Auth provider for Linkedin not working #8831
Comments
andersengenolsen
added
bug
SOLVEDAfter some debugging I managed to solve this. In case anyone else stumbles across this, since it's not well documented: If you're using Linkedin API V2, you do need to add some custom parameters to the Linkedin provider. The original issue was that the expected iss was undefined. Simply add issuer to OAuthConfig for the Linkedin provider:
This triggers a new error: 'jwks_uri must be configured on the issuer'. Add jwks_endpoint to OAuthConfig:
Again, this triggers a new error, where nextauth complains that the profile id is missing. Linkedin API V2 use "sub" not "id". Solved by overriding the profile function in OAuthConfig: Complete working provider for Linkedin using Linkedin API V2: |
|
This issue should be opened again, because every new app using SignIn with Linked will run into this issue (as I did). Reason: Microsoft has deprecated the old API as of August 1, 2023!
I'd suggest to keep the current Deprecated API:
New API
|
|
Hi, Fair point. Closed since I managed to solve it by setting some custom parameters, although I used quite some time on it. Reopening. Either way: Did you manage to get it to work using the provided solution? |
|
Yes, your solution works great. It saved me a lot of time digging deeper myself. :) |
|
Is it still working for you guys? Even with the snippet posted, I'm still getting an error: (I've double checked the client_id and client_secret multiple times already.. |
It's working. Can you please provide the complete code of [...nextauth.js]? Remember to remove ids and secrets. |
|
Thanks for you reply :) My code: |
|
I'm using |
God bless, this is the right solution and docs should be updated |
|
@andersengenolsen |
Hi, The sub parameter is an unique user identifier issued "within" the ID token (JWT) from Linkedin API V2 after authenticating. It's simply the user ID. Documentation available here: https://learn.microsoft.com/en-us/linkedin/consumer/ Also a bit out of scope, since we're discussing Nextauth.. :) |
Thanks for you response Basically they have restricted most of the api to a normal developer i believe? |
|
I'm still receiving Edit: This is working for me but I'm still receiving OAuthCallbackError intermittently. If you want to use it with an adapter you will need to increase the access_token default column length because Linkedin's access_token has more than 255 characters. |
Hi @jormaj , did you find a workaround for this ? I'm facing the same error.. |
|
Has anyone resolved this? I'm also getting the invalid_client error and can't work out why. |
|
I tried the same code in my route.ts inside app/api/auth/[...nextauth] folder: yet still I am running into this error |
|
Please read the error message completely. |
|
Thanks. Resolved it. 👍🏻 |
|
Hi everyone, I'm looking into this now. I think I found a bug in the LinkedIn OIDC implementation, I reached out to them and awaiting response. |
balazsorban44
added
providers
and removed
triage
Ah fantastic! Thanks for looking into this. Can confirm it's still an issue at my end. |
is this in reference to this error message?
because i'm also coming to the same conclusion |
I tried this exact same configuration in LinkedInProvider, but I am not getting user information. It's not giving any error, but I want user info like email, name etc |
|
@alxwest not really. I’m not sure if @balazsorban44 is still working with LinkedIn for a fix. The other option option would be for someone to work on the conform() method but that’s beyond my current knowledge so, I guess we will have to dig into the issue and hack around Auth.JS to work, even with LinkedIn not being OIDC spec compliant. |
|
Putting logs inside node module files and patching things, I managed to get this far. But, it fails with the Error: TODO: Handle OIDC response body error. So, I believe the token returned is not correct and needs to fixed by Linked In? |
stuck at this point too |
|
This has worked for me With auth scopes And my application is not verified yet |
@paschalidi I tried with those settings. Still doesn't work. May be you created this app a few months back? Could you please post the Products page? Mine looks like this. 
|
|
I only created it yesterday. 
