Unverified Commit df12c07c authored by Patrick, committed by GitHub

add config template entry for LinkedIn OIDC (#78)


* add config template entry for LinkedIn OIDC

* update LinkedIn docs and add deprecation warnings

---------

Co-authored-by: gary_windham <windhamg@gmail.com>
parent aeb8e1a4
...@@ -3,48 +3,29 @@ ...@@ -3,48 +3,29 @@
**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)* **Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)*
- [LinkedIn as authsource](#linkedin-as-authsource) - [LinkedIn as authsource](#linkedin-as-authsource)
- [Enabling OIDC in your LinkedIn App](#enabling-oidc-in-your-linkedin-app)
- [Usage](#usage) - [Usage](#usage)
- [Migrarting from OAuth v1 authlinkedin](#migrarting-from-oauth-v1-authlinkedin)
<!-- END doctoc generated TOC please keep comment here to allow auto update --> <!-- END doctoc generated TOC please keep comment here to allow auto update -->
# LinkedIn as authsource # LinkedIn as authsource
LinkedIn recommends using OAuth2 and their v2 apis. Their v1 apis and The `LinkedInV2Auth` authsource has been deprecated, and we now recommend the use of OIDC, which is enabled in the LinkedIn developer portal via their [Sign In with LinkedIn V2](https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin-v2#what-is-openid-connect) product. Use of OIDC facilitates the use of standard configuration patterns and claims endpoints.
OAuth1 endpoints are being shutdown. LinkedIn v2 apis return data in a
more complex format (json keys change based on language) and require ## Enabling OIDC in your LinkedIn App
additional API calls to get an email address. You need to use the
`authoauth2:LinkedInV2Auth` authsource since LinkedIn doesn't conform OIDC can be enabled in your existing LinkedIn App by simply adding **Sign In with LinkedIn v2** to your app's products. See the [Cirrus Identity Blog article](https://blog.cirrusidentity.com/enabling-linkedins-oidc-authentication) for details.
the expected OIDC/OAuth pattern.
# Usage # Usage
```php ```php
'linkedin' => [ 'linkedin' => [
'authoauth2:LinkedInV2Auth', 'authoauth2:OAuth2',
'template' => 'LinkedInOIDC',
'clientId' => $apiKey, 'clientId' => $apiKey,
'clientSecret' => $apiSecret, 'clientSecret' => $apiSecret,
// Adjust the scopes: default is to request email and liteprofile // Adjust the scopes: default is to request 'openid' (required),
// 'scopes' => ['r_liteprofile'], // 'profile' and 'email'
], // 'scopes' => ['openid', 'profile'],
``` ]
# Migrating from OAuth v1 authlinkedin
The `authlinkedin` module bundled with most versions of SSP uses
deprecated OAuth v1 and v1 API endpoints. To migrate to the new
LinkedIn API you will need to add a [redirect URI to your linkedin
application](https://docs.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin/consumer/context). The
redirect URI is
https://hostname/SSP_PATH/module.php/authoauth2/linkback.php
You will then need to change your `authsource` configuration to match the example usage above.
On your IdP side you may need to use `linkedin2name` from this module rather than `authlinkedin`.
```php
// Convert linkedin names to ldap friendly names
10 => array('class' => 'core:AttributeMap', 'authoauth2:linkedin2name'),
``` ```
There are some minor changes in user experience and consent which are outlined in [our blog post](https://blog.cirrusidentity.com/linkedin-user-interaction-changes).
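Review bot: the removed "Migrating from OAuth v1 authlinkedin" section was the only place these docs stated the redirect URI that has to be registered on the LinkedIn application (`https://hostname/SSP_PATH/module.php/authoauth2/linkback.php`); that registration is still needed for the authorization-code flow behind the OIDC product, so the new "Enabling OIDC in your LinkedIn App" section should carry the redirect URI itself rather than delegating the whole setup to the blog post, and should say whether the `authoauth2:linkedin2name` attribute map still applies or is retired with `LinkedInV2Auth`. Two smaller points in the Usage block: the new example closes with `]` where the old one had `],`, which breaks as soon as the entry is pasted into an `authsources.php` array that has further entries, and the scopes comment says `'openid'` is required while the sample override `['openid', 'profile']` is the only hint of that; state plainly that any `scopes` override must keep `openid`, otherwise the request is no longer an OIDC one and the userinfo endpoint will not return the expected claims.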
<?php <?php
/**
* DEPRECATED -- see docs/LINKEDIN.md
*/
/** /**
* Created by PhpStorm. * Created by PhpStorm.
* User: patrick * User: patrick
......
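Review bot: the deprecation notice is added as a separate `/** DEPRECATED -- see docs/LINKEDIN.md */` block stacked above the existing `Created by PhpStorm` docblock, so the block that IDEs and phpDocumentor actually associate with the class is still the PhpStorm one. Fold it into that docblock as a `@deprecated` tag naming the replacement (the `LinkedInOIDC` template with `authoauth2:OAuth2`), so static analysis flags any remaining `LinkedInV2Auth` authsources instead of relying on someone reading the comment.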
...@@ -86,6 +86,7 @@ class ConfigTemplate ...@@ -86,6 +86,7 @@ class ConfigTemplate
'label' => 'linkedin' 'label' => 'linkedin'
]; ];
// Deprecated
public const LinkedInV2 = [ public const LinkedInV2 = [
'authoauth2:LinkedInV2Auth', 'authoauth2:LinkedInV2Auth',
// *** LinkedIn Endpoints *** // *** LinkedIn Endpoints ***
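Review bot: `// Deprecated` on the `LinkedInV2` constant is a bare line comment that no tooling will pick up; put a `/** @deprecated use LinkedInOIDC */` docblock on the constant instead and name the replacement there, since a reader of ConfigTemplate otherwise has to scroll down to guess which entry supersedes it.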
...@@ -105,6 +106,21 @@ class ConfigTemplate ...@@ -105,6 +106,21 @@ class ConfigTemplate
'label' => 'linkedin' 'label' => 'linkedin'
]; ];
//https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin-v2
public const LinkedInOIDC = [
'authoauth2:OAuth2',
// *** LinkedIn oidc Endpoints ***
'urlAuthorize' => 'https://www.linkedin.com/oauth/v2/authorization',
'urlAccessToken' => 'https://www.linkedin.com/oauth/v2/accessToken',
'urlResourceOwnerDetails' => 'https://api.linkedin.com/v2/userinfo',
'attributePrefix' => 'oidc.',
'scopes' => ['openid', 'email', 'profile'],
'scopeSeparator' => ' ',
// Improve log lines
'label' => 'linkedin'
];
//https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc //https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
//https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration //https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
// WARNING: The OIDC user resource endpoint only returns sub, which is a targeted id. // WARNING: The OIDC user resource endpoint only returns sub, which is a targeted id.
......
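Review bot: the `LinkedInOIDC` template hardcodes the three endpoints with only the product page as a reference, whereas the neighbouring Microsoft template cites the provider's `.well-known/openid-configuration` so the values can be re-verified; add the equivalent discovery reference for LinkedIn if one is published, and note in the template comment that `scopes` overrides must retain `openid` (the docs in this same commit call it required) so the `attributePrefix => 'oidc.'` claims from `urlResourceOwnerDetails` are actually populated. Also worth recording in a comment that the `email` scope is requested by default, since this template will release an email attribute to the IdP out of the box where `LinkedInV2` needed an extra call.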