[DEV] Implement LinkedInAuthService (token refresh logic)

[artcava]

Overview

Implement ILinkedInAuthService and its concrete implementation that calls the LinkedIn OAuth 2.0 token refresh endpoint to exchange a refresh_token for a new access_token.

Depends on: #56

Tasks

• Create src/Abstraction/ILinkedInAuthService.cs:

public interface ILinkedInAuthService
{
    Task<(string accessToken, string refreshToken)> RefreshTokenAsync(string refreshToken);
}

• Create src/Services/LinkedInAuthService.cs:
  • POST to https://www.linkedin.com/oauth/v2/accessToken
  • Body: grant_type=refresh_token, refresh_token, client_id, client_secret
  • Parse LinkedInTokenResponse (accessToken, refreshToken, expiresIn)
  • Log token expiry date (for monitoring)
• Read client_id and client_secret via IKeyVaultService (secrets: LinkedInClientId, LinkedInClientSecret)
• Register in Program.cs as Transient
• Write unit tests with mocked HttpClient and IKeyVaultService

LinkedIn Endpoint Reference

POST https://www.linkedin.com/oauth/v2/accessToken
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&refresh_token=<token>
&client_id=<client_id>
&client_secret=<client_secret>

Acceptance Criteria

• Returns new access_token and refresh_token on success
• Throws descriptive exception on HTTP error (401, 400)
• Unit tests cover success, expired refresh token, and network error scenarios

Notes

• LinkedIn may or may not return a new refresh_token in the response — handle both cases gracefully (only update Key Vault if a new one is returned)
• OpenID Connect is already enabled on the LinkedIn Developer App ✅

References

• Analysis document — Section 5, Step 5
• LinkedIn OAuth 2.0 Refresh Tokens

[github-actions]

👋 Thanks for opening this issue! A maintainer will review it soon and label it as approved if it can proceed to development.

[artcava]

Deferred

This issue is blocked and deferred until the LinkedIn token refresh strategy is unblocked.

LinkedInAuthService.RefreshTokenAsync() requires a valid refresh_token as input — which is currently unavailable in this setup. Implementing the service now would produce untestable code with no viable execution path.

See #56 for the full reasoning behind this deferral decision. This issue will be re-evaluated alongside #56 when a viable refresh token strategy is confirmed.