LinkedIn offers a robust platform for developers to integrate their applications with LinkedIn user accounts and data through the LinkedIn API. To enable this integration, LinkedIn uses the OAuth 2.0 protocol, which allows users to grant limited access to their LinkedIn accounts to third-party applications without exposing their login credentials.
A key component of securing an OAuth integration is registering redirect URLs for your application in the LinkedIn developer portal. The redirect URL is the endpoint in your application that users will be redirected back to after they authorize your app to access their LinkedIn data. LinkedIn will only send authorization codes back to registered redirect URLs as a security measure.
Why Do You Need to Register Redirect URLs?
There are a few important reasons why LinkedIn requires registering redirect URLs for apps:
- Security – By registering URLs, LinkedIn can verify that the site asking for authorization is the actual application that has been reviewed and approved in the LinkedIn developer portal. This prevents unauthorized sites from accessing user data.
- User Experience – Redirecting users back to a registered URL they recognize ensures a seamless authorization experience.
- Compliance – Many OAuth authorization servers require pre-registered redirect URLs to comply with security standards and best practices.
Overall, registered redirect URLs are a key step in securely implementing OAuth and ensuring users only authorize trusted applications to access their LinkedIn accounts.
Where to Register Redirect URLs
To register redirect URLs for your LinkedIn application, you must set them up in the LinkedIn developer portal when you create your app:
- Go to LinkedIn Developer Portal and log in with your LinkedIn account.
- Click on “My Apps” in the top menu bar and then click the “Create Application” button.
- Fill out your application details including name, logo, description, etc.
- Under “Authentication”, locate the “Authorized Redirect URLs” section.
- Enter each redirect URL on a new line. These must include the http or https protocol and domain name.
- Finish completing the remaining sections and click “Submit” to create your app.
You can go back and edit or add new redirect URLs later under the “Authentication” settings for your app.
Redirect URL Format
The redirect URLs you register must meet the following criteria:
- Must use http or https protocol
- Cannot contain URL fragments or query parameters
- Cannot use ports besides 80 for http or 443 for https
- Must match URLs that are valid for your application
- Should use your actual domain name, not “localhost” URLs
Here are some example correctly formatted redirect URLs:
- https://www.myapp.com/auth/linkedin/callback
- http://myapp.com/linkedin/auth
- https://myapp.com/oauth2/redirect
How Many Redirect URLs Can You Register?
LinkedIn allows developers to register up to 10 redirect URLs per application. Each URL must be unique across the application.
If you need to register more than 10 redirect URLs, you can contact LinkedIn developer support to request that additional URLs be enabled for your app. However, a large number of redirects increases complexity, so it’s best to consolidate them if possible.
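The format criteria and the 10-URL limit above can be checked before you paste a list into the portal. The following Python linter is an added example, not LinkedIn's own validation code; the function names are hypothetical and the rules are only those listed in this article.

```python
from urllib.parse import urlsplit

MAX_REDIRECT_URLS = 10                      # per-application limit stated above
DEFAULT_PORTS = {"http": 80, "https": 443}  # the only ports the criteria allow
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_redirect_url(url):
    """Return a list of rule violations for one candidate redirect URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return ["must use the http or https protocol"]
    if not parts.hostname:
        return ["must include a domain name"]
    problems = []
    if parts.query:
        problems.append("must not contain query parameters")
    if parts.fragment:
        problems.append("must not contain a URL fragment")
    try:
        port = parts.port          # None when no explicit port is given
    except ValueError:             # non-numeric or out-of-range port
        port = -1
    if port is not None and port != DEFAULT_PORTS[scheme]:
        problems.append("port must be 80 for http or 443 for https")
    if parts.hostname in LOOPBACK_HOSTS:
        problems.append("should use a real domain name, not localhost")
    return problems


def check_registration(urls):
    """Check a whole list; returns {url: [problems]}, with '*' for list-level issues."""
    report, seen = {}, set()
    for url in urls:
        problems = check_redirect_url(url)
        if url in seen:
            problems.append("duplicate entry; each URL must be unique")
        seen.add(url)
        if problems:
            report[url] = problems
    if len(seen) > MAX_REDIRECT_URLS:
        report["*"] = [f"more than {MAX_REDIRECT_URLS} redirect URLs registered"]
    return report
```

An empty report means every entry satisfies the criteria listed in this article; LinkedIn's portal may apply further checks of its own.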
When Are the Redirect URLs Used?
The registered redirect URLs come into play during the OAuth authorization sequence:
- Your application initiates an authorization request to LinkedIn’s API with your client ID.
- LinkedIn authenticates the request and prompts the user to authorize access.
- If the user authorizes the request, LinkedIn redirects back to your application with an authorization code.
- Your application receives the redirect request and authorization code at the registered redirect URL.
- Your app exchanges the authorization code for an access token that it uses to call LinkedIn’s APIs.
So in summary, LinkedIn relies on the redirect URL to securely send back the authorization code that enables your app to access the user’s data.
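The client side of this sequence, as an added Python example that is not code from LinkedIn or from the original article. The endpoint URLs and parameter names are assumed from LinkedIn's public OAuth 2.0 documentation, the `state` value is the standard OAuth 2.0 anti-forgery parameter (not mentioned above), and the client ID, function names and `session` dict are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_ENDPOINT = "https://www.linkedin.com/oauth/v2/authorization"
TOKEN_ENDPOINT = "https://www.linkedin.com/oauth/v2/accessToken"

# Constructed sample values; substitute your app's own settings.
CLIENT_ID = "example-client-id"
REGISTERED_REDIRECTS = {"https://www.myapp.com/auth/linkedin/callback"}


def build_authorization_url(redirect_uri, scope, session):
    """Step 1: send the user to LinkedIn, naming a registered redirect URL."""
    if redirect_uri not in REGISTERED_REDIRECTS:
        raise ValueError("redirect_uri is not one of the registered URLs")
    session["oauth_state"] = secrets.token_urlsafe(32)  # unguessable, per request
    session["oauth_redirect_uri"] = redirect_uri
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "state": session["oauth_state"],
        "scope": scope,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def handle_callback(callback_url, session):
    """Steps 3-4: accept the redirect only if it answers our own request."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: replays fail
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch; not a response to our request")
    if "error" in params:
        raise RuntimeError(f"authorization failed: {params['error'][0]}")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]


def token_request_form(code, client_secret, session):
    """Step 5: form fields to POST to TOKEN_ENDPOINT (the request is not sent here)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": session.pop("oauth_redirect_uri"),  # same URL as in step 1
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }
```

The token request repeats the redirect URL used in the authorization request, which is why the example stores it in the session rather than rebuilding it from the incoming callback.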
Tips for Setting Redirect URLs
Here are some tips to follow when setting your application’s redirect URLs:
- Use your real production domain for redirects rather than “localhost”.
- Try to avoid using common URLs like “/” or “callback” as the full path.
- If developing locally, register local URLs but update them before launch.
- Consider security – place redirects within your app rather than the domain root.
- Use URL naming conventions consistent with your framework like /oauth/linkedin.
- Document your registered redirects to streamline troubleshooting.
Updating or Removing Redirect URLs
Over the lifetime of your application you may need to update or remove redirect URLs as your setup changes. Here is how you can manage this:
Updating Redirect URLs
- Go to your app configuration under “My Apps” in the LinkedIn developer portal.
- Navigate to the “Authentication” section.
- Edit the existing redirect URLs or add new ones and click “Add”.
- Changes should apply immediately after saving.
Removing Redirect URLs
- Go to your app configuration under “My Apps” in the LinkedIn developer portal.
- Navigate to the “Authentication” section.
- Find the redirect URL you want to remove and click the “X” next to it.
- Changes should apply immediately after saving.
Handling Errors Related to Redirect URLs
If you encounter errors related to redirect URLs, here are some things to check:
- Verify the URL generating the error is registered properly in your LinkedIn app configuration.
- Check for typos or incorrect URLs in your registration.
- Ensure your app is using https for redirect URLs.
- Try clearing cookies and restarting the OAuth flow.
- Test on different environments in case an issue is environment specific.
- If the problem persists, contact LinkedIn developer support.
Conclusion
Registering valid redirect URLs is a critical part of integrating your application with LinkedIn via OAuth. The redirects enable secure transmission of authorization codes back to your app, which it then exchanges for access tokens for LinkedIn’s APIs. Carefully configure your redirects during app registration and keep them updated as your setup evolves. Following LinkedIn’s redirect URL requirements and best practices will ensure a smooth authorization experience for your users.