|
|
@paschalidi Good for you. I even created a new one and tried it. Still the same error. Maybe the version of the next Auth or some other libraries has something to do with it? |
|
check the latest code LinkedIn openid connect implementation. currently, there are not support the code_verfier parameter and claim dose not return noce. |
|
@balazsorban44 I understand that auto discovery does not work as of today due to the mismatch in This should have worked. But @cocoBavan and @Shashwat61 and myself are all stuck at this stage with error:
On checking the details of the request for /v2/accessToken, I can see that there is a field As mentioned by @som-nitjsr, this |
@som-nitjsr Where did you get this from? It is correct, just asking for the source |
I have used c# .net core and this is how i have integrated. let me know which framework you are uisng }); |
|
also you can refer the c# code here where linkedin is connected uisng idp https://github.com/som-nitjsr/linkedidp |
|
I am using ASP.NET Core, but couldn't figure out why PKCE would result in
Furthermore, when you said: "check the latest code LinkedIn openid connect implementation" - I had the impression is that you're referring to an official or other publicly available implementation, so that's why I was asking for the source (the origin). Do you have that or did you figure this out on your own? |
|
@balazsmeszegeto you can also see that they dont support nonce claim from here https://www.linkedin.com/oauth/.well-known/openid-configuration?_l=en_US based on these i have written a solution here https://github.com/som-nitjsr/linkedidp |
|
Great job then! Still, I'd consider this as a bug in LinkedIn side, since nonce is mandatory as per OpenID C standard, and not an optional claim |
|
Anyone find the final solution, still facing same error |
|
Anyone with a workaround for this ? |
|
In case anyone comes across it, I had the same workaround in my codebase, until a different but similar error started showing: I set |
I can confirm this also worked for me. Must be a recent change in the API. |
|
Oh, it certainly is, I haven't gotten back a confirmation from them, but been asking for this for a while. Will fix it soon, now! |
|
Put up a PR with the |
|
Did anybody get LinkedIn working for NextAuth.js v5? With my current code, I get the LinkedIn login page, and a LinkedIn page where I press 'Allow' (this also shows it will redirect to localhost). After choosing Allow, my browser (now on http://localhost:3000/api/auth/error?error=Configuration) shows: Server error My logging shows: I tried many variants of this code, some resulting in different errors. But still havent seen it working. I got it working for GitHub, so I am confident that my base setup is correct. I am posting this here since this thread seems very relevant. Any help is appreciated :) |
I am in the exact same situation. |
|
Same configuration as @kafiln and @wowtah with the following error after callback from LinkedIn: Config: GitHub auth works as expected. |
|
Still facing this issue. Am I doing something wrong? As there are lots of solutions in this thread, still unsure what is the correct one. This is my LinkedIn provider and I have latest version of next-auth 4.24.7 And this is my linkedIn provider config: LinkedInProvider({
clientId: process.env.LINKEDIN_CLIENT_ID || "",
clientSecret: process.env.LINKEDIN_CLIENT_SECRET || "",
client: { token_endpoint_auth_method: "client_secret_post" },
authorization: {
url: "https://www.linkedin.com/oauth/v2/authorization",
params: { scope: "openid profile email" },
},
token: {
url: "https://www.linkedin.com/oauth/v2/accessToken",
},
userinfo: {
url: "https://api.linkedin.com/v2/userinfo",
},
wellKnown:
"https://www.linkedin.com/oauth/.well-known/openid-configuration",
issuer: "https://www.linkedin.com/oauth",
jwks_endpoint: "https://www.linkedin.com/oauth/openid/jwks",
profile(profile) {
const defaultImage =
"https://cdn-icons-png.flaticon.com/512/174/174857.png";
return {
id: profile.sub,
name: profile.name,
email: profile.email,
image: profile.picture ?? defaultImage,
};
},
}),ERROR: [next-auth][error][OAUTH_CALLBACK_ERROR]
https://next-auth.js.org/errors#oauth_callback_error id_token detected in the response, you must use client.callback() instead of client.oauthCallback() {
error: RPError: id_token detected in the response, you must use client.callback() instead of client.oauthCallback()
