OAuth 2.0 Authentication

Viadeo Platform uses OAuth 2.0 protocol for authentication and authorization.

Viadeo members get the choice whether to authorize your website or application to access their data. Once authorization has been given, your site will be able to access all of the information on a member’s profile, including their name, profile picture or contacts list (if they have chosen to share it).

If the member does not accept the bridge between your site or application and Viadeo, you will receive an empty feed when querying the user profile and you will not be able to access their information.

Authentication using OAuth

OAuth 2.0 is a simple way of publishing and interacting with protected data. It also provides a safer and more secure way for Internet users to give external sites access to their personal information.

Using OAuth 2.0 entails getting an access token for a Viadeo user via a redirect to Viadeo. After the access token and access secret are returned to you, you can perform authorized requests as defined by the OAuth protocol:

https://api.viadeo.com/me?access_token=xxx

Warning: request your token from the secure.viadeo.com site, and send your Graph API requests to the api.viadeo.com site.

Use the official “Connect with Viadeo” button on your site/app to direct visitors to the Viadeo login page.

Web Server

The web server profile is suitable for clients capable of interacting with the end-user’s user-agent (typically a web browser) and capable of receiving incoming requests from the authorization server (capable of acting as an HTTP server).

The steps to obtain an access token are:

  • Register your application to get an API key and secret. Your API key is your client_id and your API secret is your client_secret.
  • Redirect the user to https://secure.viadeo.com/oauth-provider/authorize2 with your client_id and the URL the user should be sent back to after the authorization process (redirect_uri). Add the display=popup parameter when you want to open the authentication page in a popup of size 780×480. Add the lang=fr|en|it|es|de|pt parameter to display the page in another language (the default is fr, French, or the navigation language of the user if a cookie is present). Example (line breaks are for display purposes only):
    https://secure.viadeo.com/oauth-provider/authorize2?
    response_type=code&
    display=popup&
    lang=en&
    client_id=<YOUR_API_KEY>&
    redirect_uri=http://www.example.com/oauth_redirect
  • If the user authorizes your application, our server redirects the user back to the redirect URI you specified with a verification string in the code argument. This code can then be exchanged for an OAuth access token by POSTing to https://secure.viadeo.com/oauth-provider/access_token2. Pass exactly the same redirect_uri as in the previous step (line breaks are for display purposes only):
    POST /oauth-provider/access_token2 HTTP/1.1
    Host: secure.viadeo.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&
    client_id=<YOUR_API_KEY>&
    client_secret=<YOUR_API_SECRET>&
    redirect_uri=http://www.example.com/oauth_redirect&
    code=<CODE>

    In response, you will get the following json response:

    {
    "access_token": "<ACCESS_TOKEN>",
    "token_type": "bearer"
    }
  • Use the access token returned by the request above to make requests on behalf of the user. You can use it in one of two ways:
    1. Passing access_token as an HTTP parameter:
      https://api.viadeo.com/me?access_token=<ACCESS_TOKEN>

      (or in the body for POST requests)

    2. Passing the access token in the HTTP ‘Authorization’ header, set to the value ‘Bearer <ACCESS_TOKEN>’

Note

If the user does not authorize your application, our server redirects the user to the redirect URI you specified, and adds the error and error_description parameters to the query component.

Note

The access token has an infinite time to live (TTL). The user should revoke the token on our website.

  • To revoke a token (i.e. remove the bridge between your application and Viadeo), call https://secure.viadeo.com/oauth-provider/revoke_access_token2 with the access token as a parameter:
https://secure.viadeo.com/oauth-provider/revoke_access_token2?
client_id=<YOUR_API_KEY>&
client_secret=<YOUR_API_SECRET>&
redirect_uri=http://www.example.com/oauth_redirect&
access_token=<ACCESS_TOKEN_TO_REVOKE>

In response, you will get the following json response:

{"token_revoked"}
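The Web Server steps above, carried end to end, as an added Python example (not Viadeo's own client library). The endpoint URLs, parameter names and the JSON reply shape come from this page; the injectable transport callable, the sample client credentials and code, the fake token endpoint, and the use of a state parameter with the code flow (the page documents state only for the User-Agent profile, so whether authorize2 echoes it back here is an assumption) are mine.

```python
"""Viadeo Web Server profile, end to end. Added example, not Viadeo's library.
Endpoints, parameter names and the JSON reply come from the documentation;
`transport`, the sample credentials, the fake endpoint and the use of `state`
with the code flow are assumptions made so the code runs offline."""
import json
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://secure.viadeo.com/oauth-provider/authorize2"
TOKEN_URL = "https://secure.viadeo.com/oauth-provider/access_token2"
REVOKE_URL = "https://secure.viadeo.com/oauth-provider/revoke_access_token2"


def new_state():
    """Unguessable per-login value kept in the user's session; the callback
    must echo it so a code issued for someone else cannot be planted on us."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state, lang="en", popup=False):
    """Step 2: where the browser is sent. `state` is an assumption here (the
    page documents it for the User-Agent profile); harmless if ignored."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "lang": lang}
    if popup:
        params["display"] = "popup"
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 3, inbound: pull `code` out of the redirect; raise on a state
    mismatch or on a denial (error / error_description in the query)."""
    qs = parse_qs(urlsplit(callback_url).query)
    got = qs.get("state", [""])[0]
    if not secrets.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not tied to this login")
    if "error" in qs:
        raise PermissionError(
            f"{qs['error'][0]}: {qs.get('error_description', [''])[0]}")
    return qs["code"][0]


def exchange_code(code, client_id, client_secret, redirect_uri, transport):
    """Step 3, outbound: POST the code to access_token2. `transport(url,
    headers, body) -> str` is injected so this runs offline and the secret
    only travels over the channel the caller chose."""
    body = urlencode({"grant_type": "authorization_code",
                      "client_id": client_id, "client_secret": client_secret,
                      "redirect_uri": redirect_uri,  # exact match with step 2
                      "code": code})
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    reply = json.loads(transport(TOKEN_URL, headers, body))
    if "access_token" not in reply or reply.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token reply: {reply}")
    return reply["access_token"]


def bearer_headers(access_token):
    """Step 4, option 2. Preferred over ?access_token=... because query
    strings land in proxy, browser and server logs."""
    return {"Authorization": f"Bearer {access_token}"}


def revoke_url(client_id, client_secret, redirect_uri, access_token):
    """Tokens have no TTL, so revoke when the user disconnects your app."""
    return REVOKE_URL + "?" + urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "redirect_uri": redirect_uri, "access_token": access_token})


def fake_transport(url, headers, body):
    """Constructed stand-in for access_token2, used only for the offline demo."""
    assert url == TOKEN_URL
    assert headers["Content-Type"].startswith("application/x-www-form-urlencoded")
    sent = parse_qs(body)
    if sent.get("code") == ["GOOD_CODE"] and sent.get("client_secret") == ["MY_SECRET"]:
        return json.dumps({"access_token": "TOKEN123", "token_type": "bearer"})
    return json.dumps({"error": "invalid_grant"})


def demo():
    """Runs the whole flow against the fake endpoint with constructed values."""
    redirect_uri = "http://www.example.com/oauth_redirect"
    state = new_state()
    build_authorize_url("MY_KEY", redirect_uri, state, popup=True)
    callback = f"{redirect_uri}?code=GOOD_CODE&state={state}"  # constructed
    code = parse_callback(callback, state)
    token = exchange_code(code, "MY_KEY", "MY_SECRET", redirect_uri, fake_transport)
    return token, bearer_headers(token)


if __name__ == "__main__":
    print(demo())
```

The only value a real deployment needs to swap in is `transport` (an HTTPS POST to secure.viadeo.com); everything else follows the page's own request and reply formats.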

User-Agent

The user-agent profile is suitable for client applications residing in a user-agent, typically implemented in a browser using a scripting language such as JavaScript. These clients cannot keep client secrets confidential, and the authentication of the client is based on the user-agent’s same-origin policy.

Unlike the Web Server profile, in which the client makes separate requests for end-user authorization and for the access token, here the client receives the access token as the result of the end-user authorization request, in the form of an HTTP redirection. The client asks the authorization server to redirect the user-agent to another web server or to a local resource accessible to the user-agent, which extracts the access token from the response and passes it to the client.

This user-agent profile does not utilize the client secret since the client executables reside on the end-user’s computer or device which makes the client secret accessible and exploitable. Because the access token is encoded into the redirection URI, it may be exposed to the end-user and other applications residing on the computer or device.

The steps to obtain an access token are:

  • Register your application to get an API key (the secret won’t be used with this profile). Your API key is your client_id.
  • Redirect the user to https://secure.viadeo.com/oauth-provider/authorize2 with your client_id and the redirect URI. Set the response_type to token. For example (line breaks are for display purposes only):
    https://secure.viadeo.com/oauth-provider/authorize2?
    response_type=token&
    client_id=<YOUR_API_KEY>&
    state=<RANDOM_NUMBER>&
    redirect_uri=http://www.example.com/callback
  • After the user authorizes your application, our server redirects the user to the redirect URI you specified with the access token in the URI fragment:
    http://www.example.com/callback#access_token=<ACCESS_TOKEN>&state=<SAME_RANDOM_NUMBER>
  • Use the access token returned by the request above to make requests on behalf of the user. You can use it in one of two ways:
    1. Passing access_token as an HTTP parameter:
      https://api.viadeo.com/me?access_token=<ACCESS_TOKEN>

      (or in the body for POST requests)

    2. Passing the access token in the HTTP 'Authorization' header, set to the value 'Bearer <ACCESS_TOKEN>'

Note

If the user does not authorize your application, our server redirects the user to the redirect URI you specified, and adds the error and error_description parameters to the URI fragment.
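Handling the User-Agent redirect described above, as an added Python example (not Viadeo's code). It shows the point the profile text makes: the token travels in the URI fragment, which the browser never sends to a server, so it has to be read, state-checked and then scrubbed from the URL on the client side. The callback URLs and helper names are constructed for this example.

```python
"""User-Agent profile: the token arrives in the URI fragment. Added example,
not Viadeo's code; callback strings are constructed and helper names are mine."""
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qs


def server_view(callback_url):
    """What the HTTP server behind redirect_uri receives: browsers strip the
    fragment before sending the request, so the token never reaches it."""
    return parse_qs(urlsplit(callback_url).query)


def client_view(callback_url):
    """What page script sees via location.hash: the fragment parameters."""
    return parse_qs(urlsplit(callback_url).fragment)


def extract_token(fragment_params, expected_state):
    """Check state before anything else, then surface a denial
    (error / error_description in the fragment), then return the token."""
    got = fragment_params.get("state", [""])[0]
    if not secrets.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not tied to this login")
    if "error" in fragment_params:
        raise PermissionError(f"{fragment_params['error'][0]}: "
                              f"{fragment_params.get('error_description', [''])[0]}")
    return fragment_params["access_token"][0]


def scrub_fragment(callback_url):
    """URL to put back in the address bar (history.replaceState in a browser)
    so the token does not linger in history, bookmarks or copied links."""
    p = urlsplit(callback_url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def handle_callback(callback_url, expected_state):
    """Client-side handler: returns (access_token, url_without_token)."""
    token = extract_token(client_view(callback_url), expected_state)
    return token, scrub_fragment(callback_url)


if __name__ == "__main__":
    st = secrets.token_urlsafe(16)
    # Constructed redirect as the authorization server would issue it.
    url = f"http://www.example.com/callback#access_token=TOKEN123&state={st}"
    print(server_view(url))          # {}  the server learns nothing
    print(handle_callback(url, st))  # ('TOKEN123', 'http://www.example.com/callback')
```

Because the fragment stays on the client, any server-side logging of the callback request is safe by construction; the remaining exposure is on the device itself, which is why the token is removed from the URL as soon as it has been read.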

Cancel button

By default the cancel button of the OAuth page uses a JavaScript call to history.back() to send the user back to the page they last visited, but for many reasons you may want to send them to a specific URL instead. Use the 'cancel_url' parameter to specify that page's URL.

For instance:

https://secure.viadeo.com/oauth-provider/authorize2?
response_type=code&
display=popup&
lang=en&
client_id=<YOUR_API_KEY>&
redirect_uri=http://www.example.com/oauth_redirect&
cancel_url=http://www.example.com/oauth_cancelled

Client libraries

Depending on your programming language several client libraries are provided for OAuth. Go to the OAuth site for the full list.

Quotas

An API key allows 5000 calls per day. If you need an upgrade, please feel free to contact our partnerships team.