A simple project developed as part of the course Security of Service-Oriented Architectures, in which I show how the OAuth 2.0 protocol works with the LinkedIn social network.
Security for OAuth 2.0 - Pavan Kumar J (@topavankumarj)
OAuth is one of the most successful authorization protocols on the Internet. The OAuth 2.0 framework, the proposed standard to replace OAuth 1.0, enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the service, or by allowing the third-party application to obtain access on its own behalf.
In this webinar, we provide an overview of the OAuth 2.0 authorization model, how it fits in the enterprise environment, and some critical security implications of note for software architects and security analysts.
Vulnerable App: https://github.com/topavankumarj/Vulnerable-OAuth2.0-Application
Key Takeaways:
1.) Comprehensive understanding of the OAuth 2.0 authorization framework.
2.) Threats/Attacks specific to OAuth 2.0
3.) Practical demonstration of exploit vectors
4.) Outline of architectural best practices in OAuth 2.0
Who should attend:
1.) Application architects /API developers who use OAuth to publish and/or interact with protected data.
2.) Security Analysts who want to learn about security implications relevant to the OAuth Framework.
OAuth 2.0 - The fundamentals, the good, the bad, technical primer and commo... - Good Dog Labs, Inc.
OAuth 2.0 seems to be a comprehensive framework for authorizing access to protected resources, but is it really? We can argue that OpenID Connect will make it enterprise ready, but the level of adoption in the enterprise is yet to be seen. This primer describes the framework fundamentals, the good, the bad, and common OAuth 2.0 flows.
The Many Flavors of OAuth - Understand Everything About OAuth2 - Khor SoonHin
APIdays San Francisco 31 Jul 2018
https://oauth.io
Describe what, why and how of OAuth2
Provide an easy way to remember all OAuth2 grant types/flow through a 'spot the difference' image comparing all the 4 grant types.
Provide a quick reference showing all the steps in all OAuth2 grant types side-by-side.
Introduce the new identity layers built on top of OAuth2 that offer authentication on top of authorization - OpenID Connect and IndieAuth
Describes the role of OAuth.io in:
1. Standardizing all the different OAuth2 implementations of different providers, e.g., Facebook, Twitter, etc., by hiding them behind OAuth.io's API endpoints
2. Accelerating adoption of new OAuth2 standards by providing a shim layer to implement those standards on behalf of OAuth providers
Security is primarily a way of thinking, and in that spirit this presentation mainly revolves around understanding the various terminologies and security concepts employed by the OAuth 2.0 specification (http://tools.ietf.org/html/rfc6749). These will be contrasted with the actual implementation thereof by Google, Facebook, etc.
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth
Tech talk about OAuth, an open standard for API authorization. Originally broadcast on Justin.tv.
Securing RESTful APIs using OAuth 2 and OpenID Connect - Jonathan LeBlanc
Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.
As part of MobiliYa Spread Knowledge Initiative Presentation Series.
Agenda
1. Intro - Auth - Authentication & Authorization & SSO
2. OAuth2 in Depth
3. Where does JWT fit in?
4. How to do stateless Authorization using OAuth2 & JWT?
5. Some Sample Code? How easy is it to implement?
Discussed the general OAuth2 features. Reviewed OAuth2 roles and grant flows:
Authorization code grant flow
Implicit grant flow
Resource owner password credentials grant flow
Client credentials grant flow
Reviewed access resource flow and token refresh.
see video: https://www.youtube.com/watch?v=UPsVD-A7gP0
OAuth has become standard practice for large social media APIs and it's becoming common across enterprise APIs. OAuth is good for your customers' security and experience, making it critical if you want adoption of your API.
Prepared for API Meetup Tokyo #13 https://api-meetup.doorkeeper.jp/events/41135
Using the "OAuth" specification as the framework for API access authorization has become commonplace. This session introduces trends in OAuth adoption and where it is heading.
Shows how to be an OAuth consumer and provider from PHP (OAuth 1), including handling of tokens and secrets and the workflow for devices. Also covers the workflow for OAuth 2.
APIs are now the standard entry point to the majority of newly created 'back-end' functionality. These APIs exist to provide not only a standardized, structured way to access the required features or functions, but also to act as 'gatekeepers', ensuring appropriate security, auditing, accounting, etc. Security is always underpinned by identity, and as such APIs need to know, if not who is accessing them, then at least the context in which they are being accessed.
This presentation describes different ways of authenticating users to protect a web application. It shows the difference between a custom approach and authentication with OAuth1 and OAuth2.
OAuth is an open authorization standard for APIs: a third party is granted access to a user's resources without ever handling that user's login and password. Some familiarity with OAuth is assumed, going forward.
http://oauth.net/core/1.0a
Will any old OAuth library work with LinkedIn?
LinkedIn uses OAuth 1.0a and requires HTTP header-based authorization. Some OAuth libraries don't yet support OAuth 1.0a, or are built with lenient OAuth implementations in mind. LinkedIn's OAuth is strict. Your library might not be up to snuff.
Quick Glossary That Won't Be So Quick, Because This Stuff Actually Takes Time to Learn
oauth_callback - This is either a URL or "oob" and denotes where to direct a user on your server following the "authorize" step.
out of band - A form of OAuth where no URL callback is used; the member is shown a PIN code instead, which your application collects and uses as the oauth_verifier.
requestToken - A token issued to you as a result of asking for it. Re-used in the authorize step.
accessToken - A token issued to you at the end of the cycle. Represents a LinkedIn member and authorizes you to access resources on their behalf.
authorize - After getting a request token, you send the user to an authorize URL where they grant access to your application.
token secret - A string returned on the requestToken and accessToken steps, used in conjunction with your consumer secret when signing certain requests.
consumer key - Your API key.
consumer secret - Your API secret. Used in the signing of all requests.
oauth_nonce - A random string, unique in every request.
oauth_timestamp - Epoch time in seconds, synced within 5 minutes of LinkedIn's clock.
oauth_token - Specified in many contexts, either the request token or access token.
oauth_verifier - A value returned to you when your oauth_callback is invoked, or hand-entered by a user in the out-of-band flow.
All OAuth-based requests are very similar. You're identifying a resource that you want to make a request to, you're building a string that describes the request and your credentials for making it, and then you're signing that string using a set of secrets. It's like addressing an envelope where the address and stamp not only describe the destination but also the contents.
The OAuth 1.0a Request Cycle
1) You ask for a request token and specify your callback
2) You direct the user to our authorization screen
3) You either receive a callback at a URL you specified, or the member enters a PIN code (out-of-band authentication)
4) You ask for an access token
5) You make API calls!
Getting a Request Token
Building a requestToken request requires the following: HTTP method, request URI, oauth_callback, oauth_consumer_key, oauth_nonce, oauth_signature_method, oauth_timestamp, and oauth_version.
First build your string to sign. We'll use these values for this example.
HTTP Method POST
Request URI https://api.linkedin.com/uas/oauth/requestToken
oauth_callback http://linkedin.realitytechnicians.com:3000/oauth_consumers/taylor_singletary/callback
oauth_consumer_key dTgSkaRKZjEnS1vAUu6e7-aYC00UilBTwnXHpLH7NyL2e-klzBC1a4TKCnSgClWV
oauth_nonce 24FZIeB9tNGlnV9p7nnP1yelQbTNFjU7R5qs8u0tk
oauth_signature_method HMAC-SHA1
oauth_timestamp 1260811626
oauth_version 1.0
Next build your string to sign. These parameters get sorted alphabetically, each key and value is URL escaped and joined into key=value pairs with "&"; the HTTP method, the URL-escaped request URI and the URL-escaped parameter string are then concatenated with "&" into a single string (which is why the parameter values end up escaped twice):
POST&https%3A%2F%2Fapi.linkedin.com%2Fuas%2Foauth%2FrequestToken&oauth_callback%3Dhttp%253A%252F%252Flinkedin.realitytechnicians.com%253A3000%252Foauth_consumers%252Ftaylor_singletary%252Fcallback%26oauth_consumer_key%3DdTgSkaRKZjEnS1vAUu6e7-aYC00UilBTwnXHpLH7NyL2e-klzBC1a4TKCnSgClWV%26oauth_nonce%3D24FZIeB9tNGlnV9p7nnP1yelQbTNFjU7R5qs8u0tk%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1260811626%26oauth_version%3D1.0
Create your Authorization HTTP Header & Issue the Request
Now we sign this string using our consumer secret and create an HTTP Authorization header. At this step there is no token secret yet, so the HMAC-SHA1 signing key is your URL-escaped consumer secret followed by "&". The signature should be placed in the oauth_signature value.
Authorization: OAuth
oauth_nonce="24FZIeB9tNGlnV9p7nnP1yelQbTNFjU7R5qs8u0tk",
oauth_callback="http%3A%2F%2Flinkedin.realitytechnicians.com%3A3000%2Foauth_consumers%2Ftaylor_singletary%2Fcallback",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1260811626",
oauth_consumer_key="dTgSkaRKZjEnS1vAUu6e7-aYC00UilBTwnXHpLH7NyL2e-klzBC1a4TKCnSgClWV",
oauth_signature="Ws%2B%2FH%2FonYnsZXyZwyEhgL%2Bboq8s%3D",
oauth_version="1.0"
Evaluate the requestToken response
Now we issue this request to the requestToken endpoint, and if all is successful, you'll get something like the following URL encoded response:
oauth_token=f7868c3a-7336-4662-a6d1-3219fb4650d1&oauth_token_secret=45e0ccd0-0c5d-431e-831a-63f10552338a&oauth_callback_confirmed=true
The oauth_token field is now your request token, and the oauth_token_secret will be used for signing your request for an access token. oauth_callback_confirmed=true just gives you confirmation that we recognized your oauth_callback parameter.
You'll want to "hold on" to the oauth_token and oauth_token_secret until you've completed the access token step. Keep the oauth_token_secret on your server; it is only ever used for signing and is never sent to the member's browser.
Authorizing the member
Build your authorization URL
Now that we have a request token, we can build the URL to authorize the user. We'll then redirect the user to this URL so they can grant your application access.
An authorization URL is simply this endpoint, https://api.linkedin.com/uas/oauth/authorize, with a query parameter tacked on called oauth_token. The value for this parameter is equal to the request token you received in the previous step.
With this same example, you'd direct the user to this URL:
https://api.linkedin.com/uas/oauth/authorize?oauth_token=f7868c3a-7336-4662-a6d1-3219fb4650d1
The user needs to land on this page within 5 minutes of your request token cycle. You should not pass an oauth_callback parameter to this page (you already did that in the request token step).
Send the user to LinkedIn's Authorization Page
The user will then be sent to our authorization page. When completed, the user will either be sent back to your oauth_callback URL or presented with a series of digits they'll be instructed to hand-enter into your application (if you are performing out-of-band authentication).
OAuth Callback vs. Out of Band
OAuth callback: after authorizing your application, the user will be sent to the URL you specified as the oauth_callback. Your callback will receive an oauth_token, which is the same as your request token, and an oauth_verifier parameter. The token secret is not part of the redirect; use the oauth_token_secret you stored at the request token step, looked up by the oauth_token you receive, and reject a callback carrying a request token you never issued. You will need to attach the oauth_verifier to your accessToken request in the next step.
Out of band: after authorizing your application, the member is presented with a PIN code. In your application, you should now present a UI allowing the user to hand-enter the PIN code. After receiving the PIN code, you'll be using it for the accessToken step as the oauth_verifier.
Getting an Access Token
Prepare your signing secret
Regardless of whether you used out-of-band authentication or not, you'll now be equipped with a request token, an oauth_token_secret, and an oauth_verifier. You're now going to exchange that request token for an access token, imbued with the permission of the LinkedIn member to act on their behalf.
In LinkedIn's strict OAuth implementation, a request for an access token must be signed using both your consumer secret and the oauth_token_secret you received when retrieving your request token. Many existing OAuth libraries do not properly incorporate the oauth_token_secret in this step.
Your signing key will be in the format of:
url_escape(consumer_secret)&url_escape(oauth_token_secret)
Now build your string to sign. We'll use these values for this example. Your oauth_token is your requestToken.
HTTP Method POST
Request URI https://api.linkedin.com/uas/oauth/accessToken
oauth_consumer_key dTgSkaRKZjEnS1vAUu6e7-aYC00UilBTwnXHpLH7NyL2e-klzBC1a4TKCnSgClWV
oauth_nonce WqKwyyrjQLgpaeJIB6MWKKmDOIpxKBrz0lLabSO3UI
oauth_signature_method HMAC-SHA1
oauth_timestamp 1260811635
oauth_token f7868c3a-7336-4662-a6d1-3219fb4650d1
oauth_verifier 75553
oauth_version 1.0
Now build your string to sign. These parameters get sorted alphabetically, each key and value is URL escaped and joined into key=value pairs with "&", and the method, escaped URI and escaped parameter string are then concatenated with "&" into a single string:
POST&https%3A%2F%2Fapi.linkedin.com%2Fuas%2Foauth%2FaccessToken&oauth_consumer_key%3DdTgSkaRKZjEnS1vAUu6e7-aYC00UilBTwnXHpLH7NyL2e-klzBC1a4TKCnSgClWV%26oauth_nonce%3DWqKwyyrjQLgpaeJIB6MWKKmDOIpxKBrz0lLabSO3UI%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1260811635%26oauth_token%3Df7868c3a-7336-4662-a6d1-3219fb4650d1%26oauth_verifier%3D75553%26oauth_version%3D1.0
Create your Authorization HTTP Header & Issue the Request
Now we sign this string using the key we constructed from our consumer secret and oauth_token_secret, then create an HTTP Authorization header including the signature as the oauth_signature value together with oauth_nonce, oauth_signature_method, oauth_timestamp, oauth_consumer_key, oauth_token, oauth_verifier, and oauth_version (there is no oauth_callback at this step).
Authorization: OAuth
oauth_nonce="WqKwyyrjQLgpaeJIB6MWKKmDOIpxKBrz0lLabSO3UI",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1260811635",
oauth_consumer_key="dTgSkaRKZjEnS1vAUu6e7-aYC00UilBTwnXHpLH7NyL2e-klzBC1a4TKCnSgClWV",
oauth_token="f7868c3a-7336-4662-a6d1-3219fb4650d1",
oauth_verifier="75553",
oauth_signature="gp3C1jCOgRyN106UIe0FLTzOmu8%3D",
oauth_version="1.0"
24. Evaluate the accessToken response
Now we issue this request to the accessToken endpoint, and if all is successful, you'll get something like the following form-encoded (URL encoded) response:
oauth_token=fb74aed1-eb7d-4f3f-855c-137000243df8&oauth_token_secret=4e7f562d-04b1-4488-8162-95a2454ae9a8
The oauth_token field is now your access token, and the oauth_token_secret will be used for signing all requests on behalf of the member.
You'll want to "hold on" to the oauth_token and oauth_token_secret for as long as you want to act on the member's behalf. Treat the oauth_token_secret like a password: it is never sent over the wire, it only goes into your signing key, so store it as carefully as you store your consumer secret.
A LinkedIn member may specify that an access token is valid only for a certain period of time
(or forever), but can revoke access on LinkedIn.com at any time.
25. You’ve acquired an access token!
But don’t hang up your dancing shoes yet.
27. Making API resource requests is very similar to other operations. You’ll need your access
token, oauth_token_secret, and your API keys to continue.
We’re going to ask for our own profile from LinkedIn’s people resource. In LinkedIn resource
URLs, the tilde (“~”) character represents the member associated with your access token.
LinkedIn’s API works best when you explicitly tell it what you are looking for, so we’re asking for
the member’s id, first name, last name, and their headline only.
The resource URL for this request would be:
https://api.linkedin.com/v1/people/~:(id,first-name,last-name,headline)
When URL encoding this resource in the following OAuth signing steps, make sure that the tilde character is not escaped: it is an unreserved character, so OAuth's percent-encoding leaves it alone, while the colon, parentheses and commas of the field selector are escaped. The field selectors are not query parameters but part of the path of the URI itself, so they belong in the escaped request URI, not in the sorted parameter list.
Requesting your own profile
28. Start by building your string to sign.
We’ll use these values for this example. Your oauth_token is your access token.
HTTP Method GET
Request URI https://api.linkedin.com/v1/people/~:(id,first-name,last-name,headline)
oauth_consumer_key dTgSkaRKZjEnS1vAUu6e7-aYC00UilBTwnXHpLH7NyL2e-klzBC1a4TKCnSgClWV
oauth_nonce Tv4o9eX4Dmui9uW5otBVweTI28O0YmIWPnRhu0XhmY
oauth_signature_method HMAC-SHA1
oauth_timestamp 1260915816
oauth_token fb74aed1-eb7d-4f3f-855c-137000243df8
oauth_version 1.0
29. Start by building your signature base string.
These parameters are sorted alphabetically, each value is URL escaped, the pairs are joined as key=value with ampersands, and that parameter string is URL escaped once more and concatenated with the method and the escaped request URI into a single string.
GET&https%3A%2F%2Fapi.linkedin.com%2Fv1%2Fpeople%2F~%3A%28id%2Cfirst-name%2Clast-name%2Cheadline%29&oauth_consumer_key%3DdTgSkaRKZjEnS1vAUu6e7-aYC00UilBTwnXHpLH7NyL2e-klzBC1a4TKCnSgClWV%26oauth_nonce%3DTv4o9eX4Dmui9uW5otBVweTI28O0YmIWPnRhu0XhmY%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1260915816%26oauth_token%3Dfb74aed1-eb7d-4f3f-855c-137000243df8%26oauth_version%3D1.0
30. Create your Authorization HTTP Header & Issue the Request
Now we sign this string using our consumer secret in conjunction with your access token's oauth_token_secret (just like in our previous steps) and create an HTTP Authorization header. The signature is included as the oauth_signature value; there is no oauth_verifier this time, since that parameter is only used when exchanging the request token.
Authorization: OAuth
oauth_nonce="Tv4o9eX4Dmui9uW5otBVweTI28O0YmIWPnRhu0XhmY",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1260915816",
oauth_consumer_key="dTgSkaRKZjEnS1vAUu6e7-aYC00UilBTwnXHpLH7NyL2e-klzBC1a4TKCnSgClWV",
oauth_token="fb74aed1-eb7d-4f3f-855c-137000243df8",
oauth_signature="4imDw81fRdCI%2FBBoo0vwix5giVo%3D",
oauth_version="1.0"
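The signing procedure of slides 21 through 23 and 28 through 30, as an added example that is not LinkedIn's own code: it builds the signature base string, the signing key, the HMAC-SHA1 signature and the Authorization header in Python. The consumer key, nonces, timestamps, tokens and request URIs are the slides' values, and the two base strings it produces are exactly those on slides 22 and 29. The consumer secret and the request token's oauth_token_secret are not on the slides, so CONSUMER_SECRET and REQUEST_TOKEN_SECRET are made-up placeholders and the oauth_signature values it prints will not match the slides'.

```python
# Added example (not LinkedIn's code): OAuth 1.0a HMAC-SHA1 request signing as
# described on the slides. Consumer key, nonces, timestamps, tokens and URIs are
# the slides' values; CONSUMER_SECRET and REQUEST_TOKEN_SECRET are placeholders
# (the slides never show them), so the signatures below differ from the slides'.
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

CONSUMER_KEY = "dTgSkaRKZjEnS1vAUu6e7-aYC00UilBTwnXHpLH7NyL2e-klzBC1a4TKCnSgClWV"
CONSUMER_SECRET = "hypothetical-consumer-secret"            # placeholder, not real
REQUEST_TOKEN_SECRET = "hypothetical-request-token-secret"  # placeholder, not real
ACCESS_TOKEN_SECRET = "4e7f562d-04b1-4488-8162-95a2454ae9a8"  # slide 24's response


def pct_encode(value) -> str:
    """RFC 5849 percent-encoding: only ALPHA, DIGIT, '-', '.', '_' and '~' stay
    unescaped, so the '~' in LinkedIn's people/~ path survives while the ':',
    '(', ',' and ')' of the field selector are escaped."""
    return quote(str(value), safe="-._~")


def normalize_uri(uri: str) -> str:
    """Base string URI: lowercase scheme and host, default port dropped,
    query string and fragment removed."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path}"


def signature_base_string(method: str, uri: str, params: dict) -> str:
    """METHOD & enc(normalized URI) & enc(sorted key=value pairs joined by '&')."""
    pairs = sorted((pct_encode(k), pct_encode(v)) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct_encode(normalize_uri(uri)), pct_encode(param_string)])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """enc(consumer secret) '&' enc(token secret). The token secret is the
    request token's secret on the accessToken call and the access token's
    secret on API calls; it is empty only on the requestToken call."""
    return f"{pct_encode(consumer_secret)}&{pct_encode(token_secret)}"


def hmac_sha1_signature(base_string: str, key: str) -> str:
    digest = hmac.new(key.encode("ascii"), base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def authorization_header(params: dict, signature: str) -> str:
    """LinkedIn only accepts header-based OAuth: every value is percent-encoded
    and quoted, so the '=' padding of the signature shows up as %3D."""
    all_params = dict(params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{k}="{pct_encode(v)}"' for k, v in all_params.items())


def sign_request(method: str, uri: str, oauth_params: dict, token_secret: str):
    """Returns (base string, base64 signature, Authorization header value)."""
    base = signature_base_string(method, uri, oauth_params)
    sig = hmac_sha1_signature(base, signing_key(CONSUMER_SECRET, token_secret))
    return base, sig, authorization_header(oauth_params, sig)


# Slides 21-23: exchanging the request token (plus verifier) for an access token.
ACCESS_TOKEN_PARAMS = {
    "oauth_consumer_key": CONSUMER_KEY,
    "oauth_nonce": "WqKwyyrjQLgpaeJIB6MWKKmDOIpxKBrz0lLabSO3UI",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1260811635",
    "oauth_token": "f7868c3a-7336-4662-a6d1-3219fb4650d1",
    "oauth_verifier": "75553",
    "oauth_version": "1.0",
}

# Slides 28-30: fetching our own profile with the access token (no verifier).
PROFILE_PARAMS = {
    "oauth_consumer_key": CONSUMER_KEY,
    "oauth_nonce": "Tv4o9eX4Dmui9uW5otBVweTI28O0YmIWPnRhu0XhmY",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1260915816",
    "oauth_token": "fb74aed1-eb7d-4f3f-855c-137000243df8",
    "oauth_version": "1.0",
}


def access_token_step():
    return sign_request("POST", "https://api.linkedin.com/uas/oauth/accessToken",
                        ACCESS_TOKEN_PARAMS, REQUEST_TOKEN_SECRET)


def profile_step():
    return sign_request("GET", "https://api.linkedin.com/v1/people/~:(id,first-name,last-name,headline)",
                        PROFILE_PARAMS, ACCESS_TOKEN_SECRET)


if __name__ == "__main__":
    for base, sig, header in (access_token_step(), profile_step()):
        print(base)
        print("Authorization:", header)
        print()
```

Running it prints both base strings and both headers. The one thing that changes between the two calls, besides the parameters, is the second half of the signing key: the request token's secret at the accessToken step, the access token's secret afterwards. Getting that half wrong produces a valid-looking signature that LinkedIn rejects with a 401, which is the case the Troubleshooting slide warns about.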
31. Evaluate the XML response
Now we issue this request to the people resource, and if all is successful, you’ll get something
like the following XML response, with your own profile values in place of my own.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<person>
<id>esIpa2xh0v</id>
<first-name>Taylor</first-name>
<last-name>Singletary</last-name>
<headline>Technical Evangelist at LinkedIn</headline>
</person>
If the access token is invalid, or your signature was not properly calculated, you will receive a
401 Unauthorized error. There is always interesting debugging information in the XML body of
a failed request and the HTTP headers we return to you. Maybe your timestamp was off by a
few minutes? Maybe your signature was invalid? Maybe the access token is no longer valid?
33. OAuth is complicated, and there are a number of things that can go wrong.
Here are some tips.
Every error response we send you will contain an XML body describing the error, including a
timestamp representing API server time. Some OAuth-based requests will also return an
oauth_problem HTTP header.
Make sure that your server’s system clock is in sync with ours.
oauth_callback should only be provided on the requestToken step.
oauth_verifier is required in the accessToken step.
PUT & POST operations typically have XML Content-Types. Your OAuth library should exclude the request body from signature calculations as a result: only an application/x-www-form-urlencoded body contributes parameters to the signature base string.
For the access token step, remember that the request token’s oauth_token_secret must be
used as part of your signing key.
Likewise, for API resource requests, your access token’s oauth_token_secret must be used as
part of your signing key.
At this time, LinkedIn only supports HTTP header-based OAuth. Make sure that you are
passing your OAuth credentials as an Authorization HTTP header, not as query parameters
attached to the request.
Troubleshooting
34. Working with LinkedIn's OAuth
OAuth Authentication
Common Issues with OAuth Authentication
General OAuth
OAuth 1.0a Spec
Beginner's Guide to OAuth
Client Libraries & Community Code
Ruby, PHP, Java, .NET
Further Reading
35. I hope you had the time of your life mastering the OAuth dance.
Thanks to all the great people in the LinkedIn Developer Community!