decioferreira / omniauth-linkedin-oauth2

A LinkedIn OAuth2 strategy for OmniAuth.
MIT License

LinkedIn error: "The token used in the request is expired" #17

Open maccman opened 10 years ago

maccman commented 10 years ago

I'm getting the following error when I'm using this gem.

OAuth2::Error at /auth/linkedin/callback : { "errorCode": 0, "message": "The token used in the request is expired.", "requestId": "5LVAAP7YZ2", "status": 401, "timestamp": 1392084765723 } file: client.rb location: request line: 110

So it actually looks like a problem with LinkedIn. I was seeing it intermittently, so I surmised it was a timing issue. Lo and behold, if I put a 10 second sleep in there it works every time.

  def raw_info
    @raw_info ||= begin
      sleep 10
      access_token.get("/v1/people/~:(#{options.fields.join(',')})?format=json").parsed
    end
  end

I'm wondering if anyone else has seen this behavior?

fmendez commented 10 years ago

There's a thread here: http://developer.linkedin.com/forum/unauthorized-invalid-or-expired-token-immediately-after-receiving-oauth2-token with a lengthy discussion and several possible workarounds.

kamloops commented 10 years ago

Hi Folks,

Kamyar here with LinkedIn. This should be resolved in production. Please verify everything works on your end. Apologize for the regression, but we are working hard to ensure this doesn't happen again.

Regards, Kamyar

On Tue, Feb 25, 2014 at 4:07 AM, Fernando Mendez notifications@github.com wrote:

There's a thread here: http://developer.linkedin.com/forum/unauthorized-invalid-or-expired-token-immediately-after-receiving-oauth2-token with a lengthy discussion and several possible workarounds.


vovka667 commented 6 years ago

It doesn't work now. Without "sleep 5" I get a 401 error with "message": "Then token used in this request has been revoked by the user.".

carloscambon commented 6 years ago

I am getting the same 401 error when trying to retrieve the user info with the correct token. And it works every time if I put in a 5 second sleep. Is there any workaround to this?

kfitzsimons commented 6 years ago

Any update? Surprised this is still an issue but seeing the same error.

elahmo commented 6 years ago

Same error here, it popped up in the past weeks. Before that, things were working correctly.

Ahamathullah commented 6 years ago

I am getting the same 401 error when trying to retrieve the user info with the correct token using Oauth2.0. The response is like:

{ "errorCode": 0, "message": "Then token used in this request has been revoked by the user.", "requestId": "KP9N0EXW9W", "status": 401, "timestamp": 1536553487159 }

Can anyone help to solve this to get user information like email and name of the user?

elahmo commented 6 years ago

@Ahamathullah I have resolved an issue by adding a delay after calling a request when obtaining the token. Go with 5-6 seconds. LinkedIn doesn't seem to activate the token that it gives immediately, so waiting a bit helps.

edmundadjei commented 4 years ago

I'm still getting this error too

April 23rd 2020, 11:35:33.736   message:[Thu Apr 23 11:35:33 2020] c187bb8eff27ee9084ce3b89daf07dde LinkedIn profile error: The token used in the request has expired 

I know the token has not expired because I have just literally refreshed it.

saraiyakush commented 3 years ago

I am facing this problem as well. Even the introspect api call POST https://www.linkedin.com/oauth/v2/introspectToken returns revoked or expired at times, when the token is created literally a second ago.

Adding delay won't work for me because it does not go well with the user experience. Imagine keeping the user waiting for 5 seconds after they have authorized the app to access LinkedIn.

This needs to be solved!

joeEulerity commented 3 years ago

I'm also facing this problem.

I'm generating access tokens from a refresh token. If I use the access token immediately, but if I wait a few minutes, it miraculously works.

This means that any integration tests I run that generate an access token for immediate use ALWAYS fail

-- update. I didn't realize where I was posting this. My comment really belongs on some LinkedIn developer page, not here. I will leave it here anyway though so that others realize this is a LinkedIn problem, and not an issue with this repo.

tfrancois commented 3 years ago

+1

I can also confirm that this is an issue as I am seeing the EXACT same thing as the last two posters. Glad to know though that it's not something I'm doing wrong in my code (finally). This definitely needs to be fixed. I'm hoping someone from the dev team is monitoring this issue/post.

EDIT: What I would like to report however, is for whatever reason, the token that is reported as revoked from the API call to introspect token still works fine if I skip the check! Not good. Defeats the purpose of relying on the information about a token revocation if it's not reporting the correct state in either direction. PLEASE FIX THIS.

georgek1991 commented 2 years ago

I am facing this issue. Has anyone solved this?

joeEulerity commented 2 years ago

It's been 7 years since a LinkedIn dev replied on this thread. I wouldn't get my hopes up that this has been or ever will be resolved.

avinasha commented 3 months ago

As of this comment, this issue still persists. The following stackoverflow answers suggested to include all the params sent to https://www.linkedin.com/oauth/v2/accessToken to get the access token to be sent as query params and not part of the body!

https://stackoverflow.com/questions/25488172/linkedin-api-the-token-used-in-the-oauth-request-has-been-revoked
https://stackoverflow.com/questions/66830621/linkedin-api-the-token-used-in-the-request-has-been-revoked-by-the-user

This works! To achieve this using this gem, monkey patch the client options for the oauth2 client to include token_method set to post_with_query_string. This ensures the params are in the query string rather than the body of the POST request.

module OmniAuth
  module Strategies
    class LinkedIn
      option :client_options, {
        :site => 'https://api.linkedin.com',
        :authorize_url => 'https://www.linkedin.com/oauth/v2/authorization?response_type=code',
        :token_url => 'https://www.linkedin.com/oauth/v2/accessToken',
        :token_method => :post_with_query_string
      }
    end
  end
end

mikemike396 commented 3 months ago

I tried this out in C# using RestSharp .AddQueryParameter via a POST and it didn't change anything. Still getting the 401 if I don't delay for 5-8 seconds.

joeEulerity commented 3 months ago

Our solution is to call introspect token in a loop with a delay of 250ms until we get TEN!!!! 10 responses saying the token is valid. This is the only method that appears to work consistently

lucca-oliveira commented 2 months ago

@joeEulerity Hey! Can you show an example of how you implemented that? I'm having the same issue for a couple of weeks and nothing I tried could solve the problem.

joeEulerity commented 2 months ago

@lucca-oliveira I don't actually use this github project, so I can't provide a code sample. I only found this while searching for solutions to the LinkedIn API issue I was having. But essentially it would look something like this language agnostic pseudocode:

  token = generateToken(params)
  validTokenCount = 0
  while (validTokenCount < 10) {
    if (isTokenValid(token)) {
      validTokenCount++;
    } else {
      validTokenCount = 0;
      sleep(250)
    }
  }
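
The polling approach in the pseudocode above, written out in Ruby as an added example; it is not code from any commenter or from this gem. `introspection_probe` is a hypothetical helper that assumes form-encoded `client_id`, `client_secret` and `token` parameters and a boolean `active` field in the reply, and the loop adds a deadline that the pseudocode does not have.

```ruby
require 'json'
require 'net/http'
require 'uri'

class TokenNotReady < StandardError; end

# Endpoint quoted in the thread.
INTROSPECT_URL = 'https://www.linkedin.com/oauth/v2/introspectToken'

# Hypothetical probe builder. Assumes form-encoded client_id, client_secret
# and token parameters and a boolean "active" field in the JSON reply.
def introspection_probe(token, client_id, client_secret)
  lambda do
    res = Net::HTTP.post_form(URI(INTROSPECT_URL), 'client_id' => client_id,
                              'client_secret' => client_secret, 'token' => token)
    res.is_a?(Net::HTTPSuccess) && JSON.parse(res.body)['active'] == true
  rescue JSON::ParserError
    false
  end
end

# Probe until `required` consecutive valid answers arrive; an invalid answer
# resets the streak and waits `interval` seconds, as in the pseudocode.
# Unlike the pseudocode, it gives up after `timeout` seconds so a token that
# really is revoked cannot stall the request forever.
# Returns the number of probes made; clock and sleeper are injectable for tests.
def wait_until_token_stable(probe, required: 10, interval: 0.25, timeout: 15.0,
                            clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) },
                            sleeper: ->(seconds) { sleep(seconds) })
  deadline = clock.call + timeout
  streak = 0
  attempts = 0
  loop do
    attempts += 1
    if probe.call
      streak += 1
      return attempts if streak >= required
    else
      streak = 0
      raise TokenNotReady, "no stable answer after #{attempts} probes" if clock.call >= deadline
      sleeper.call(interval)
    end
  end
end
```

Rescue `TokenNotReady` in the callback and fail the login closed rather than proceeding with a token whose state is unknown.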

lucca-oliveira commented 2 months ago

@joeEulerity Thanks buddy!

frunkad commented 1 month ago

Following this. It's been 10 years! 🤔🥲

busbyjon commented 1 month ago

As of this comment, this issue still persists. The following stackoverflow answers suggested to include all the params sent to https://www.linkedin.com/oauth/v2/accessToken to get the access token to be sent as query params and not part of the body!

https://stackoverflow.com/questions/25488172/linkedin-api-the-token-used-in-the-oauth-request-has-been-revoked
https://stackoverflow.com/questions/66830621/linkedin-api-the-token-used-in-the-request-has-been-revoked-by-the-user

This works! To achieve this using this gem, monkey patch the client options for the oauth2 client to include token_method set to post_with_query_string. This ensures the params are in the query string rather than the body of the POST request.

module OmniAuth
  module Strategies
    class LinkedIn
      option :client_options, {
        :site => 'https://api.linkedin.com',
        :authorize_url => 'https://www.linkedin.com/oauth/v2/authorization?response_type=code',
        :token_url => 'https://www.linkedin.com/oauth/v2/accessToken',
        :token_method => :post_with_query_string
      }
    end
  end
end

Just want to say thank you - this is the solution for what is effectively an intermittent failure.

Devs - please create a patch into upstream here.

For those wondering how to implement, the easiest solution for now is to drop this code into config/initializers/linkedin_monkey_patch.rb.
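
With the `:post_with_query_string` workaround quoted above, the token request parameters travel in the URL, where HTTP client debug logs and proxies can record them. The added example below (not from any commenter or from the gem) models the two placements in simplified form and shows a scrubber for logged URLs; the parameter names and sample values are constructed assumptions.

```ruby
require 'uri'

# Query parameters that should never reach a log line in clear text.
SENSITIVE_PARAMS = %w[client_secret code refresh_token access_token].freeze

# Simplified model (an assumption, not the oauth2 gem's code) of where the
# token request parameters travel for each token_method value.
def token_request(token_url, params, token_method)
  encoded = URI.encode_www_form(params)
  case token_method
  when :post
    { url: token_url, body: encoded }
  when :post_with_query_string
    { url: "#{token_url}?#{encoded}", body: nil }
  else
    raise ArgumentError, "unsupported token_method: #{token_method.inspect}"
  end
end

# Redact sensitive values before a request URL is written to a log.
def scrub_url(url)
  uri = URI.parse(url)
  return url if uri.query.nil?

  pairs = URI.decode_www_form(uri.query).map do |key, value|
    [key, SENSITIVE_PARAMS.include?(key) ? 'FILTERED' : value]
  end
  uri.query = URI.encode_www_form(pairs)
  uri.to_s
end

# Constructed sample values, not real credentials.
SAMPLE_PARAMS = {
  'grant_type' => 'authorization_code',
  'code' => 'SAMPLE_CODE',
  'client_id' => 'SAMPLE_ID',
  'client_secret' => 'SAMPLE_SECRET'
}.freeze
```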