at Client.oauthCallback (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\openid-client\lib\client.js:632:15)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async oAuthCallback (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next-auth\core\lib\oauth\callback.js:111:16)
at async Object.callback (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next-auth\core\routes\callback.js:52:11)
at async AuthHandler (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next-auth\core\index.js:208:28)
at async NextAuthApiHandler (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next-auth\next\index.js:22:19)
at async K (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next\dist\compiled\next-server\pages-api.runtime.dev.js:21:2946)
at async U.render (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next\dist\compiled\next-server\pages-api.runtime.dev.js:21:3827)
at async DevServer.runApi (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next\dist\server\next-server.js:554:9)
at async NextNodeServer.handleCatchallRenderRequest (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next\dist\server\next-server.js:266:37)
at async DevServer.handleRequestImpl (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next\dist\server\base-server.js:789:17)
at async C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next\dist\server\dev\next-dev-server.js:331:20
at async Span.traceAsyncFn (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next\dist\trace\trace.js:151:20)
at async DevServer.handleRequest (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next\dist\server\dev\next-dev-server.js:328:24)
at async invokeRender (C:\Users\Lenovo\Documents\new.ontourism.academy\node_modules\next\dist\server\lib\router-server.js:174:21) {
name: 'OAuthCallbackError',
code: undefined
},
providerId: 'linkedin',
message: 'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()'
} |
|
I am also still getting an error: |
and others
Environment
System:
OS: Linux 6.2 Ubuntu 22.04.3 LTS 22.04.3 LTS (Jammy Jellyfish)
CPU: (12) x64 AMD Ryzen 5 3600X 6-Core Processor
Memory: 2.63 GB / 15.53 GB
Container: Yes
Shell: 5.1.16 - /bin/bash
Binaries:
Node: 20.4.0 - /usr/local/bin/node
npm: 9.7.2 - /usr/local/bin/npm
Reproduction URL
https://github.com/nextauthjs/next-auth-example
Describe the issue
As per the documentation from Linkedin, I've set up a new LinkedIn app, and added "Sign In with LinkedIn using OpenID Connect" as a product.
At first I had some problems when not specifying scope.
providers: [ LinkedIn({ clientId: process.env.LINKEDIN_ID, clientSecret: process.env.LINKEDIN_SECRET, }) ], pages: { signIn: '/register-cv' },This returns an 'unauthorized_scope_error' for r_emailaddress. Managed to fix that issue by providing scopes as per the documentation from Microsoft:
Link: https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin-v2
Updated scopes to match the documentation from Microsoft:
LinkedIn({ clientId: process.env.LINKEDIN_ID, clientSecret: process.env.LINKEDIN_SECRET, authorization: { params: { scope: 'openid profile email' } }})Now getting this error:
https://next-auth.js.org/errors#oauth_callback_error unexpected iss value, expected undefined, got: https://www.linkedin.com { error: RPError: unexpected iss value, expected undefined, got: https://www.linkedin.com at Client.validateJWT (/home/deb/PhpstormProjects/cvmaker/node_modules/openid-client/lib/client.js:931:15) at Client.validateIdToken (/home/deb/PhpstormProjects/cvmaker/node_modules/openid-client/lib/client.js:766:60) at Client.callback (/home/deb/PhpstormProjects/cvmaker/node_modules/openid-client/lib/client.js:505:18) at process.processTicksAndRejections (node:internal/process/task_queues:95:5) at async oAuthCallback (/home/deb/PhpstormProjects/cvmaker/node_modules/next-auth/core/lib/oauth/callback.js:109:16) at async Object.callback (/home/deb/PhpstormProjects/cvmaker/node_modules/next-auth/core/routes/callback.js:52:11) at async AuthHandler (/home/deb/PhpstormProjects/cvmaker/node_modules/next-auth/core/index.js:208:28) at async NextAuthApiHandler (/home/deb/PhpstormProjects/cvmaker/node_modules/next-auth/next/index.js:22:19) at async NextAuth._args$ (/home/deb/PhpstormProjects/cvmaker/node_modules/next-auth/next/index.js:108:14) { name: 'OAuthCallbackError', code: undefined }, providerId: 'linkedin', message: 'unexpected iss value, expected undefined, got: https://www.linkedin.com'How to reproduce
1: Set up new app on Linkedin, add "Sign In with LinkedIn using OpenID Connect" as a product.
2: Add authentication provider for Linkedin:
The text was updated successfully, but these errors were encountered: