Is there any way to count the number of calls to the post method in Web API?
For example: I want to disable user if he 3 times enters wrong username and password combination.
So after third call in a row, of the post method of Web API controller I want to do something (for example I will disable user somehow or something else).
How to count this calls to API controller method? Is there any already define property or method for this case?
UPDATE:
This is my Web API method:
[Route("login")]
public async Task<HttpResponseMessage> LoginUser(Login model)
{
using (AuthRepository repo = new AuthRepository())
{
Regex rgx = new Regex("[^a-zA-Z0-9 -]");
string deviceId = rgx.Replace(model.DeviceId, "");
var request = HttpContext.Current.Request;
var user = await repo.FindUserAsync(deviceId, model.PIN);
var tokenServiceUrl = request.Url.GetLeftPart(UriPartial.Authority) + request.ApplicationPath + "/Token";
if (user != null)
{
MatrixLogManager.Debug("User " + model.DeviceId + "successfully logged in on MatrixSTS.");
try
{
using (var client = new HttpClient())
{
var requestParams = new List<KeyValuePair<string, string>>
{
new KeyValuePair<string, string>("grant_type", "password"),
new KeyValuePair<string, string>("username", deviceId),
new KeyValuePair<string, string>("password", model.PIN)
};
var requestParamsFormUrlEncoded = new FormUrlEncodedContent(requestParams);
var tokenServiceResponse = await client.PostAsync(tokenServiceUrl, requestParamsFormUrlEncoded);
var responseString = await tokenServiceResponse.Content.ReadAsStringAsync();
var responseCode = tokenServiceResponse.StatusCode;
var responseMsg = new HttpResponseMessage(responseCode)
{
Content = new StringContent(responseString, Encoding.UTF8, "application/json")
};
return responseMsg;
}
}
catch (Exception ex)
{
MatrixLogManager.Error("Error: ", ex);
throw ex;
}
}
else
{
//IF LOGIN FAILD I WOULD NEED TO COUNT SOMEHOW THAT ONE CALL WAS UNSUCCESSFUL, AFTER THIRD I WILL BLOCK USER, BUT ONLY IT HE MAKES SAME MISTAKE 3 TIMES IN A ROW.
//Adding simple int counter didn't worked for me.
return Request.CreateErrorResponse(HttpStatusCode.Unauthorized, "Invalid username or password.");
}
}
}
You should save this stuff in the DB in a sub table called let's say UserInvalidFailureLogins:
The table will have a foreign key to the userId and will have a counter value.
When a user tries to login, you first check how many failures the users has and
if he exceeded the threshold then don't let him login until you reset the number of attempts.
If the user fails a login, you increment the counter by 1.
One simple way you could implement this is keeping a static Dictionary<TKey, TValue> which maps users to the amount of times they've attempted to log-in. Note this can bloat memory quite a bit depending on the number of users and how long you want to keep their counting status:
private static readonly Dictionary<string, int> loginAttemptsByDeviceId =
new Dictionary<string, int>();
And then add this to your else clause:
else
{
int loginAttempts;
if (loginAttemptsByDeviceId.TryGetValue(deviceId, out loginAttempts)
{
loginAttemptsByDeviceId[deviceId] = ++loginAttempts;
}
else
{
loginAttemptsByDeviceId.Add(deviceId, 1);
}
return Request.CreateErrorResponse(HttpStatusCode.Unauthorized, "Invalid username or password.");
}
And of course checking the value prior to logging the user in:
int currentUserAttempts;
if (loginAttemptsByDeviceId.TryGetValue(deviceId, out currentUserAttempts) &&
currentUserAttempts == MaxLoginThreshhold)
{
// Return some error to the user.
}
This assumes a DeviceID is a unique identifier per user. If it isn't, use a value which will uniquely will identify your users.
Note i would advice you for the long term, to keep this data persistent somewhere (if needed). Also note that this doesn't take into account concurrent requests which may be attempted. If that is an issue, consider using a ConcurrentDictionary<TKey, TValue> instead and locking in relevant places.
Related
I'm really stuck in this for days. I'm using LinqToTwitter with ASP.Net C#
I'm trying to get the new DirectMessages work, I followed the examples but with no luck.
