Linkedin API access token generation error - linkedin

i am trying to generate access token to collect linkedin data. I followed the instructions provided in the linkedin API documentaion. I created an app in developers page and got the following:
Application Details
• Company:
Fresher
• Application Name:
xxxxxxxxxx
• API Key:
75pcum6zb2cael
• Secret Key:
xxxxxxxxxxxxxxxx
• OAuth User Token:
xxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
• OAuth User Secret:
xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx
Using the API Key i generated the authorization_code with the URL:
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=75pcum6zb2cael&state=DCEEFWF45453sdffef424&redirect_uri=https://www.google.com
but when i finally tried to generate the access token using the below URL, i got an error response :
https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=https://www.google.com&client_id=75pcum6zb2cael&client_secret=xxxxxxxxxxxxxxxx
{"error_description":"missing required parameters, includes an invalid
parameter value, parameter more than once. : Unable to retrieve access
token : appId or redirect uri does not match authorization code or
authorization code expired","error":"invalid_request"}
Even after multilple validations, the same error messages appears.
please help. thanks.

finally, i got the access token. The authorization code expires in 20 seconds, so the access token URL must be called immediately after generating the authorization code.

Well, I went through the same problem and here is the process which i went through to fix it.
STEP#1: Authentication:
Firstly, the authentication API is to be hit to fetch the authentication token.
For this, a URL with Encoded parameters is to be hit as a GET request.
Example: https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=[your_client_id]&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flinkedin%2Fcallback&scope=r_emailaddress
Please note that here, the parameters are to be encoded programatically.
My non-encoded callback URL is: http://localhost:8080/linkedin/callback
Therefore, my encoded URL is: http%3A%2F%2Flocalhost%3A8080%2Flinkedin%2Fcallback
Once you hit this as a GET request, you will receive a callback with a code and an optional state parameter.
STEP#2: Getting Access Token:
There are three pre-requisites to this call:
The call must be POST
It must have a header Content-Type with value application/x-www-form-urlencoded
The data must be sent in request body.
The value of redirect_url MUST BE SAME as in the previous call.
In my case, it was: http://localhost:8080/linkedin/callback
Now the trick here is, that the call in (STEP#1 Authentication) was a GET request. Therefore, the redirect_url had to be programatically encoded.
Since the second call for is POST and is also application/x-www-form-urlencoded encoded, therefore the request body parameters do not have to be explicitly encoded. So, in this case, the redirect_uri would be sent as-is (http://localhost:8080/linkedin/callback)
Here is a snapshot of my Access Token API via postman:

My problem was in redirect_uri which contained url with query parameters (like redirect_uri=encodeURIComponent(http://example.com/callback?query=string)).
If redirect url is completely different linkedin will show you an error before showing you login form, but if redirect_url matches what you specified in linkedin app and contains extra query parameters, you'll not get an error, so once login form is submitted you'll get an invalid code and as a result error as above.

This error may be scopes related.
On the details of your application when selecting scopes there is this message:
Selecting both r_basicprofile and r_fullprofile is redundant.
r_basicprofile will be selected if neither r_basicprofile nor
r_fullprofile is checked.
If you are selecting both r_basicprofile and r_fullprofile just uncheck r_basicprofile or remove it from your Authorization Code Request.

I had the same problem, in my case I was using different redirect_uri for authorization and for access token. I had "proxy": "localhost:3001" in my package.json, and it overriden my request_uri.
So my suggestion: make sure the hosts and redirect_uri are all the same for two requests (both backend and server side).

Related

Why Doesn't my Authorization Header need "Bearer"?

I am currently working with a group of applications that are running on two separate, but equivalent, environments (Referred to as ENV1 and ENV2). I have been using OAuth 2.0 for Authorization and when I receive a response after requesting an access token from the OAuth service (I am making my requests through Postman) I get a response that looks like this from ENV1 and ENV2:
As far as I am aware, I believe that this "token_type": "Bearer" means that when I send in the access_token to my application I need to do so like this:
By sending in the token through the Authorization header, prefixed with "Bearer". This approach works fine on ENV1 but on ENV2 the request fails unless I send in the token alone with no "Bearer" prefix:
If I send in the Authorization header with the "Bearer" prefix, I get a 401 Unauthorized error as the response. This is the help tip that Postman provides(Emphasis mine):
Similar to 403 Forbidden, but specifically for use when authentication is possible but has failed or not yet been provided. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource.
The problem here is that there IS a WWW-Authenticate header field, and it contains "Bearer", which I would assume is a "challenge applicable to the requested resource" seeing as the token response contained "token_type": "Bearer":
Questions:
Why would this be different between environments?
How is this even possible? The documentation I have found on OAuth 2.0 shows that the "Bearer" prefix is needed for requests like the ones I am trying to make. (for example, in section 2.1 of the documentation here)
From your description, it seems that the environments are not actually identical. E.g. maybe ENV2 is behind a gateway that adds the Bearer prefix to the header. Or the API on ENV2 (or the gateway) is configured to read the header without the prefix.
When the OAuth Server returns the access token, it gives you the type - a bearer token. That type means, that the token is just this - a bearer token - as opposed to a Proof-of-Possession token. When you send a bearer token to an API, you don't have to provide any additional information that would prove that you are the owner of the token. (you can compare bearer with the DPoP standard)
The Bearer Token Usage standard does require you to use the prefix Bearer in the authorization header (as you pointed out), but it doesn't mean that all the APIs and gateways implement that standard correctly, or that they use that standard at all.
To summarize:
it's up to the gateway/API to decide in what format they want the Authorization header, and that has nothing to do with the type of the token (a bearer token). It's nice when they use standards, but they don't have to.
In your setup, there must be some kind of difference between the environments if the same request is treated differently between them. If you own the environments you should investigate what is configured differently. If you don't own them, you should contact the owner's support to solve the issue.

Bearer token invalid on here fuel prices API even though apikey is included as parameter

I am new to Here and am trying to make my first API call but I keep getting back this error:
{"Type":"Unauthorized","Message":["Bearer token invalid. Bearer missing or bearer value missing."]}
Here's the URL that I'm using to call the API:
https://fuel-v2.cc.api.here.com/fuel/stations.json?apiKey=${hereApiKey}&prox=${lat},${lng},1600
I have also tried including the api key in an authorization header and get the exact same thing. I've tried with apikey= and apiKey= and the results are the same. I've also tried moving the apikey param to after the prox param (though I know that shouldn't matter). I feel like I'm following the documentation when it says that I can use api key authentication for this call and that app code authentication is deprecated, so I'm not sure what I'm doing wrong.
I am currently on a Here Freemium plan and making this call from a Node JS server application.
The token expires in 24 hours, you need to generate a new token and test again
In order to use OAuth token authentication please use the below request
https://fuel-v2.cc.ls.api.here.com/fuel/stations.xml?prox=52.516667,13.383333,5000
And in header please include
Authorization = Bearer "Oauth token"
other way to include the token is -
https://developer.here.com/documentation/fuel-prices/dev_guide/topics/request-here-environments.html

Linked In API returning 403 (Forbidden) when a request for email-address is made

I am trying to get a user's email address from their Linked In.
I complete the whole OAuth 2.0 Authorization Code Flow and get an access token but when I make a GET request to the endpoint https://api.linkedin.com/v2/me?projection=(email-address), it returns a 403 (Forbidden) HTTP status code.
Here is what happens:
When I specify r_liteprofile r_email-address as the permission in the scope parameter when making a request for an authorization code, and when asking for data, as the fields, the parameter projection=(localizedFirstName, localizedLastName, email-address), I get a 200 HTTP Status code but in the result JSON, I get only the localizedFirstName and localizedLastName values.
If I specify just the r_emailaddress permission in the scope parameter and projection=(email-address) when asking for data, I receive a 403 (Forbidden) Status Code.
If I specify just r_emailaddress in the scope field and leave out specifying any fields, i.e. I hit the https://api.linkedin.com/v2/me endpoint without any parameters (but the access token sent appropriately in the Authorization header as a Bearer scheme token), I get a 403 (Forbidden) HTTP Status Code.
My application does have permission for r_emailaddress as that is a basic permission that is granted to all applications upon creation and does not need approval.
Am I hitting the right endpoint for getting the email address? Everything seems to be alright but I still get a 403. What's going on?
The request to retrieve the email address is:
GET https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))
You need to request the r_emailaddress scope to use this endpoint.
See https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin?context=linkedin/consumer/context for reference.

Amending scope values in token request causes problems accessing APIs afterwards

I am encountering the following error after amending a scope value being sent in the headers of a token POST request against the token API endpoint for our WSO2 instance:
ERRORS.900901
Invalid CredentialsAccess failure for API: /scheme/v1, version: v1 with key: fa41109938522762bcca953336f0e0e2.
Make sure your have given the correct access token
This error comes after I successfully get a token returned and then use that token for a an API setup in WSO2 publisher. This particular endpoint in the error does not actually have any scopes applied to it which causes me some confusion about why this error comes up since its not a scope protected endpoint so my token shouldn't matter?
This happened after I realised there was a typo in a scope value I was sending in the POST request and so I updated it accordingly.
If I leave the typo in I can use the token generated for a subsequent API request and dont get this error.
Am I right in thinking that tokens are generated based on the list of scopes returned back by the Token API for the given user?
I have tried manually revoking the access token using a cURL command as documented here and generating a new one using the corrected scope names, but still this error comes back after trying to access that API.
What could be the issue here?
Thanks
This error comes after I successfully get a token returned and then
use that token for a an API setup in WSO2 publisher. This particular
endpoint in the error does not actually have any scopes applied to it
which causes me some confusion about why this error comes up since its
not a scope protected endpoint so my token shouldn't matter?
This also can happen if there were any errors while validating the token. This doesn't look like a scope issue. So if you can provide the corresponding logs in wso2carbon.log, I can tell the exact reason.
Am I right in thinking that tokens are generated based on the list of
scopes returned back by the Token API for the given user?
Yes.

Withings API No Response on request_token

I have setup everything as described in the steps in answer to the post withings api authentication.
However, when i copy and paste the final URL generated in Step 2 (Send request to the URL:), I get no response on my browser and the screen remains empty.
Is there any reason for why it might be happening ?
OAUTH TOKEN and OAUTH SECRET - will I get two of them appended to callback url ?
Each paramter string was supposed to be URL encoded in signature i.e URLEncoder.encode("key=value","UTF-8")
I have used temboo API to get the user tokens.
They have two steps Initial oauth and final oauth.

Resources