Integrating LinkedIn using OAuth

1. OAuth & LinkedIn

2. Why Should We Integrate
LinkedIn?
• Users can bring their LinkedIn profile and
network in your site
• Access to a network of over 80 million users
• Authentication to your site using LinkedIn APIs
• Search for profiles, connections
• Update LinkedIn status from your site
And many more….

3. LinkedIn Platform Guidelines
• No LinkedIn data can be stored
– Exceptions: Storing the Member ID for subsequent API calls & User’s profile data
when given explicit user permission by the owner of the profile
• Don't share your API keys and secrets with anyone
• Data gathered from one user's LinkedIn account/network may not be
exposed to another user
• You must show the agreement screen in its own window
– URL is visible
– Same browser window/tab or pop-up but NOT an Iframe into the current page
• You cannot provide API access to your customers
• http://developer.linkedin.com/docs/DOC-1091

4. LinkedIn OAuth's Authentication
Model
• You get an API key from LinkedIn. (Consumer Key in OAuth terminology)
• You build a feature into your site that leverages the user's LinkedIn network
• Your user clicks on your UI to request to use that feature.
• You make a call to LinkedIn to ask to use our authentication. This is called getting a Request Token.
• LinkedIn replies with an OAuth Token indicating that you can use the authentication system.
• You send your user to a LinkedIn URL. That URL includes the OAuth Token you got and a few other parameters
such as a URL for LinkedIn to return the user to after granting access.
• The user grants access to your application by signing into that page.
• Upon successful signon, LinkedIn will return the user to your site.
• You will then make a call to LinkedIn to get an Access Token.
• LinkedIn replies with an Access Token for the user. You use that Access Token for any API calls to LinkedIn to
identify the user on whose behalf you are making the call.

6. Anatomy of an OAuth Request
1. Establish a requestToken
– HTTP Method (POST)
– Request URI (https://api.linkedin.com/uas/oauth/requestToken)
– oauth_callback
– oauth_consumer_key
– oauth_nonce
– oauth_signature_method
– oauth_timestamp
– oauth_version
Sample response:
oauth_token=94ab03c4-ae2c-45e4-8732-
0e6c4899db63&oauth_token_secret=be6ccb24-bf0a-4ea8-a4b1-
0a70508e452b&oauth_callback_confirmed=true&oauth_expire
s_in=599

7. Anatomy of an OAuth Request
2. Redirect the User to our Authorization Server
• Forward the user to LinkedIn’s authorization server where they'll
authorize your application
• User decides whether to authorize your application or deny the
request using our standard authenication screen
• One Click Login - Automatically (and immediately) redirect to the
callback URL, if
a. The current user is logged into LinkedIn.
b. The current user has already granted an access token to your application.
c. The access token has not expired.
http://localhost/oauth_callback?oauth_token=94ab03c4-ae2c-45e4-8732-0e6c4899db63&
oauth_verifier=98295
• Cancel Button - either the "Integration URL" you defined for your
application, or, if that value is blank, the OAuth callback URL

8. Anatomy of an OAuth Request
3. Request the Access Token
• Last step - Obtain an access token that actually gives you the agency to make requests
on behalf of the LinkedIn member.
– HTTP Method (POST)
– Request URI (https://api.linkedin.com/uas/oauth/accessToken)
– oauth_consumer_key
– oauth_nonce
– oauth_signature_method
– oauth_timestamp
– oauth_token
– oauth_verifier
– oauth_version
• As a response to your request for an accessToken, your accessToken will be in the
"oauth_token" field and an oauth_token_secret.
oauth_token=f862f658-ad89-4fcb-995b-7a4c50554ff6&oauth_token_secret=a252d40e-f7f0-
4f31-a362-3451e168d5a5
4. Signing out

9. LinkedIn API
• People
– Profile API
• http://api.linkedin.com/v1/people/~
• http://api.linkedin.com/v1/people/id=abcdefg
• http://api.linkedin.com/v1/people/url=<public-profile-url>
– Connections API
• http://api.linkedin.com/v1/people/~/connections
– People Search API
• Network Updates / Status
– Get Network Updates API
– Post Network Updates
– Commenting on & Reading Comments in Network Updates
– Share API
• Communications
– Messaging Between Connections
– Invitation API

10. Throttle Limits
• Designed to ensure maximum performance for all developers and to protect the user experience
of all users on LinkedIn.
• Three types of throttles applied to all API keys:
– Application throttles: Limit the number of each API call your application can make using its API key.
– User throttles: Limit the number of calls for any individual user of your application.
– Developer throttles: For people listed as developers on their API keys. Approximately four times higher
than the user throttles for most calls.
• Throttled Responses
– 403 HTTP status code with a response body containing an XML document.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error>
<status>403</status>
<timestamp>1264619093714</timestamp>
<error-code>0000</error-code>
<message>Throttle limit for calls to this resource is reached.</message>
</error>