
"unauthorized_scope_error" for LinkedIn - Current LinkedIn OAuth method is deprecated: migrate to OIDC #1216

Closed
jack-michaud opened this issue Aug 11, 2023 · 22 comments
Labels
bug Something isn't working

Comments

@jack-michaud

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

When attempting to log in with LinkedIn on a new Supabase project, I get this error:

[image]

Here is the URL of the error page:

https://api.linkedin.com/oauth/v2/authorization?client_id=78l5s566gf425m&redirect_to=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F%3Ferror%3Dunauthorized_scope_error%26error_description%3DScope%2B%2526quot%253Br_emailaddress%2526quot%253B%2Bis%2Bnot%2Bauthorized%2Bfor%2Byour%2Bapplication%2F&redirect_uri=https%3A%2F%2Fdbtdfqgdpjdmqjuozvfn.supabase.co%2Fauth%2Fv1%2Fcallback&response_type=code&scope=r_emailaddress+r_liteprofile&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2OTE3NjAxNTIsInNpdGVfdXJsIjoiaHR0cHM6Ly9taW5kZnVsZGF0YWFpLmNvbS9hcHAiLCJpZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCIsImZ1bmN0aW9uX2hvb2tzIjpudWxsLCJwcm92aWRlciI6ImxpbmtlZGluIiwicmVmZXJyZXIiOiJodHRwczovL21pbmRmdWxkYXRhYWkuY29tL2FwcCIsImZsb3dfc3RhdGVfaWQiOiIifQ.HzKX4BvpLoNIycBomDeJPDohliL2ANnDZkR40hO2dHo

There does seem to be an error embedded in the URL: 'unauthorized_scope_error: scope "r_emailaddress" is not authorized for your application.'

After some digging, I found that r_emailaddress is the scope you get through the now deprecated "Sign In with LinkedIn" product. From https://www.linkedin.com/pulse/how-get-signin-linkedin-work-taric-andrade/,

[image]

However, as Sign In with LinkedIn has been deprecated since Aug 1 2023, (deprecation notice), this option is no longer available to new app developers.

My app has the following products enabled with the following scopes:

[image]

[image]

To Reproduce

  1. Follow the steps for LinkedIn Auth from Log In with LinkedIn with a new LinkedIn app
  2. Request the scopes for "Sign In With LinkedIn using OpenID Connect"
  3. Attempt to log in with LinkedIn
  4. See error

Expected behavior

We should be able to log in with the scopes available to app developers.

Screenshots

See Additional Context.

System information

  • OS: [e.g. macOS, Windows]
  • Browser (if applies) [e.g. chrome, safari]
  • Version of supabase-js: [e.g. 6.0.2]
  • Version of Node.js: [e.g. 10.10.0]

Additional context

The code to login was pulled from the Log In with LinkedIn docs:

  const { data, error } = await supabaseClient.auth.signInWithOAuth({
    provider,
  });

Supabase seems to automatically attempt to request these scopes even though they are now impossible to get. https://github.com/supabase/gotrue/blob/4ff1fe058cfab418c445808004091e89dcf87124/internal/api/provider/linkedin.go#L78

@jack-michaud jack-michaud added the bug Something isn't working label Aug 11, 2023
@juliabower

I'm having the same issue

@hf
Contributor

hf commented Aug 14, 2023

Generally switching to OIDC shouldn't be too hard. Some community help would be appreciated as the team won't be able to pick this up too quickly.

@Cpt0Teemo

We have run into the same issue, r_emailaddress has been changed to email for us. Needs to be checked out more though.

@ShueiYang

I also ran into the issue: when creating a new app in LinkedIn, the OAuth no longer works, and I get errors like Uncaught ReferenceError: require is not defined and the api.linkdln.com/li/track 404 not found.

@Cpt0Teemo

I've tried seeing what happens if we modify just the scopes added by gotrue to see if it was just a quick fix to change the scopes "r_emailaddress" and "r_liteprofile" to openid, profile and email. This sends us to the correct linkedin login page with the successful consent page before successfully redirecting us to the correct supabase callback. The callback is called with the query parameters "code" and "state".
Sadly supabase then redirects to our website with the following error:
/?error=server_error&error_description=Error+getting+user+email+from+external+provider
I am unsure whether supabase was expecting an email in the JWT given in "state", which does not have one (unsure if it did give one before), or if there is another call, or should now be another call, done by supabase trying to retrieve the email from LinkedIn after the login using the token returned.

@jack-michaud
Author

Generally switching to OIDC shouldn't be too hard. Some community help would be appreciated as the team won't be able to pick this up too quickly.

@hf Is the Apple provider a good starting point to draw inspiration from? Are there any pitfalls to be aware of here?

@alexcraig043

alexcraig043 commented Aug 16, 2023

I've tried seeing what happens if we modify just the scopes added by gotrue to see if it was just a quick fix to change the scopes "r_emailaddress" and "r_liteprofile" to openid, profile and email. This sends us to the correct linkedin login page with the successful consent page before successfully redirecting us to the correct supabase callback. The callback is called with the query parameters "code" and "state". Sadly supabase then redirects to our website with the following error: /?error=server_error&error_description=Error+getting+user+email+from+external+provider I am unsure whether supabase was expecting an email in the JWT given in "state", which does not have one (unsure if it did give one before), or if there is another call, or should now be another call, done by supabase trying to retrieve the email from LinkedIn after the login using the token returned.

I have the exact same experience currently.

Seems like the oauthScopes on lines 78-79 should be changed?

https://github.com/supabase/gotrue/blob/master/internal/api/provider/linkedin.go#L16

@mansueli
Member

Can you test it with the scopes in the LinkedIn docs after changing it, @alexcraig043?
I think this might be what's required to fix the issue.

https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin-v2?context=linkedin%2Fconsumer%2Fcontext#validating-id-tokens

{
    "issuer": "https://www.linkedin.com",
    "authorization_endpoint": "https://www.linkedin.com/oauth/v2/authorization",
    "token_endpoint": "https://www.linkedin.com/oauth/v2/accessToken",
    "userinfo_endpoint": "https://api.linkedin.com/v2/userinfo",
    "jwks_uri": "https://www.linkedin.com/oauth/openid/jwks",
    "response_types_supported": [
        "code"
    ],
    "subject_types_supported": [
        "pairwise"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "scopes_supported": [
        "openid",
        "profile",
        "email"
    ],
    "claims_supported": [
        "iss",
        "aud",
        "iat",
        "exp",
        "sub",
        "name",
        "given_name",
        "family_name",
        "picture",
        "email",
        "email_verified",
        "locale"
    ]
}
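The two observations above (the legacy r_emailaddress / r_liteprofile scopes must become openid, profile and email, and the provider then has to obtain the email from the userinfo endpoint rather than expecting it elsewhere) can be exercised against the discovery document just quoted. The following Go program is an added example written for this thread; it is not code from gotrue, from the linked branches, or from any commenter. It parses a constructed copy of the discovery document, checks requested scopes against scopes_supported (the legacy scope fails exactly the way the unauthorized_scope_error at the top of the issue describes), builds the authorization URL, and decodes a constructed /v2/userinfo response, refusing to create a user without an email. The client id, redirect URI, state value and the userinfo payload are placeholders or constructed sample data, not real values.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Discovery holds the fields of the LinkedIn OIDC discovery document
// (quoted above in this thread) that a provider implementation needs.
type Discovery struct {
	Issuer                string   `json:"issuer"`
	AuthorizationEndpoint string   `json:"authorization_endpoint"`
	TokenEndpoint         string   `json:"token_endpoint"`
	UserinfoEndpoint      string   `json:"userinfo_endpoint"`
	ScopesSupported       []string `json:"scopes_supported"`
}

// OIDCScopes replace the legacy r_liteprofile / r_emailaddress pair that
// LinkedIn no longer grants to apps created after the API change.
var OIDCScopes = []string{"openid", "profile", "email"}

// DiscoveryJSON is a copy of the document quoted above, trimmed to the fields
// used here (embedded for this example rather than fetched over the network).
const DiscoveryJSON = `{
  "issuer": "https://www.linkedin.com",
  "authorization_endpoint": "https://www.linkedin.com/oauth/v2/authorization",
  "token_endpoint": "https://www.linkedin.com/oauth/v2/accessToken",
  "userinfo_endpoint": "https://api.linkedin.com/v2/userinfo",
  "scopes_supported": ["openid", "profile", "email"]
}`

// SampleUserInfo is a constructed /v2/userinfo response built from the claims
// the discovery document lists; it is not a real LinkedIn payload.
const SampleUserInfo = `{"sub":"constructed-sub-1","name":"Jane Doe","given_name":"Jane",
 "family_name":"Doe","locale":"en-US","email":"jane@example.test","email_verified":true}`

// ParseDiscovery decodes the document and rejects one missing an endpoint we use.
func ParseDiscovery(raw []byte) (*Discovery, error) {
	var d Discovery
	if err := json.Unmarshal(raw, &d); err != nil {
		return nil, err
	}
	if d.AuthorizationEndpoint == "" || d.TokenEndpoint == "" || d.UserinfoEndpoint == "" {
		return nil, errors.New("discovery document is missing a required endpoint")
	}
	return &d, nil
}

// CheckScopes reports the first requested scope the issuer does not advertise.
// Asking for a scope outside scopes_supported is the mismatch LinkedIn reports
// as unauthorized_scope_error at the top of this issue.
func CheckScopes(d *Discovery, requested []string) error {
	supported := map[string]bool{}
	for _, s := range d.ScopesSupported {
		supported[s] = true
	}
	for _, s := range requested {
		if !supported[s] {
			return fmt.Errorf("scope %q is not supported by issuer %s", s, d.Issuer)
		}
	}
	return nil
}

// BuildAuthURL assembles the authorization request with the OIDC scopes.
// state must be unguessable and checked again when the callback arrives.
func BuildAuthURL(d *Discovery, clientID, redirectURI, state string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", strings.Join(OIDCScopes, " "))
	q.Set("state", state)
	return d.AuthorizationEndpoint + "?" + q.Encode()
}

// UserInfo is the subset of userinfo claims mapped onto the provider's user.
type UserInfo struct {
	Sub           string `json:"sub"`
	Name          string `json:"name"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
}

// ParseUserInfo decodes the userinfo response. A missing email becomes an
// error instead of an empty user, which is what surfaces as the
// "Error getting user email from external provider" redirect seen above.
func ParseUserInfo(raw []byte) (*UserInfo, error) {
	var u UserInfo
	if err := json.Unmarshal(raw, &u); err != nil {
		return nil, err
	}
	if u.Sub == "" {
		return nil, errors.New("userinfo response has no sub claim")
	}
	if u.Email == "" {
		return nil, errors.New("error getting user email from external provider")
	}
	return &u, nil
}

func main() {
	d, err := ParseDiscovery([]byte(DiscoveryJSON))
	if err != nil {
		panic(err)
	}
	fmt.Println("legacy scope:", CheckScopes(d, []string{"r_emailaddress"}))
	fmt.Println(BuildAuthURL(d, "CLIENT_ID_PLACEHOLDER", "https://example.test/auth/v1/callback", "STATE_PLACEHOLDER"))
	fmt.Println(ParseUserInfo([]byte(SampleUserInfo)))
}
```

Keeping the email_verified claim on the decoded user matters for a provider that links external identities to existing accounts by email address: an unverified address from the identity provider should not be enough to attach a login to an existing account.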

@tobias-istvan

tobias-istvan commented Aug 22, 2023

Hello,

While I'm not well-versed in Go development, I've made an attempt to address the issue. I kindly request a Go developer to review my proposed solution located at: https://github.com/tobias-istvan/gotrue/tree/fix/linkedin-auth.

I tested the solution locally and successfully managed to log in using GoTrueJs. I was able to obtain an access code; however, I encountered a challenge when attempting to proceed with further testing. Could someone with expertise in this area please assess and validate the provided solution?

Changed file: https://github.com/tobias-istvan/gotrue/blob/fix/linkedin-auth/internal/api/provider/linkedin.go

Thank you.

@AMUZY

AMUZY commented Aug 24, 2023

Can you test it with the scopes in the LinkedIn docs after changing it, @alexcraig043? I think this might be what's required to fix the issue.

https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin-v2?context=linkedin%2Fconsumer%2Fcontext#validating-id-tokens

{
    "issuer": "https://www.linkedin.com",
    "authorization_endpoint": "https://www.linkedin.com/oauth/v2/authorization",
    "token_endpoint": "https://www.linkedin.com/oauth/v2/accessToken",
    "userinfo_endpoint": "https://api.linkedin.com/v2/userinfo",
    "jwks_uri": "https://www.linkedin.com/oauth/openid/jwks",
    "response_types_supported": [
        "code"
    ],
    "subject_types_supported": [
        "pairwise"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "scopes_supported": [
        "openid",
        "profile",
        "email"
    ],
    "claims_supported": [
        "iss",
        "aud",
        "iat",
        "exp",
        "sub",
        "name",
        "given_name",
        "family_name",
        "picture",
        "email",
        "email_verified",
        "locale"
    ]
}

Bro I've been struggling to set this up in Next Auth. I'm trying to authenticate users with LinkedIn. I just can't figure it out. Any help please? I get the message: 'jwks_uri must be configured on the issuer'

@kangmingtay
Member

Hey everyone, the current linkedin oauth provider in gotrue will only work for linkedin oauth apps created before this API change - we haven't started on the new implementation for OIDC yet due to the lack of bandwidth. As @hf mentioned (#1216 (comment)), some community help here would be appreciated!

I see that @tobias-istvan has kindly contributed a PR for this but it can't modify the existing linkedin oauth provider since it's a breaking change as existing oauth apps rely on it. A new linkedin provider needs to be created - you can consider naming it linkedin-oidc or linkedin-v2.

@alexcraig043

@kangmingtay would the fix be as simple as making a separate linkedin-oidc file that has @tobias-istvan's updated code?

@kangmingtay
Member

@alexcraig043 unfortunately, no. There are some other places where changes need to be made like adding a case for the new provider here. Ideally, you would also want to be able to run gotrue locally and test out the new provider implementation to be sure that it works before making the PR.

@thomastilkema

I decided to skip using Supabase for logging in with LinkedIn. There's a very clear page on how to login with LinkedIn on one of their documentation pages. It helped me a lot so far: Authorization Code Flow (3-legged OAuth)

@ajstokar

Having the same problem as well and so is Auth0. Who is going to fix it first?

kangmingtay added a commit that referenced this issue Sep 25, 2023
… applications (#1248)

## What kind of change does this PR introduce?

This PR introduces a new linkedin provider to address issues related to
the current LinkedIn provider no longer being available for new
applications.

## What is the current behavior?

LinkedIn applications created after 1st of August experience
difficulties while attempting to log in with GoTrue due to incorrect
scope requests.

Relevant issue:
#1216 (comment)
Relevant initial fix however would lead to breaking existing apps -
#1232

## What is the new behavior?

This PR aims to rectify the issue by adding a new provider with the
updated OAuth scopes. Specifically, the scopes openid, email, and
profile will be utilized. Additionally, the method of collecting profile
information is updated, employing the /v2/userinfo API endpoint.

Visual changes: No visual changes.

## Additional context

I've taken the initial updates from PR
#1232 into the new providers
while also adding the relevant settings and provider implementations. I
don't know much in terms of this library so would love to get additional
feedback.

I validated that the -
http://localhost:9999/authorize?provider=linkedin-oidc workflow worked
locally and had the relevant information in the Claim

---------

Co-authored-by: Kang Ming <kang.ming1996@gmail.com>
@elmaester

Need a fix please 🙏🏻

kangmingtay added a commit that referenced this issue Sep 26, 2023
## What kind of change does this PR introduce?
* Add OIDC support for the linkedin provider as highlighted
[here](https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin-v2#validating-id-tokens)
* Addresses #1216
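The commit above points at LinkedIn's "validating ID tokens" guidance, and the discovery document quoted earlier in the thread lists RS256 as the only signing algorithm and iss, aud, iat and exp among the claims. The Go program below is an added example written for this thread, not code from gotrue or from the merged PR, showing the verification steps a provider applies to the id_token before trusting its sub and email: the algorithm pinned to RS256, the signature checked under the issuer's public key, iss compared to the issuer, aud compared to our own client id, and exp compared to the clock. Because it has to run offline, it mints its own RS256 token with a throwaway key (GenerateTestKey and SignIDToken exist only for that purpose; a real provider fetches the public key from jwks_uri and never signs). The aud claim is assumed to be a plain string holding the client id; the client id, subject and email are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// LinkedInIssuer is the iss value from the discovery document quoted above.
const LinkedInIssuer = "https://www.linkedin.com"

// IDClaims are the id_token claims the discovery document advertises; aud is
// assumed to be a plain string (the client id) rather than the JSON array form.
type IDClaims struct {
	Iss           string `json:"iss"`
	Aud           string `json:"aud"`
	Iat           int64  `json:"iat"`
	Exp           int64  `json:"exp"`
	Sub           string `json:"sub"`
	Email         string `json:"email,omitempty"`
	EmailVerified bool   `json:"email_verified,omitempty"`
}

var b64 = base64.RawURLEncoding

// GenerateTestKey makes a throwaway RSA key standing in for the key LinkedIn
// publishes at jwks_uri; a real provider fetches and caches that JWKS instead.
func GenerateTestKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignIDToken mints a JWT so the example can verify one offline. In the real
// flow LinkedIn signs; the provider never holds the private key.
func SignIDToken(key *rsa.PrivateKey, alg string, claims IDClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken applies the checks the linked LinkedIn page describes: alg
// pinned to RS256 (the only value the discovery document lists), signature
// under the issuer's key, iss, aud equal to our client id, exp still ahead.
func VerifyIDToken(token string, pub *rsa.PublicKey, clientID string, now time.Time) (*IDClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed id_token")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	bodyJSON, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("id_token is not base64url")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// The token never gets to choose its own algorithm ("none", HS256, ...).
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return nil, errors.New("id_token signature does not verify")
	}
	var c IDClaims
	if err := json.Unmarshal(bodyJSON, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != LinkedInIssuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != clientID:
		return nil, errors.New("id_token audience is not this client")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("id_token has expired")
	}
	return &c, nil
}

func main() {
	key, _ := GenerateTestKey()
	now := time.Now()
	tok, _ := SignIDToken(key, "RS256", IDClaims{Iss: LinkedInIssuer, Aud: "CLIENT_ID_PLACEHOLDER",
		Iat: now.Unix(), Exp: now.Add(time.Hour).Unix(), Sub: "constructed-sub", Email: "jane@example.test"})
	fmt.Println(VerifyIDToken(tok, &key.PublicKey, "CLIENT_ID_PLACEHOLDER", now))
}
```

The signature is checked before the claims are read so that nothing in an unverified payload influences the outcome, and the header is consulted only to confirm the pinned algorithm; selecting the verification routine from the token's own alg field is the classic JWT mistake this ordering avoids.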
@kangmingtay
Member

hey everyone, @josmo has kindly contributed a fix for this and we've just reviewed and merged the changes! we're looking at a rough timeline of 1-2 weeks before this is rolled out to all projects on the platform. There are a bunch of backward compatibility checks we need to iron out before this goes out to prevent existing apps using the old linkedin API from breaking.

thanks so much for everyone's patience!

@samducker

Hi @kangmingtay any eta on this being rolled out now it's been 2 weeks?

@meera

meera commented Oct 16, 2023

Any ETA on this issue?

@kangmingtay
Member

hey @samducker and @meera and everyone else here, we've released the linkedin oidc provider to prod already - please check out the updated docs here

with supabase-js v2.38.2, you should be able to do the following to use the new linkedin provider

  const { data, error } = await supabase.auth.signInWithOAuth({
    provider: 'linkedin_oidc'
  })

@prnews-io-tech

prnews-io-tech commented Nov 21, 2023

@kangmingtay Hello! I'm using supabase-js v2.38.4 via @nuxtjs/supabase and keep getting this error on redirect:

Unsupported provider: Provider linkedin_oidc could not be found

My URL looks like: /auth/v1/authorize?provider=linkedin_oidc

@ahmedabdelkafi1

I encountered the following error: {'code': 400, 'msg': 'Unsupported provider: Provider linkedin_oidc could not be found'}. Is there a solution available?
