OAuth Security Considerations
The Indeed OAuth framework was expressly designed so that you will never need to share your secrets with another organization. In particular, you should never need to provide your Indeed password or Indeed OAuth Client Secret to another organization. This holds for both 3-Legged OAuth and 2-Legged OAuth.
Using 3-Legged OAuth
If an OAuth application is using 3-Legged OAuth (also known as the Authorization Code flow) then you never need to share your Indeed password or Indeed OAuth Client Secret with the application. Instead, you can use the OAuth Consent Screen to grant permission to the application to act on your behalf without sharing any secret information.
Imagine that you want to grant an advertising agency named AAA Advertising permission to sponsor jobs on your behalf. Here’s how 3-Legged OAuth works:
- AAA Advertising registers their own OAuth Client ID and Secret.
- When you want to use AAA Advertising to sponsor a job, you navigate to their application, log in to Indeed, and submit the Indeed OAuth Consent Screen (see figure below) to grant the advertising agency permission to act on your behalf.
- If your Indeed account is associated with multiple employers then you might be presented with a screen that asks you to select a particular employer account.
- AAA Advertising can then call Indeed APIs on your behalf.
Here’s the magic of OAuth. At no point in this process do you share any secret information with AAA Advertising. You log in to Indeed using the standard Indeed login page hosted at Indeed. You provide consent to share your information with AAA Advertising by submitting the Indeed OAuth Consent Screen hosted on the Indeed website. Your secrets are never leaked to AAA Advertising.
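The flow above, seen from the application's side, as an added example that is not Indeed's own code: the endpoint URLs, the scope value and the session handling are placeholders and assumptions, while the parameter names are the standard OAuth 2.0 Authorization Code ones. The point it makes concrete is which secret travels where: only the public client ID goes to the consent page, and only the application's own client secret goes to the token endpoint.

```python
# Added example (not Indeed's own code): a minimal client-side view of the
# 3-Legged (Authorization Code) flow. Endpoint URLs and scope are placeholders.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://authorization-server.example/oauth/authorize"  # placeholder
TOKEN_URL = "https://authorization-server.example/oauth/token"  # placeholder


def new_state():
    """Unguessable per-login value that the app ties to the user's browser session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, scope, state):
    """Send the user to the provider's own login and consent page.
    Only the public client_id travels here: no password, no client secret."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """The provider redirects back with a one-time code. Refuse it unless the
    state matches what this session issued (guards against forged callbacks)."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError(f"authorization denied: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Back-channel exchange of the code for an access token. The application's
    own secret authenticates this call; the user's password never appears."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return {"url": TOKEN_URL, "form": form}
```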
Using 2-Legged OAuth
If an OAuth application is using 2-Legged OAuth (also known as the Client Credentials flow) then the application does not require user interaction. In particular, there is no step at which a user submits an OAuth Consent Screen.
When an application is using 2-Legged OAuth, you should use the Indeed Users page to grant permission for the application to act on your behalf. Follow these steps:
- Navigate to the Indeed Users Page at https://account.indeed.com/users.
- Ensure that the proper employer account is selected. You can use the select list that appears on the top-right of the page to select a particular employer account.
- Click the Add users button.
- Add a user to your company by entering their email address.
- Select the level of access that you want to grant to the new user.
- Click the Save and notify new users button.
The new user will receive an email inviting them to join your organization on Indeed. If they accept the invitation then they will be granted the level of access that you selected for them.
You should think of AAA Advertising just like any other person that you’ve invited to your organization. You can use the Indeed Users page to control the permissions that you grant to AAA Advertising and you can even use the page to remove AAA Advertising from your organization in the future.
Retrieving your Employer ID
If another company wants to act on your behalf when using 2-Legged OAuth then they need to know your Employer ID. You can find the Employer ID associated with your organization on the bottom of the Indeed Users page:
The Employer ID appears in a smallish font right above the footer of the page. The Employer ID is not secret — feel free to share it with other companies.