I want the function to work on Button click, so what I tried is:
BtnClick:
`
protected void Btn1_Click(object sender, EventArgs e)
{
string x = MyTest().Result;
}
`
MyTest:
`
static async Task<string> mytest()
{
AspNetAuthorizer auth = DoAuthorization();
var twitterCtx = new TwitterContext(auth);
List<DMEvent> AllDmEvents = new List<DMEvent>();
string Cursor;
DirectMessageEvents dmResponse =
await
(from dm in twitterCtx.DirectMessageEvents
where dm.Type == DirectMessageEventsType.List &&
dm.Count == 10
select dm)
.SingleOrDefaultAsync(); //In debugging mode, after this line is executed, it will go away and keep loading forever and never come back
AllDmEvents.AddRange(dmResponse.Value.DMEvents);
Cursor = dmResponse.Value.NextCursor;
string xxx = (JsonConvert.SerializeObject(AllDmEvents, Formatting.None));
return xxx;
}
`
DoAuthorization:
`
static AspNetAuthorizer DoAuthorization()
{
AspNetAuthorizer auth = new AspNetAuthorizer();
auth = new AspNetAuthorizer
{
CredentialStore = new SessionStateCredentialStore
{
ConsumerKey = "MyConsumerKey",
ConsumerSecret = "MyConsumerSecret ",
OAuthToken = "MyOAuthToken ",
OAuthTokenSecret = "MyOAuthTokenSecret ",
ScreenName = "MyUserName",
UserID = 12345678
}
};
return auth;
}`
Any help would be SO much appreciated!
The DoAuthorization() in your code looks like it came from the Console sample and that won't work with ASP.NET. The reason is that ASP.NET is stateless and the OAuth process brings you to the Twitter site and back. So, you have to break up the authorization into two pieces: Begin and Complete.
I'm guessing that you're using ASP.NET MVC, but the concept is similar (but different) if you're using WebForms). Here's the Begin part:
public class OAuthController : AsyncController
{
public ActionResult Index()
{
return View();
}
public async Task<ActionResult> BeginAsync()
{
var auth = new MvcAuthorizer
{
CredentialStore = new SessionStateCredentialStore
{
ConsumerKey = ConfigurationManager.AppSettings["consumerKey"],
ConsumerSecret = ConfigurationManager.AppSettings["consumerSecret"]
}
};
Notice that it uses an MvcAuthorizer, populating credentials. Once you have the MvcAuthorizer instance, redirect the user to Twitter for authorization, like this:
string twitterCallbackUrl = Request.Url.ToString().Replace("Begin", "Complete");
return await auth.BeginAuthorizationAsync(new Uri(twitterCallbackUrl));
}
That send the user to the Twitter authorization page, where they give your app permission to operate on their behalf. Twitter will redirect the user back to twitterCallback, which is why the code above modified the URL to replace the Begin with Complete in your URL. So, Twitter redirect the user back to your app, which calls the CompleteAsync() action below:
public async Task<ActionResult> CompleteAsync()
{
var auth = new MvcAuthorizer
{
CredentialStore = new SessionStateCredentialStore()
};
await auth.CompleteAuthorizeAsync(Request.Url);
// This is how you access credentials after authorization.
// The oauthToken and oauthTokenSecret do not expire.
// You can use the userID to associate the credentials with the user.
// You can save credentials any way you want - database,
// isolated storage, etc. - it's up to you.
// You can retrieve and load all 4 credentials on subsequent
// queries to avoid the need to re-authorize.
// When you've loaded all 4 credentials, LINQ to Twitter will let
// you make queries without re-authorizing.
//
//var credentials = auth.CredentialStore;
//string oauthToken = credentials.OAuthToken;
//string oauthTokenSecret = credentials.OAuthTokenSecret;
//string screenName = credentials.ScreenName;
//ulong userID = credentials.UserID;
//
return RedirectToAction("Index", "Home");
}
Now that your app has the user's permissions, grab their tokens and hold them for subsequent queries so you don't have to continue the OAuth process every time the user wants to use your app. Please see the notes in the code on how to get those credentials.
Now, when you want to perform a query, instantiate an MvcAuthorizer, like this:
static async Task<string> mytest()
{
var auth = new MvcAuthorizer
{
CredentialStore = new SessionStateCredentialStore()
};
var twitterCtx = new TwitterContext(auth);
List<DMEvent> AllDmEvents = new List<DMEvent>();
string Cursor;
DirectMessageEvents dmResponse =
await
(from dm in twitterCtx.DirectMessageEvents
where dm.Type == DirectMessageEventsType.List &&
dm.Count == 10
select dm)
.SingleOrDefaultAsync(); //In debugging mode, after this line is executed, it will go away and keep loading forever and never come back
AllDmEvents.AddRange(dmResponse.Value.DMEvents);
Cursor = dmResponse.Value.NextCursor;
string xxx = (JsonConvert.SerializeObject(AllDmEvents, Formatting.None));
return xxx;
}
You can see how the first statement of your modified myTest() method instantiates MvcAuthorizer with SessionStateCredentialStore, holding your credentials.
