granted access to additional data outside of the scope of the user authentication flow (which basically means you'll be able to make calls directly from your application to access certain information)
I think the answer is well explained by API-University, since the creation of an application in order to get the access_token, will solve the communication issue.
Link to the explanation: https://api-university.com/blog/api-usage/how-to-use-the-linkedin-api-and-oauth/
I have an app that is protected by google-oauth (3-legged OAuth) at the nginx-level (using https://github.com/cloudflare/nginx-google-oauth). As you may know, it requires the user to be logged in or manually login to a google account using the browser.
I'd like to access this same protected app through the CLI/programatically. It's true that nginx-google-oauth provides some means that make it easy to do that: the _token_curl endpoint prints outs the headers ready to be used with curl. The problem though is that that token has an expiration date and to get it I need to be logged in or login manually to my google account.
I'm wondering if I could use a Google Service Account (2-legged OAuth) to access the google-oauth-protected app? I've searched around in the documentation (https://developers.google.com/identity/protocols/OAuth2ServiceAccount) and from what I understood, it's only meant to access Google APIs.
Could someone shed some light on the subject? Thanks!
Just for anyone else finding this, the question was answered on GitHub and it is not supported by nginx-google-oauth:
https://github.com/cloudflare/nginx-google-oauth/issues/21
I will not post any of my code, because this is more just a question to know if it's possible.
I've been googling a lot, but didn't find any concrete solutions. I hope someone can help me here.
The facts:
I have a login form
I need to authenticate the credentials over a web-service
I need to send both username and password, to get back a token if logged in successfully.
The problems:
With a custom provider I'm always stuck with the fact that they only have direct access to the userename, like: loadUserByUsername. I need to access the password there as well, to be able to send this to my web-service.
I have only 1 web-service which sends only back a token if provided username and password are correct.
Question:
How can I access and send both username and password to my web-service?
Thanks!
Generally speaking one would authenticate using an API token to a web service.
That API token is usually issued via an auto-generation script when the user account is created (either by an admin or by a registration form). This token is then passed by the API call to the web-service in a header which then uses it to authenticate the user.
As far as Symfony goes, by far the easiest way of doing this is with Guard. A new component built by Ryan Weaver from KNP.
KNPUniversity has a great tutorial on it (for free).
Note that this is only one option of many, and the 'best' way is probably mainly opinion based and directly related to the use case in question. But it might help you get on the right track.
If the token you want to create should be a JSON Web Token (JWT), a very conventient bundle is LexikJWTAuthenticationBundle, which does almost all of the work automatically. If you just follow the documentation, you will have it quickly up and running. You can combine it with FOSUserBundle, with a custom User entity or whatever.
In LinkedIn API, the access tokens will be expired after 60 days, I want to refresh them in 60 days before they are expired in a console application. I viewed this document: https://developer.linkedin.com/blog/tips-and-tricks-refreshing-access-token, and I also viewed many posts in this forum, but it looks like the refresh flow is still now clear for me.
Please note that:
I need to refresh access tokens from a console application - it is not a website, it is a tool running in backend, it has no cookies and cannot open web page to ask user to login.
And if there are some sample code (not for website) that should be better, for example: C# or Java code.
You can use curl to accomplish this. For whatever programming language you use, there should be a relevant curl library.
The way this works is as follows:
You send a POST request to https://api.linkedin.com/uas/oauth/requestToken
You receive back a request token. Use that token in place of XXX in the following call: https//www.linkedin.com/uas/oauth/authenticate?oauth_token=XXX
You will receive the response you need, which includes the access token, which you need to save. It will not expire for the next 60 days.
If you could elaborate on the issues you're having, that would certainly help.
I see what you mean now. Linkedin doesn't allow you and will never allow you to do this. The reason access tokens expire is in order to add an extra layer of privacy protection for users. Linkedin would never want you to access user data if the user's aren't actively using your application. Of course, you might have a situation where no action is required on their part, that's the only drawback. Therefore, you would need to give them a reason to visit your application at least once in each token's lifetime.
I hope this helps.
This may seem like a totally idiotic question but I am looking at writing a web app/service that will utilize google's calendar API's and I needed to see if I have the ability to write to a users calendar when the user isn't logged into there google account. I couldn't find any clear documentation that illustrated whether or not I could do this or not. I pictured the authorization process something the user agrees to when they sign up for my site and then my app can go add things to there google calendar. Does anyone know if this is possible? If so, can someone hook me up with a link that illustrates how that works?
Thanks in advance
You're thinking about "logged in" wrong.
Because web connections don't persist between requests, any web-site or web-service is checking headers such as the Authorization header and/or Cookie header (depending on what authorisation method is used), with each and every request and matching the request to a user.
Hence logging in* means that the web client (browser or whatever) is set to use the details that relate to a particular user in making the request.
When you use the API, the authorisation information you send, is performing the same job. As such, when the user is using your API they are logged in through your API, whether they're logged in through a web page or other application or not.
E.g.:
My web browser is currently logged into google to an account I use for work stuff.
My mail client is logged into google calendar to an account I use for private stuff.
When I look at google calendar, I see that I don't have any calendars (I don't use it on my work account).
When I look at Thunderbird, I see my calendars.
If I peek at the traffic being sent by the browser and mail client, on both I see headers like:
Authorization: GoogleLogin auth=...stuff I'm not going to share or it would help you impersonate me
So, I'm "logged in" on Thunderbird because the code using the API logs me in itself.
Indeed, the same application can access multiple accounts and be "logged in" to all of them, as long as it has the authentication details to do so.
*Strictly, some would argue that "logged in" isn't the correct term at all, and refers to different sorts of access mechanism where there is state on the connection. Whatever about that opinion, we use the metaphor of being or not being logged in, because users understand it.
The answer to your question is yes. Use OAuth 2 and the Authorization Code flow (web server flow), with offline enabled. Store the refresh tokens (which last indefinitely until the user has revoked), and you'll be able to upload events to Google Calendar even when the user isn't currently logged in.
More info: https://developers.google.com/accounts/docs/OAuth2WebServer#offline
Credits to Ryan Boyd for this note.