Refresh Tokens with OAuth 2.0 - LinkedIn (2024)


LinkedIn supports programmatic refresh tokens for all approved Marketing Developer Platform (MDP) partners.

Introduction

Refresh tokens are used to get a new access token when your current access token expires. For more information, see the OAuth 2.0 RFC.

LinkedIn offers programmatic refresh tokens that are valid for a fixed length of time. By default, access tokens are valid for 60 days and programmatic refresh tokens are valid for a year. The member must reauthorize your application when refresh tokens expire.


When you use a refresh token to generate a new access token, the lifespan or Time To Live (TTL) of the refresh token remains the same as specified in the initial OAuth flow (365 days), and the new access token has a new TTL of 60 days.

For example, on:

  • Day 1 - Your refresh token has a TTL of 365 days, and your access token has a TTL of 60 days.
  • Day 59 - If you generate a new access token using the refresh token, the access token will have a TTL of 60 days and the refresh token will have a TTL of 306 days (365-59=306).
  • Day 360 - If you generate a new access token, your access token and refresh token will both expire in 5 days (365-360=5), and you must get your application reauthorized by the member using the authorization flow.

Note

Refresh Tokens are useful for minting new Access tokens and allow for seamless operation over extended periods of time. However, LinkedIn reserves the right to revoke Refresh Tokens or Access Tokens at any time for technical or policy reasons. In such scenarios, products leveraging Refresh Tokens are expected to fall back to the standard OAuth flow and present the login screen to the end user.

Step 1: Getting a Refresh Token

Use the Authorization Code Flow to get both a refresh token and access token. If your application is authorized for programmatic refresh tokens, the following fields are returned when you exchange the authorization code for an access token:

  • refresh_token — Your refresh token for the application. This token must be kept secure.
  • refresh_token_expires_in — The number of seconds remaining until the refresh token expires. Refresh tokens usually have a longer lifespan than access tokens.
  • scope — URL-encoded, space-delimited list of member permissions your application has requested on behalf of the user.

Sample Response

{
  "access_token": "AQXNnd2kXITHELmWblJigbHEuoFdfRhOwGA0QNnumBI8XOVSs0HtOHEU-wvaKrkMLfxxaB1O4poRg2svCWWgwhebQhqrETYlLikJJMgRAvH1ostjXd3DP3BtwzCGeTQ7K9vvAqfQK5iG_eyS-q-y8WNt2SnZKZumGaeUw_zKqtgCQavfEVCddKHcHLaLPGVUvjCH_KW0DJIdUMXd90kWqwuw3UKH27ki5raFDPuMyQXLYxkqq4mYU-IUuZRwq1pcrYp1Vv-ltbA_svUxGt_xeWeSxKkmgivY_DlT3jQylL44q36ybGBSbaFn-UU7zzio4EmOzdmm2tlGwG7dDeivdPDsGbj5ig",
  "expires_in": 86400,
  "refresh_token": "AQWAft_WjYZKwuWXLC5hQlghgTam-tuT8CvFej9-XxGyqeER_7jTr8HmjiGjqil13i7gMFjyDxh1g7C_G1gyTZmfcD0Bo2oEHofNAkr_76mSk84sppsGbygwW-5oLsb_OH_EXADPIFo0kppznrK55VMIBv_d7SINunt-7DtXCRAv0YnET5KroQOlmAhc1_HwW68EZniFw1YnB2dgDSxCkXnrfHYq7h63w0hjFXmgrdxeeAuOHBHnFFYHOWWjI8sLLenPy_EBrgYIitXsAkLUGvZXlCjAWl-W459feNjHZ0SIsyTVwzAQtl5lmw1ht08z5Du-RiQahQE0sv89eimHVg9VSNOaTvw",
  "refresh_token_expires_in": 525600,
  "scope": "r_basicprofile"
}

Note

Refresh tokens are approximately 500 characters long. We recommend that your application stack be made to handle tokens of at least 1000 characters to accommodate future expansion plans. This applies to access tokens as well as refresh tokens.

Step 2: Exchanging a Refresh Token for a New Access Token

You can exchange the refresh token for a new access token by making the following HTTP POST request with a Content-Type header of application/x-www-form-urlencoded and the following parameters in the request body:

Endpoint: POST https://www.linkedin.com/oauth/v2/accessToken

  • grant_type — The value of this field should always be refresh_token. (Required)
  • refresh_token — The refresh token from Step 1. (Required)
  • client_id — The Client ID value generated when you registered your application. (Required)
  • client_secret — The Client Secret value generated when you registered your application. (Required)

Sample Request

POST https://www.linkedin.com/oauth/v2/accessToken
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=AQQOMeCIQMa6-zjU-02w8EJW67wPVk3hjJE5x1lZhU013LihKD8i1DpvaAl2jnuP8F1uXMgkm8nzjPfnaJR_kQNOxsLRLZWnAMzHMm81S0yQlkBYicw&client_id=861hhm46p48to2&client_secret=gPecS7yqHkyyShvR

A successful request returns a new access token with a new expiration time and the refresh token.

{
  "access_token": "BBBB2kXITHELmWblJigbHEuoFdfRhOwGA0QNnumBI8XOVSs0HtOHEU-wvaKrkMLfxxaB1O4poRg2svCWWgwhebQhqrETYlLikJJMgRAvH1ostjXd3DP3BtwzCGeTQ7K9vvAqfQK5iG_eyS-q-y8WNt2SnZKZumGaeUw_zKqtgCQavfEVCddKHcHLaLPGVUvjCH_KW0DJIdUMXd90kWqwuw3UKH27ki5raFDPuMyQXLYxkqq4mYU-IUuZRwq1pcrYp1Vv-ltbA_svUxGt_xeWeSxKkmgivY_DlT3jQylL44q36ybGBSbaFn-UU7zzio4EmOzdmm2tlGwG7dDeivdPDsGbj5ig",
  "expires_in": 86400,
  "refresh_token": "AQWAft_WjYZKwuWXLC5hQlghgTam-tuT8CvFej9-XxGyqeER_7jTr8HmjiGjqil13i7gMFjyDxh1g7C_G1gyTZmfcD0Bo2oEHofNAkr_76mSk84sppsGbygwW-5oLsb_OH_EXADPIFo0kppznrK55VMIBv_d7SINunt-7DtXCRAv0YnET5KroQOlmAhc1_HwW68EZniFw1YnB2dgDSxCkXnrfHYq7h63w0hjFXmgrdxeeAuOHBHnFFYHOWWjI8sLenPy_EBrgYIitXsAkLUGvZXlCjAWl-W459feNjHZ0SIsyTVwzAQtl5lmw1ht08z5Du-RiQahQE0sv89eimHVg9VSNOaTvw",
  "refresh_token_expires_in": 439200,
  "scope": "r_basicprofile"
}

API Error Details

Each entry lists the HTTP status code and error message, followed by the error description and the resolution.

  • 400 invalid_request: "The provided authorization grant or refresh token is invalid, expired or revoked"
    Description: An invalid, expired or revoked refresh token was sent as part of the request.
    Resolution: The refresh token has expired, been revoked or is invalid; reauthenticate the member to generate a new refresh token.
  • 400 invalid_request: "A required parameter "redirect_uri" is missing"
    Description: The redirect_uri in the request is missing. It is a mandatory parameter.
    Resolution: Pass the redirect_uri in the request to route the user back to the correct landing page.
  • 400 invalid_request: "A required parameter "grant_type" is missing"
    Description: The grant type in the request is missing. It is a mandatory parameter.
    Resolution: Add grant_type as "refresh_token" in the request.
  • 400 invalid_request: "A required parameter "client_id" is missing"
    Description: The Client ID in the request is missing. It is a mandatory parameter.
    Resolution: Pass the client id of the app in the request.
  • 400 invalid_request: "A required parameter "refresh_token" is missing"
    Description: The refresh token in the request is missing. It is a mandatory parameter.
    Resolution: Pass the stored refresh token received as part of the initial access token call.
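The following is an added example, not LinkedIn's code, showing how a client would implement Step 2 and the error handling in the table above: it builds the form-encoded POST to the token endpoint, converts the "seconds remaining" fields into absolute expiry instants (which is what makes the Day 1 / Day 59 / Day 360 arithmetic in the introduction work), refuses to store tokens longer than the 1000 characters the Note asks you to provision, and raises ReauthorizationRequired instead of retrying when the refresh token is rejected as invalid, expired or revoked, so the application can fall back to the authorization code flow as the Note requires. The 300-second refresh skew, the helper names, and the error body shape (assumed to follow RFC 6749 section 5.2, with error and error_description fields) are assumptions; the sample response and error body are constructed stand-ins for the page's samples, with shortened tokens.

```python
"""Added example (not LinkedIn's code): client-side refresh of a LinkedIn access
token per Step 2, with absolute-expiry bookkeeping for the TTL example and the
re-authorization fallback the Note requires."""
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

TOKEN_ENDPOINT = "https://www.linkedin.com/oauth/v2/accessToken"
REFRESH_SKEW_SECONDS = 300  # assumption: renew 5 minutes before the access token lapses
MAX_TOKEN_LENGTH = 1000     # storage sized per the "at least 1000 characters" note

# A transport takes (url, urlencoded form bytes) and returns (HTTP status, body text).
Transport = Callable[[str, bytes], Tuple[int, str]]


class ReauthorizationRequired(Exception):
    """Refresh token unusable: run the authorization code flow again instead of retrying."""


@dataclass(frozen=True)
class TokenSet:
    access_token: str
    refresh_token: str
    access_expires_at: float   # absolute epoch seconds
    refresh_expires_at: float  # absolute epoch seconds; fixed at initial authorization

    @classmethod
    def from_response(cls, body: Dict, now: float) -> "TokenSet":
        # Both *_expires_in values are "seconds remaining": pin them to absolute
        # instants once, so the refresh token's deadline never silently slides.
        for field in ("access_token", "refresh_token"):
            if len(body[field]) > MAX_TOKEN_LENGTH:
                raise ValueError(f"{field} exceeds the {MAX_TOKEN_LENGTH} chars we store")
        return cls(body["access_token"], body["refresh_token"],
                   now + int(body["expires_in"]), now + int(body["refresh_token_expires_in"]))


def urllib_transport(url: str, form: bytes) -> Tuple[int, str]:
    """Real HTTP transport (not exercised offline), sending the Content-Type Step 2 requires."""
    req = Request(url, data=form, method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8")


def refresh_access_token(tokens: TokenSet, client_id: str, client_secret: str,
                         transport: Transport, now: Optional[float] = None) -> TokenSet:
    now = time.time() if now is None else now
    if now >= tokens.refresh_expires_at:
        raise ReauthorizationRequired("refresh token TTL has elapsed")
    form = urlencode({"grant_type": "refresh_token", "refresh_token": tokens.refresh_token,
                      "client_id": client_id, "client_secret": client_secret}).encode("ascii")
    status, text = transport(TOKEN_ENDPOINT, form)
    body = json.loads(text)
    if status == 400:  # error body shape assumed to follow RFC 6749 section 5.2
        desc = body.get("error_description", "")
        if body.get("error") == "invalid_request" and "invalid, expired or revoked" in desc:
            raise ReauthorizationRequired(desc)
        raise ValueError(f"malformed refresh request: {desc}")  # e.g. a missing parameter
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}")
    return TokenSet.from_response(body, now)


def ensure_fresh(tokens: TokenSet, client_id: str, client_secret: str,
                 transport: Transport, now: Optional[float] = None) -> TokenSet:
    """Return tokens usable for at least REFRESH_SKEW_SECONDS more, refreshing if needed."""
    now = time.time() if now is None else now
    if tokens.access_expires_at - now > REFRESH_SKEW_SECONDS:
        return tokens
    return refresh_access_token(tokens, client_id, client_secret, transport, now)


# Constructed stand-ins for the page's sample response and its first error row.
SAMPLE_OK = {"access_token": "AQX-constructed-new-access-token", "expires_in": 86400,
             "refresh_token": "AQW-constructed-refresh-token",
             "refresh_token_expires_in": 439200, "scope": "r_basicprofile"}
SAMPLE_REVOKED = {"error": "invalid_request", "error_description":
                  "The provided authorization grant or refresh token is invalid, expired or revoked"}


def stub_transport(status: int, reply: Dict) -> Tuple[Transport, List[Dict[str, List[str]]]]:
    """Offline transport: records each decoded form body and returns a canned reply."""
    calls: List[Dict[str, List[str]]] = []

    def transport(url: str, form: bytes) -> Tuple[int, str]:
        calls.append(parse_qs(form.decode("ascii")))
        return status, json.dumps(reply)
    return transport, calls
```

In production, call ensure_fresh(tokens, client_id, client_secret, urllib_transport) before each API call and persist the returned TokenSet; catch ReauthorizationRequired at the point where you can send the member back through the authorization code flow. The transport is injected so the same logic runs offline against stub_transport, which is how the expiry and error paths can be exercised without real credentials.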

FAQs

How do I get my OAuth 2.0 refresh token? ›

Use the Authorization Code Flow to get both a refresh token and access token. If your application is authorized for programmatic refresh tokens, the following fields are returned when you exchange the authorization code for an access token: refresh_token — Your refresh token for the application.

How do I refresh my Linkedin token? ›

Generally, you should check the expiration time of the access token and request a new one before it expires. This is done by sending a POST request to the token endpoint of the authorization server with grant_type=refresh_token, refresh_token=the refresh token, and optionally scope=the scope of the new access token.

Is there currently a limit of 100 refresh tokens per Google account per OAuth 2.0 client ID? ›

There is currently a limit of 100 refresh tokens per Google Account per OAuth 2.0 client ID. If the limit is reached, creating a new refresh token automatically invalidates the oldest refresh token without warning. This limit does not apply to service accounts.

Why is it a bad idea to use OAuth 2.0 for authentication? ›

The purpose of OAuth2 Tokens is to authorize requests at a first-party server (or API). If the third party uses the OAuth2 Access Token as proof of authentication, an attacker could easily impersonate a legitimate user.

What is a refresh token in OAuth 2? ›

The refresh token exists to enable authorization servers to use short lifetimes for access tokens without needing to involve the user when the token expires. Related: Refreshing Access Tokens (oauth.com) Refresh Tokens: What they are and when to use them (auth0.com)

Which OAuth grant type can support a refresh token on LinkedIn? ›

The authorization code grant type is used to obtain both access tokens and refresh tokens. The grant type uses the additional authorization endpoint to let the authorization server interact with the resource owner in order to get consent for resource access.

Where do I find my LinkedIn access token? ›

Generate a Token Manually Using the Developer Portal

The LinkedIn Developer Portal has a token generator for manually creating tokens. Visit the LinkedIn Developer Portal Token Generator or follow the steps outlined in Developer Portal Tools.

Does refresh token expire in OAuth2? ›

When enabled, a refresh token will expire based on an absolute lifetime, after which the token can no longer be used. If rotation is enabled, an expiration lifetime must be set.

What is the difference between auth token and refresh token? ›

The access token is used to authenticate API requests to access protected resources, while the refresh token is used to obtain new access tokens once the current ones expire.

How many times can a refresh token be used? ›

It depends. By default, each time you refresh a token, it returns a new access token and a new refresh token. The old refresh token is usable only one time. From the client side there is no limit: you can refresh as often as you like as long as the refresh token has not expired.

How many refresh tokens per user? ›

Limitations. Auth0 limits the amount of active refresh tokens to 200 tokens per user per application.

What is an example of OAuth 2.0 authentication? ›

OAuth 2.0 allows users to share specific data with an application while keeping their usernames, passwords, and other information private. For example, an application can use OAuth 2.0 to obtain permission from users to store files in their Google Drives. This OAuth 2.0 flow is called the implicit grant flow.

Do I really need OAuth2? ›

In conclusion, whether to use OAuth2 and OpenID Connect depends on the use case. If your project involves enabling third-party applications to access user data, machine-to-machine authorization, or a large variety of client applications on IoT devices, then you'll likely need OAuth2 and OpenID Connect.

Can OAuth2 be hacked? ›

If the OAuth service fails to validate this URI properly, an attacker may be able to construct a CSRF-like attack, tricking the victim's browser into initiating an OAuth flow that will send the code or token to an attacker-controlled redirect_uri.

How do I get my refresh token from connected app? ›

When you click Get New Access Token, a pop-up will open for you to enter Anypoint credentials.
  1. After entering credentials, click the Grant access to button.
  2. After it redirects to Postman, you can see the access token along with the refresh_token.

How to get OAuth access token? ›

Steps to Generate OAuth Token
  1. Step 1: Registering a Client.
  2. Step 2: Making the Authorization Request.
  3. Step 3: Generating Tokens.
  4. Step 4: Refreshing your Access Tokens.

How are refresh tokens generated? ›

The Role of Refresh Tokens in the Authorization Process

Usually, during the first stage of the authorization process, the system generates a token after a successful login. Then the system returns the new refresh token along with the access token, and it remains valid for a longer duration than the access token.

How to get access token from authorization code? ›

The following section describes the steps for obtaining the access token and refresh token using the authorization code grant mechanism:
  1. Step 1: Authenticate a User and Create a User Session.
  2. Step 2: [Optional] Generating Client Credentials.
  3. Step 3: Generate Authorization Code.
  4. Step 4: Exchange Auth Code for a Token.

Article information

Author: Zonia Mosciski DO