Finally, at the point in time where you want the user to authorize your app with Twitter (log in, on first query, or any other timing of your choice), check to see whether they're already authorized and re-direct if not, like this:
public ActionResult Index()
{
if (!new SessionStateCredentialStore().HasAllCredentials())
return RedirectToAction("Index", "OAuth");
return View();
}
Notice how the code above calls HasAllCredentials() on a SessionStateCredentialStore instance. I assume that you'll be adding your own logic to determine when to load the user's credentials, but wanted you to be aware of the HasAllCredentials() helper method to make it easier to know when the user must be authorized.
For more info, visit the LINQ to Twitter OAuth docs. The LINQ to Twitter source code also has Samples on how to use OAuth.
I am having trouble implementing a function to get the list of favorite tweets for a given user using tweetsharp. Does anyone have suggestion on how i should go about doing this? Thanks!
[HttpGet]
public JsonResult GetTwitterFavoritesList(string oauth_token, string oauth_verifier, string screen_name)
{
try
{
var requestToken = new OAuthRequestToken { Token = oauth_token };
TwitterService service = new TwitterService(TWITTER_CONSUMER_KEY, TWITTER_CONSUMER_SECRET);
OAuthAccessToken accessToken = service.GetAccessToken(requestToken, oauth_verifier);
service.AuthenticateWith(accessToken.Token, accessToken.TokenSecret);
ListFavoriteTweetsOptions options = new ListFavoriteTweetsOptions();
options.ScreenName = screen_name;
options.MaxId = 100;
IEnumerable<TwitterStatus> favoritesList = service.ListFavoriteTweets(options);
return Json(favoritesList, JsonRequestBehavior.AllowGet);
}
catch(Exception)
{
return Json(false);
}
}
Your problem is probably the MaxId = 100. That property is used for "paging" and setting it to 100 means no tweet with an id of more than 100 will be returned. Given all current tweets are in the billions, the query won't return anything.
If you were trying to restrict the number of tweets returned, you want to use the Count property, if one exists for that method.
I resolved this issue by using the access token and access secret i got from the initial authorization. So to get favorites i did not need to do a second authorization. i saved the access token and secret and just used them again in this line
service.AuthenticateWith(accessToken.Token, accessToken.TokenSecret);
I develop au Universal App using MVVM-Light.
On a page, there is a list of comments coming from a WebService. If the current user is the author of a comment, I show a FlyoutMenu allowing him to "Edit" or "Delete" its comment. There is also a AppBarButton for adding a new comment:
My problem is that the comments are never refreshed after the first load of this page...
I use a "LoadComments()" method in the ViewModel that allows me to get the comments when I arrive on the page, but also after editing, deleted or added an item:
private async void LoadComments()
{
List<Comment> commentsWS = await WebServiceGetCommentList();
if (commentsWS != null)
Comments = new ObservableCollection<Commentaire>(commentsWS);
}
This method so calls another method "WebServiceGetCommentList()" that prepares the call to the WebService, in the same ViewModel:
private async Task<List<Comment>> WebServiceGetCommentList()
{
// Parameters
List<KeyValuePair<string, string>> parametres = new List<KeyValuePair<string, string>>();
parametres.Add(new KeyValuePair<string, string>("option", _currentUserAccount.option));
parametres.Add(new KeyValuePair<string, string>("id_article", Article.id_article.ToString()));
// Call WebService and deserialize
Exception custEx = null;
try
{
List<Comment> comments = await WebServices.GetCommentList(_currentUserAccount.url, parametres, "");
return comments;
}
// Exceptions
catch (Exception e)
{
...
