Thursday, November 21, 2013

OAuth2 with LinkedIn

OAuth2 basically allows third party application, to access protected resource of a specific user. You may have seen some web applications/sites allows you to login through your Google, Facebook, LinkedIn etc accounts. As an example just try this with any mentioned account (Google, Facebook, Yahoo etc.). After giving your username password credentials you will be notified the authorities which the third party application will get if you agreed to proceed.

Some important term definitions in OAuth2:
  • Resource Owner - The person/entity which capable of granting the access to a protected resource.
  • Resource Server - The server which contains the protected resources, and capable of deal with access tokens in protected resource requests.
  • Client - The application which requests for protected resources on behalf of resource owner.
  • Authorization Server - The server which authorize resource owner, and issue access tokens to the client

Following figure shows basic flow of OAuth2 authentication process.

If you are really interested in digging more details, OAuth2 RFC will be the best resource. I strongly recommend you to go through at least up to 1.6 section in the RFC.

With this blog post, I show you how third party java application can access protected LinkedIn resources.

1. Register an application on LinkedIn. - This basically helps to create a link between LinkedIn and your application (third party application).

2. Get an access token - The access token represent the credentials to access protected resources. So your application does not need to store resource owner's credentials, but the access token.

3. Make API calls - Yes, after obtaining access token you are free to call API methods with that, until it expires.

LinkedIn official documentation contains detailed description on the above steps. You can follow those and familiar with this matter. Make sure you tried both Authorization code request and Access token request.

Now we need our application to store access token. For this we have to do some coding in the application. We can easily get authorization code with a GET request. Then we need a POST request to get access token using the authorization code and other required parameters.

So, we can get the authorization code from request parameters in the redirect uri, and make server side code request to get the access token. For this we have to use a HTTP client library. You can use Apache HTTP client library components to approach this. For process the responce you can use XML parser like DOM or SAX. Try out the sample application yourself after reaing README file. Happy coding !

Thanks to mkyong for making me comfortable with his SpingMVC example.