DOCS  vx.y

Support

LinkedIn authentication

Setup

Web apps

For web apps using LinkedIn, we have to use the “Authorization Code” grant flow (or the traditional web server flow) as LinkedIn doesn’t support the implicit grant flow. So this flow needs a backend server to handle intermediate requests.

Overview

First, you have setup and configure your LinkedIn application. Then, you have to make a request to LinkedIn API for an “authorization code”, specifying a “Redirect URI” (which is basically a URL to your application). LinkedIn would respond to this “Redirect URI” with the “authorization code”. Your backend application has to parse the authorization code and make one more request to LinkedIn API. This final API call will return an access token in the response. Your application should now validate the access token by passing to a Hasura Auth endpoint. Hasura will validate the token, and will login the user (if the user is seen for the first time then Hasura will also create the user).

Pre-requisites

• Register an application with LinkedIn, obtain the Client ID and Client secret.
  • Go to https://www.linkedin.com/developer/apps and on top right and click on “Create Application” to create a new application. Fill the following form that appears to create your application.
  • Now you should see your application’s settings page, which also lists the client ID and secret. Copy and keep them safe.
• Next, in the same settings page, you have to add “Authorized Redirect URLs”. This is where you will put your application’s endpoint/URL which will receive the authorization code.
• Under “Default Application Permissions”, check the “r_basicprofile” and “r_emailaddress” checkboxes, so that your application can read the basic profile and the email address of the user. This is important. If you fail to do this, Hasura Auth won’t be able to fetch your user’s email address.

Configuration

• Now you need to configure Hasura Auth microservice with these credentials.
• To configure, go to conf/auth.yaml file inside your Hasura project.
• Under linkedin, set the clientId

Note

The linkedin key might be commented out. Make sure to uncomment it.

linkedin:
  clientId: "String"
  clientSecret:
    secretKeyRef:
      key: auth.linkedin.client_secret
      name: hasura-secrets

• clientId: The client ID obtained when creating the application.

• clientSecret: The client secret obtained when creating the application. As you see in the above code snippet, client secret is a reference to a hasura project secret called auth.linkedin.client_secret. To add your client secret to hasura project secrets, run the following command from your project directory.

  $ hasura secret update auth.linkedin.client_secret
  

The flow

• Redirect the browser (full page or popup) to https://www.linkedin.com/oauth/v2/authorization with the following set of query parameters. Please note that you have to make the browser redirect to this URL and not make AJAX calls. The following parameters are mandatory:

  • response_type : This should always be code.
  • client_id : The client ID you obtain from your LinkedIn application settings.
  • scope : Permissions that your application needs. Set this to r_emailaddress.
  • redirect_uri : The redirect_uri value you have already setup (from Step 2 in pre-requisites).
  • state: A unique string value of your choice that is hard to guess. Used to prevent CSRF.

  For example:

  https://www.linkedin.com/oauth/v2/authorization?
    scope=r_emailaddress&
    redirect_uri=https%3A%2F%2Foauth2.example.com%2Foauthcallback&
    response_type=code&
    client_id=812741506391&
    state=DgkRrHXmyu3KLd0KDdfq
  

  The documentation (in details) for this can be found here: https://developer.linkedin.com/docs/oauth2

• LinkedIn will handle the authentication, and if the user has granted permission for your app, it will redirect back to the “Redirect URI” with the authorization code as code in the URL query string.

• Now your application has to parse the URL and retrieve the authorization code.

• Once the code is obtained, send the code to Hasura Auth microservice:

POST auth.<cluster-name>.hasura-app.io/v1/login HTTP/1.1
Content-Type: application/json

{
  "provider" : "linkedin",
  "data" : {
     "code": "String",
     "redirect_uri": "String",
  }
}

• If successful, this will return a response as follows:

  HTTP/1.1 200 OK
  Content-Type: application/json
  
  {
    "auth_token": "b4b345f980ai4acua671ac7r1c37f285f8f62e29f5090306",
    "hasura_id": 79,
    "new_user": true,
    "hasura_roles": [
        "user"
    ]
  }
  

• If the user is a new user, new_user will be true, else false.

• To check if the current user is logged in, make a call to: /v1/user/info.

• To logout, make a call to /v1/user/logout.

• To get Hasura credentials of current logged in user, /v1/user/info.

« previous | next »

Was this page helpful?

Submit

Thank you for your feedback!

Want to contribute or report missing content? Check out the github repo for docs.
Powered by Sphinx. Copyright © 2019 Hasura.