}
return null;
}
I then go in the "GetComments()" method on the "WebServices" class:
public static async Task<List<Comment>> GetCommentList(String url, List<KeyValuePair<String, String>> parametres, String protocol)
{
// Call WebService and deserialize
var response = await JSONParser.getJSONFromUrl(url, parametres, "");
List<Comment> comments = new List<Comment>();
WsResponse wsResponse = ManageWsReponse(response, Constants.WebServiceTask.GetCommentList.Value);
try
{
WsResponseResult wsResponseResult = JsonConvert.DeserializeObject<WsResponseResult>(wsResponse.data.ToString());
comments = JsonConvert.DeserializeObject<List<Comment>>(wsResponseResult.result.ToString());
return comments;
}
catch (Exception e)
{
throw new DeserializeException("Deserialize exception", e, DateTime.Now, "Comment");
}
}
This method calls the "getJSONFromUrl()" method in the "JSONParser" class that launches the "client.GetAsync()":
public static async Task<string> getJSONFromUrl(String url, List<KeyValuePair<String, String>> parameters, String protocol)
{
var client = new HttpClient();
// Preparing URI
string sParameters = null;
int i = 1;
foreach (var param in parameters)
{
sParameters += param.Key + "=" + param.Value;
sParameters += i != parameters.Count ? "&" : string.Empty;
i++;
}
var uri = new Uri(url + "?" + sParameters);
// Calls the WebService
var response = await client.GetAsync(uri, HttpCompletionOption.ResponseHeadersRead);
// Code and results
var statusCode = response.StatusCode;
// EnsureSuccessStatusCode throws exception if not HTTP 200
response.EnsureSuccessStatusCode();
// responseText
var responseText = await response.Content.ReadAsStringAsync();
return responseText;
}
I can add, delete or edit a comment with success, but when I'm back to this method "LoadComments()", the changes are not taken into account, and I get the same list than at the first call...
I also placed breakpoints in the "GetJSONFromURL()" method and I don't see the added, deleted or edited comments in the response var.
In the same time, if I copy the URI in a brower, for calling the same WebService with the same parameters, the changes are taken into account.
=> I think so there is a caching on client.GetAsync(), but I don't see how to desactive it, or force it to refresh datas...
I tried this solution httpclient-caching that doesn't work for me.
I think so that there is cache managing cause when I
That's the platform caching. I haven't had any success with the Cache-Control headers, the most reliable way to address the issue is to make sure the request is different.
Add an additional parameter - a timestamp. As the request is different, the platform cannot used the cached response.
parametres.Add(new KeyValuePair<string, string>("mytmstmp", DateTime.Now.Ticks);
Or: Use an additional header that allows for a date. I've used:
"If-Modified-Since", DateTime.UtcNow.ToString(CultureInfo.InvariantCulture)
I've created a Web API application that's working on server. On the client side, for testing I have android application.
It is pretty simple. User enters username and password and sends them with two more strings DeviceId and DeviceName.
The user gets verified by already defined service and if everything goes well 3 things happens:
User gets created and saved in database.
Information e-mail is sent to a user.
Access token is returned to client.
But after making some changes in my code, responses from server begin to take too long, and for mobile users timeout occurs too often.
I've notice that timeout started to happens after I've added one particular part of code:
Regex rgx = new Regex("[^a-zA-Z0-9 -]");
string deviceId = rgx.Replace(model.DeviceId, "");
This part is used to trim all non alpha-numeric characters from DeviceID string. This is important because before adding this code I've got JSON related error if user had slash or backslash in this variable.
So my question is: Is it possible that Regex class and its methods make some mess on the server and makes response from server takes too long?
If it is any of help, this is the code of an problematic call:
[Route("registration/request")]
public async Task<HttpResponseMessage> RegistrationRequest(Registration model)
{
try
{
MatrixLogManager.Info("Starting token creating.");
var request = HttpContext.Current.Request;
var tokenServiceUrl = request.Url.GetLeftPart(UriPartial.Authority) + request.ApplicationPath + "/Token";
MatrixLogManager.Info("Checking if model is valid.");
if (!ModelState.IsValid)
{
return Request.CreateResponse(BadRequest(ModelState));
}
using (MatrixServiceLayerLogin login = new MatrixServiceLayerLogin())
{
if (login.LoginUser(model.UserName, model.Password, true, true))
{
var personId = login.GetPersonId();
MatrixLogManager.Debug("User " + model.UserName + " successfully logged in on MatrixSTS.");
try
{
using (var authRepo = new AuthRepository())
{
MatrixLogManager.Info("Changing deviceID format.");
Regex rgx = new Regex("[^a-zA-Z0-9 -]");
model.DeviceId = rgx.Replace(model.DeviceId, "");
MatrixLogManager.Debug(model.DeviceId);
MatrixLogManager.Debug("Saving user: " + model.DeviceId);
ApplicationUser appUser = new UserFactory().CreateApplicationUser(model, personId);
IdentityResult result = await authRepo.RegisterUser(appUser);
EMailService.SendEmail(appUser);
IHttpActionResult errorResult = GetErrorResult(result);
MatrixLogManager.Debug("Saved user: " + model.DeviceId);
if (errorResult != null)
{
return Request.CreateResponse(errorResult);
}
using (var client = new HttpClient())
{
var requestParams = new List<KeyValuePair<string, string>>
{
new KeyValuePair<string, string>("grant_type", "password"),
new KeyValuePair<string, string>("username", appUser.UserName),
new KeyValuePair<string, string>("password", "0000")
};
var requestParamsFormUrlEncoded = new FormUrlEncodedContent(requestParams);
var tokenServiceResponse = await client.PostAsync(tokenServiceUrl, requestParamsFormUrlEncoded);
var responseString = await tokenServiceResponse.Content.ReadAsStringAsync();
var responseCode = tokenServiceResponse.StatusCode;
var responseMsg = new HttpResponseMessage(responseCode)
{
Content = new StringContent(responseString, Encoding.UTF8, "application/json")
};
responseMsg.Headers.Add("PSK", appUser.PSK);
return responseMsg;
}
}
}
catch (Exception ex)
{
MatrixLogManager.Error("Error: ", ex);
throw ex;
}
}
else
{
return Request.CreateErrorResponse(HttpStatusCode.Unauthorized, "Invalid username or password.");
}
}
}
catch (Exception ex)
{
MatrixLogManager.Error(string.Format("Error while trying registring user: Exception = {0} InnerException {1}", ex.Message, ex.InnerException.Message));
throw;
}
}
P.S. One more thing. When I test this code on my machine, locally response time is not so long, and everything goes well. The problem is only when this code is published to a server, and it happens times to times.
I see two problems here:
Regex rgx = new Regex("[^a-zA-Z0-9 -]");
model.DeviceId = rgx.Replace(model.DeviceId, "");
First, by using the regex constructor you're forcing the system to create a new Regex object every time you apply it. If you use one of the static methods instead, the system automatically caches the Regex object the first time you use it. Or you can construct the Regex ahead of time and store it in a static variable.
Second, you're replacing the unwanted characters one at a time, which is grievously inefficient. Add a + to the end of your regex to match whole sequences of the undesired characters at a time.
model.DeviceId = Regex.Replace(model.DeviceId, "[^a-zA-Z0-9 -]+", "");
Having read that since late last year LinkedIn finally have finally allowed us to retrieve the email address for the currently logged on user I've been failing to do so. I've read all the posts I can find on SO and elsewhere and as far as I can tell my code should be working. It returns just fine with all the other fields,
however, the email address field is always empty.
Here's my LinkedInClient class;
public class LinkedInClient2 : OAuthClient
{
public static readonly ServiceProviderDescription LinkedInServiceDescription = new ServiceProviderDescription
{
AccessTokenEndpoint =
new MessageReceivingEndpoint(
"https://api.linkedin.com/uas/oauth/accessToken",
HttpDeliveryMethods.GetRequest | HttpDeliveryMethods.AuthorizationHeaderRequest),
RequestTokenEndpoint =
new MessageReceivingEndpoint(
"https://api.linkedin.com/uas/oauth/requestToken?scope=r_basicprofile+r_emailaddress",
HttpDeliveryMethods.GetRequest | HttpDeliveryMethods.AuthorizationHeaderRequest),
UserAuthorizationEndpoint =
new MessageReceivingEndpoint(
"https://www.linkedin.com/uas/oauth/authenticate",
HttpDeliveryMethods.GetRequest | HttpDeliveryMethods.AuthorizationHeaderRequest),
TamperProtectionElements = new ITamperProtectionChannelBindingElement[] { new HmacSha1SigningBindingElement() },
ProtocolVersion = ProtocolVersion.V10a
};
public LinkedInClient2(string consumerKey, string consumerSecret, IConsumerTokenManager tokenManager)
: base("linkedIn", LinkedInServiceDescription, tokenManager)
{
}
[SuppressMessage("Microsoft.Design", "CA1031:DoNotCatchGeneralExceptionTypes", Justification = "We don't care if the request fails.")]
protected override AuthenticationResult VerifyAuthenticationCore(AuthorizedTokenResponse response)
{
// See here for Field Selectors API http://developer.linkedin.com/docs/DOC-1014
const string ProfileRequestUrl = "https://api.linkedin.com/v1/people/~:(id,first-name,last-name,email-address,headline,industry,summary,picture-url)";
string accessToken = response.AccessToken;
var profileEndpoint = new MessageReceivingEndpoint(ProfileRequestUrl, HttpDeliveryMethods.GetRequest);
HttpWebRequest request = this.WebWorker.PrepareAuthorizedRequest(profileEndpoint, accessToken);
try
{
using (WebResponse profileResponse = request.GetResponse())
{
using (Stream responseStream = profileResponse.GetResponseStream())
{
XDocument document = LoadXDocumentFromStream(responseStream);
string userId = document.Root.Element("id").Value;
// User Profile Fields - https://developer.linkedin.com/documents/profile-fields
string firstName = document.Root.Element("first-name").Value;
string lastName = document.Root.Element("last-name").Value;
string userName = document.Root.Element("email-address").Value; // <<<<<< ERROR - always empty
var extraData = new Dictionary<string, string>();
extraData.Add("accesstoken", accessToken);
extraData.Add("name", userName);
extraData.AddDataIfNotEmpty(document, "picture-url");
extraData.AddDataIfNotEmpty(document, "location");
extraData.AddDataIfNotEmpty(document, "headline");
extraData.AddDataIfNotEmpty(document, "summary");
extraData.AddDataIfNotEmpty(document, "industry");
return new AuthenticationResult(
isSuccessful: true, provider: this.ProviderName, providerUserId: userId, userName: userName, extraData: extraData);
}
}
}
catch (Exception exception)
{
return new AuthenticationResult(exception);
}
}
internal static XDocument LoadXDocumentFromStream(Stream stream)
{
const int MaxChars = 0x10000; // 64k
XmlReaderSettings settings = new XmlReaderSettings()
{
MaxCharactersInDocument = MaxChars
};
return XDocument.Load(XmlReader.Create(stream, settings));
}
}
}
I realise that I'm supposed to add the scope=r_emailaddress to the RequestTokenEndpoint (which I have) but from the fiddler traces I can't even see that endpoint being fetched. Basically, it only every uses the AccessTokenEndpoint which presumably is something to do with my problem.
This is approximately how my ASP.Net MVC4.5 controller looks;
[AllowAnonymous]
public virtual ActionResult LinkedIn(string returnUrl)
{
var tokenMgr = new RepoOAuthTokenManager(_iOtk, LinkedInAppKey, LinkedInAppSecret);
var iacp = new LinkedInClient2(LinkedInAppKey, LinkedInAppSecret, tokenMgr); // if none specified, LinkedInClient uses the AuthenticationOnlyCookieOAuthTokenManager which doesn't work for APIs
var ioadp = new MyOauthDataProvider();
var oasm = new OpenAuthSecurityManager(this.HttpContext, iacp, ioadp);
var redirectUri = Url.ActionFullyQualified(this.nameof(c => c.LinkedIn(null)), null, new RouteValueDictionary(new { returnUrl = returnUrl }));
AuthenticationResult ar = oasm.VerifyAuthentication(redirectUri);
if (ar.Error == null)
{
if (ar.IsSuccessful)
DoSomethingResultingInRedirect(redirectUri); // OK
else
oasm.RequestAuthentication(redirectUri);
}
else
ModelState.AddModelError("", ar.Error.Message);
return View(this.nameof(c=>c.Login(null)));
}//LinkedIn
I can't say I completely understand the extensibility mechanism in DotNetOpenAuth and I may be misunderstanding something so I'd appreciate some pointers.
Am I missing a step somewhere?
I have two solutions to this, although I still don't understand how to get my existing code to work as I'd expect, but hopefully this may help someone else;
(1) I went to Making it easier for you to add default member permissions and clicked on the API admin page.
Here you can select what scopes you want requested by default. It didn't work until I clicked a box (now disappeared) that was worded along the lines of "[x] Make this permanent". Once I'd done that I started to get the email-address field populated as I was expecting.
(2) I tried using the OAuth2 URL instead from information here and it seemed to work. I have also found an implementation of an OAuth2 client here which looks like a good start. I suspect that in the long run, an OAuth2 upgrade (once the spec is more static) will yield better overall mileage.
For now though, I'm out of the pit of despair, but other answers are still welcome!
I had a similar issue.. maybe this is relevant for you:
My Request Token Call is:
https://api.linkedin.com/v1/people/~:(id,first-name,last-name,headline,member-url-resources,picture-url,location,public-profile-url,email-address)?format=json
but the json response is:
array(8) {
["emailAddress"]=>
string(18) "email#email.com"
["firstName"]=>
string(3) "Tim"
...
Note that in the first case email is named email-address, in the second emailAddress.