Feature: Login with LinkedIn about fusionauth-issues HOT 25 CLOSED

A patch is coming out today that will allow this use case to work.

from fusionauth-issues.

This should work for you again in version 1.17.2

from fusionauth-issues.

Can you please update the LinkedIn changes also?

from fusionauth-issues.

@joydeb28 did you try the above configuration?

from fusionauth-issues.

Yes. I am getting "A request to the OpenID Connect Token API has failed. Unable to complete this login request." at the time of login.

from fusionauth-issues.

If you enable debug on the OpenID Connect IdP configuration what is in the debug event log? (System > Event Log)

from fusionauth-issues.

Event Logs:
Request to the [https://www.linkedin.com/oauth/v2/accessToken] endpoint failed. Status code [400]

Error response is
{
"error" : "invalid_request",
"error_description" : "A required parameter "client_secret" is missing"
}

from fusionauth-issues.

I think LinkedIn is looking for the client_secret in the request body.
https://docs.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin/consumer/context

So in your OpenID Connect IdP config, change Client Authentication method from "HTTP basic authentication" to "Request body".

from fusionauth-issues.

I changed the Client authentication method to "client_secret_post" and it worked. I got the token.
But getting the below error.
{
"elements" : [ {
"handle~" : {
"emailAddress" : "[email protected]"
},
"handle" : "urn:li:emailAddress:655618093"
} ]
}
6/16/2020 06:31:03 PM GMT The identity provider was unable to reconcile the email address. An email address is required to complete this request.

from fusionauth-issues.

I added the reconcile lambda as you mentioned. But the above error I am getting now.

from fusionauth-issues.

Dump the contents of the incoming jwt to see what is in it, and then adjust your lambda accordingly.

Example:

function reconcile(user, registration, jwt) {
  console.debug(jwt, null, 2);
  //user.email = jwt.elements[0]['handle~'].emailAddress;
}

It could be the example Lambda above is not longer correct.

from fusionauth-issues.

In the Event logs, I am getting only this.

{
  "elements" : [ {
    "handle~" : {
      "emailAddress" : "[email protected]"
    },
    "handle" : "urn:li:emailAddress:655618093"
  } ]
}

from fusionauth-issues.

Ok, so the lambda looks correct. This "hack" used to work, I think a change we made in 1.17.0 may have broken that.

If I am correct, it will work on 1.16.0, but not 1.17.0.

We'd either have to fully support a LinkedIn login option, or add another configuration option to allow a reconcile lambda to override the user.email field.

from fusionauth-issues.

For now any suggestion to make it ready?

from fusionauth-issues.

No work around at the moment.

We've discuss removing this limitation on the lambda, and allowing it to set the user.email field and just add a warning to the Lambda configuration indicating the risks.

from fusionauth-issues.

Thanks for this quick fix.

from fusionauth-issues.

@joydeb28 let me know if it works for you, there may be an edge case yet where this may not work as you'd like.

from fusionauth-issues.

@robotdan
Not working, still the same problem.

from fusionauth-issues.

@joydeb28 once version 1.17.3 is available, you should be able to make LinkedIn work again. I updated the comments for the workaround in the main description above.

The configuration will have a new field for Email claim which will default to email. For LinkedIn you'll be able to set it to elements/0/handle~0/emailAddress.

from fusionauth-issues.

Thanks @robotdan
It's working, now I am getting the email.
I set scope=r_liteprofile%20r_emailaddress%20w_member_social but I'm not getting the profile details.

from fusionauth-issues.

@robotdan
Can you please help me to get the full profile?

from fusionauth-issues.

You'll have to use the Microsoft documentation to identify the correct scope or URL to use.
https://docs.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin/consumer/context

from fusionauth-issues.

@robotdan I'm trying to add login with LinkedIn, the above settings will only query for email address since the userinfo endpoint is https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~)) and not for profile information such as first name and last name but for profile information the userinfo endpoint should be set as https://api.linkedin.com/v2/me , how to basically query for endpoint which will return both the profile information and email address. The above configuration only adds email address.

https://docs.microsoft.com/en-us/linkedin/shared/integrations/people/profile-api

from fusionauth-issues.

Hi @robotdan did you get a chance to review this

from fusionauth-issues.

It's happening... :-)

from fusionauth-issues.