Auth provider for Linkedin not working #8831
SOLVED
After some debugging I managed to solve this. In case anyone else stumbles across this, since it's not well documented: If you're using Linkedin API V2, you do need to add some custom parameters to the Linkedin provider. The original issue was that the expected iss was undefined. Simply add issuer to OAuthConfig for the Linkedin provider:
This triggers a new error: 'jwks_uri must be configured on the issuer'. Add jwks_endpoint to OAuthConfig:
Again, this triggers a new error, where nextauth complains that the profile id is missing. Linkedin API V2 uses "sub", not "id". Solved by overriding the profile function in OAuthConfig:
Complete working provider for Linkedin using Linkedin API V2:
|
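Added example, not part of the original comment and not code from next-auth or openid-client: a simplified Node.js sketch of the ID-token checks behind the three errors described in the comment above (configured issuer, a key to verify the signature, and `sub` as the user id). The key pair, the token, the client id and the `config` shape (`issuer`, `clientId`, `jwksKey`) are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed stand-in for the provider's signing key. A real relying party
// obtains the public half from the provider's JWKS endpoint.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const b64url = (v) => Buffer.from(v).toString("base64url");

// Fixture: build a constructed RS256-signed ID token from the given claims.
function makeIdToken(claims) {
  const input = `${b64url(JSON.stringify({ alg: "RS256" }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign("RSA-SHA256", Buffer.from(input), privateKey).toString("base64url")}`;
}

// Simplified relying-party checks. `config` is hypothetical: issuer, clientId
// and jwksKey stand in for the provider's issuer, client id and JWKS settings.
function validateIdToken(token, config, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  const claims = JSON.parse(Buffer.from(p, "base64url").toString());
  // 1. The token must come from the issuer this client was configured for.
  if (claims.iss !== config.issuer)
    throw new Error(`unexpected iss value, expected ${config.issuer}, got: ${claims.iss}`);
  // 2. Without a key source the signature cannot be checked at all.
  if (!config.jwksKey) throw new Error("jwks_uri must be configured on the issuer");
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const ok = crypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), config.jwksKey, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("signature verification failed");
  // 3. The token must be addressed to this client and still be valid.
  if (![].concat(claims.aud).includes(config.clientId)) throw new Error("aud mismatch");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("token expired");
  if (!claims.sub) throw new Error("missing sub claim");
  return claims;
}

// The OIDC user identifier is `sub`; map it to the `id` field the app expects.
function toProfile(claims) {
  return { id: claims.sub, name: claims.name, email: claims.email, image: claims.picture ?? null };
}
```

With no `issuer` configured, the first check fails with the same "expected undefined" message as in the issue, because the comparison target is literally `undefined`.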
This issue should be opened again, because every new app using SignIn with LinkedIn will run into this issue (as I did). Reason: Microsoft has deprecated the old API as of August 1, 2023!
I'd suggest to keep the current Deprecated API:New API |
Hi, Fair point. Closed since I managed to solve it by setting some custom parameters, although I used quite some time on it. Reopening. Either way: Did you manage to get it to work using the provided solution? |
Yes, your solution works great. It saved me a lot of time digging deeper myself. :) |
Is it still working for you guys? Even with the snippet posted, I'm still getting an error: (I've double checked the client_id and client_secret multiple times already.. |
It's working. Can you please provide the complete code of [...nextauth.js]? Remember to remove ids and secrets. |
Thanks for your reply :)
My code:
|
I'm using |
God bless, this is the right solution and docs should be updated |
@andersengenolsen |
Hi, The sub parameter is a unique user identifier issued "within" the ID token (JWT) from Linkedin API V2 after authenticating. It's simply the user ID. Documentation available here: https://learn.microsoft.com/en-us/linkedin/consumer/ Also a bit out of scope, since we're discussing Nextauth.. :) |
Thanks for your response. Basically they have restricted most of the API to a normal developer, I believe? |
I'm still receiving
Edit: This is working for me but I'm still receiving OAuthCallbackError intermittently.
If you want to use it with an adapter you will need to increase the access_token default column length because Linkedin's access_token has more than 255 characters. |
Hi @jormaj , did you find a workaround for this ? I'm facing the same error.. |
Has anyone resolved this? I'm also getting the invalid_client error and can't work out why. |
I tried the same code in my route.ts inside app/api/auth/[...nextauth] folder:
|
Please read the error message completely. |
Thanks. Resolved it. 👍🏻 |
Hi everyone, I'm looking into this now. I think I found a bug in the LinkedIn OIDC implementation, I reached out to them and awaiting response. |
Ah fantastic! Thanks for looking into this. Can confirm it's still an issue at my end. |
is this in reference to this error message?
because i'm also coming to the same conclusion |
@balazsorban44 I understand that auto discovery does not work as of today due to the mismatch in
This should have worked. But @cocoBavan and @Shashwat61 and myself are all stuck at this stage with error:
On checking the details of the request for /v2/accessToken, I can see that there is a field As mentioned by @som-nitjsr, this |
@som-nitjsr Where did you get this from? It is correct, just asking for the source |
I have used C# .NET Core and this is how I have integrated. Let me know which framework you are using.
}); |
Also, you can refer to the C# code here where LinkedIn is connected using IdP: https://github.com/som-nitjsr/linkedidp |
I am using ASP.NET Core, but couldn't figure out why PKCE would result in
Furthermore, when you said: "check the latest code LinkedIn openid connect implementation" - I had the impression is that you're referring to an official or other publicly available implementation, so that's why I was asking for the source (the origin). Do you have that or did you figure this out on your own? |
@balazsmeszegeto you can also see that they don't support the nonce claim from here: https://www.linkedin.com/oauth/.well-known/openid-configuration?_l=en_US Based on these I have written a solution here: https://github.com/som-nitjsr/linkedidp |
Great job then! Still, I'd consider this as a bug in LinkedIn side, since nonce is mandatory as per OpenID C standard, and not an optional claim |
Anyone find the final solution, still facing same error |
Anyone with a workaround for this ? |
In case anyone comes across it, I had the same workaround in my codebase, until a different but similar error started showing: I set |
I can confirm this also worked for me. Must be a recent change in the API. |
Oh, it certainly is, I haven't gotten back a confirmation from them, but been asking for this for a while. Will fix it soon, now! |
Put up a PR with the |
Did anybody get LinkedIn working for NextAuth.js v5? With my current code, I get the LinkedIn login page, and a LinkedIn page where I press 'Allow' (this also shows it will redirect to localhost). After choosing Allow, my browser (now on http://localhost:3000/api/auth/error?error=Configuration) shows: Server error My logging shows:
I tried many variants of this code, some resulting in different errors. But I still haven't seen it working.
I got it working for GitHub, so I am confident that my base setup is correct.
I am posting this here since this thread seems very relevant. Any help is appreciated :) |
I am in the exact same situation. |
Same configuration as @kafiln and @wowtah with the following error after callback from LinkedIn:
Config:
GitHub auth works as expected. |
Still facing this issue. Am I doing something wrong? As there are lots of solutions in this thread, still unsure what is the correct one. This is my LinkedIn provider and I have latest version of next-auth 4.24.7. And this is my LinkedIn provider config:

```js
LinkedInProvider({
  clientId: process.env.LINKEDIN_CLIENT_ID || "",
  clientSecret: process.env.LINKEDIN_CLIENT_SECRET || "",
  client: { token_endpoint_auth_method: "client_secret_post" },
  authorization: {
    url: "https://www.linkedin.com/oauth/v2/authorization",
    params: { scope: "openid profile email" },
  },
  token: {
    url: "https://www.linkedin.com/oauth/v2/accessToken",
  },
  userinfo: {
    url: "https://api.linkedin.com/v2/userinfo",
  },
  wellKnown:
    "https://www.linkedin.com/oauth/.well-known/openid-configuration",
  issuer: "https://www.linkedin.com/oauth",
  jwks_endpoint: "https://www.linkedin.com/oauth/openid/jwks",
  profile(profile) {
    const defaultImage =
      "https://cdn-icons-png.flaticon.com/512/174/174857.png";
    return {
      id: profile.sub,
      name: profile.name,
      email: profile.email,
      image: profile.picture ?? defaultImage,
    };
  },
}),
```

ERROR:

```
[next-auth][error][OAUTH_CALLBACK_ERROR]
https://next-auth.js.org/errors#oauth_callback_error id_token detected in the response, you must use client.callback() instead of client.oauthCallback() {
  error: RPError: id_token detected in the response, you must use client.callback() instead of client.oauthCallback()
      at Client.oauthCallback (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\openid-client\lib\client.js:632:15)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
      at async oAuthCallback (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next-auth\core\lib\oauth\callback.js:111:16)
      at async Object.callback (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next-auth\core\routes\callback.js:52:11)
      at async AuthHandler (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next-auth\core\index.js:208:28)
      at async NextAuthApiHandler (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next-auth\next\index.js:22:19)
      at async K (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next\dist\compiled\next-server\pages-api.runtime.dev.js:21:2946)
      at async U.render (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next\dist\compiled\next-server\pages-api.runtime.dev.js:21:3827)
      at async DevServer.runApi (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next\dist\server\next-server.js:554:9)
      at async NextNodeServer.handleCatchallRenderRequest (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next\dist\server\next-server.js:266:37)
      at async DevServer.handleRequestImpl (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next\dist\server\base-server.js:789:17)
      at async C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next\dist\server\dev\next-dev-server.js:331:20
      at async Span.traceAsyncFn (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next\dist\trace\trace.js:151:20)
      at async DevServer.handleRequest (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next\dist\server\dev\next-dev-server.js:328:24)
      at async invokeRender (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next\dist\server\lib\router-server.js:174:21) {
    name: 'OAuthCallbackError',
    code: undefined
  },
  providerId: 'linkedin',
  message: 'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()'
}
```
|
I am also still getting an error:
|
|
Fixed for me also in 5-beta.18. Thanks! |
This is the solution that actually works |
This combines all the feedback I saw above and is what works for me as of August 2024:
|
this worked for me perfectly! |
After Adding All configuration of linkedin |
Environment
System:
OS: Linux 6.2 Ubuntu 22.04.3 LTS 22.04.3 LTS (Jammy Jellyfish)
CPU: (12) x64 AMD Ryzen 5 3600X 6-Core Processor
Memory: 2.63 GB / 15.53 GB
Container: Yes
Shell: 5.1.16 - /bin/bash
Binaries:
Node: 20.4.0 - /usr/local/bin/node
npm: 9.7.2 - /usr/local/bin/npm
Reproduction URL
https://github.com/nextauthjs/next-auth-example
Describe the issue
As per the documentation from Linkedin, I've set up a new LinkedIn app, and added "Sign In with LinkedIn using OpenID Connect" as a product.
At first I had some problems when not specifying scope.
```js
providers: [
  LinkedIn({
    clientId: process.env.LINKEDIN_ID,
    clientSecret: process.env.LINKEDIN_SECRET,
  })
],
pages: { signIn: '/register-cv' },
```
This returns an 'unauthorized_scope_error' for r_emailaddress. Managed to fix that issue by providing scopes as per the documentation from Microsoft:
Link: https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin-v2
Updated scopes to match the documentation from Microsoft:
```js
LinkedIn({
  clientId: process.env.LINKEDIN_ID,
  clientSecret: process.env.LINKEDIN_SECRET,
  authorization: { params: { scope: 'openid profile email' } }
})
```
Now getting this error:
```
https://next-auth.js.org/errors#oauth_callback_error unexpected iss value, expected undefined, got: https://www.linkedin.com {
  error: RPError: unexpected iss value, expected undefined, got: https://www.linkedin.com
      at Client.validateJWT (/home/deb/PhpstormProjects/cvmaker/node_modules/openid-client/lib/client.js:931:15)
      at Client.validateIdToken (/home/deb/PhpstormProjects/cvmaker/node_modules/openid-client/lib/client.js:766:60)
      at Client.callback (/home/deb/PhpstormProjects/cvmaker/node_modules/openid-client/lib/client.js:505:18)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
      at async oAuthCallback (/home/deb/PhpstormProjects/cvmaker/node_modules/next-auth/core/lib/oauth/callback.js:109:16)
      at async Object.callback (/home/deb/PhpstormProjects/cvmaker/node_modules/next-auth/core/routes/callback.js:52:11)
      at async AuthHandler (/home/deb/PhpstormProjects/cvmaker/node_modules/next-auth/core/index.js:208:28)
      at async NextAuthApiHandler (/home/deb/PhpstormProjects/cvmaker/node_modules/next-auth/next/index.js:22:19)
      at async NextAuth._args$ (/home/deb/PhpstormProjects/cvmaker/node_modules/next-auth/next/index.js:108:14) {
    name: 'OAuthCallbackError',
    code: undefined
  },
  providerId: 'linkedin',
  message: 'unexpected iss value, expected undefined, got: https://www.linkedin.com'
```
How to reproduce
1: Set up new app on Linkedin, add "Sign In with LinkedIn using OpenID Connect" as a product.
2: Add authentication provider for Linkedin: