discourse/lib/auth/linkedin_oidc_authenticator.rb
Ted Johansson 9e31135eca
FEATURE: Allow users to sign in using LinkedIn OpenID Connect ()
LinkedIn has grandfathered its old OAuth2 provider. This can only be used by existing apps. New apps have to use the new OIDC provider.

This PR adds a linkedin_oidc provider to core. This will exist alongside the discourse-linkedin-auth plugin, which will be kept for those still using the deprecated provider.
2024-04-19 18:47:30 +08:00


# frozen_string_literal: true
# Discourse authenticator for "Sign In with LinkedIn" over OpenID Connect.
#
# The nested +LinkedInOidc+ strategy is a small OmniAuth OAuth2 strategy that
# exchanges the authorization code at LinkedIn and then reads the user's
# claims from the OIDC userinfo endpoint using the resulting access token.
class Auth::LinkedInOidcAuthenticator < Auth::ManagedAuthenticator
  # OmniAuth strategy wired to LinkedIn's OIDC endpoints.
  class LinkedInOidc < OmniAuth::Strategies::OAuth2
    # Path of the OIDC userinfo endpoint, relative to +client_options[:site]+.
    USERINFO_PATH = "/v2/userinfo"

    option :name, "linkedin_oidc"
    option :client_options,
           {
             site: "https://api.linkedin.com",
             authorize_url: "https://www.linkedin.com/oauth/v2/authorization?response_type=code",
             token_url: "https://www.linkedin.com/oauth/v2/accessToken",
           }
    # Standard OIDC scopes: +openid+ for the identity, +profile+ for the name
    # and picture claims, +email+ for the e-mail claim.
    option :scope, "openid profile email"

    # Stable subject identifier of the user at LinkedIn.
    uid { raw_info["sub"] }

    # Map the userinfo claims onto the OmniAuth info hash.
    info do
      claims = raw_info
      {
        email: claims["email"],
        first_name: claims["given_name"],
        last_name: claims["family_name"],
        image: claims["picture"],
      }
    end

    # Expose the complete userinfo response to downstream consumers.
    extra do
      { "raw_info" => raw_info }
    end

    # Redirect URI sent to LinkedIn, built from host, mount point and callback
    # path only. The request query string is deliberately not appended, so the
    # value stays identical to the URI registered with LinkedIn (presumably
    # needed for an exact redirect_uri match -- confirm against their docs).
    #
    # @return [String]
    def callback_url
      "#{full_host}#{script_name}#{callback_path}"
    end

    # Fetch (once per strategy instance) and parse the userinfo response,
    # authenticated with the access token obtained from the code exchange.
    #
    # @return [Hash] parsed userinfo claims
    def raw_info
      @raw_info ||= access_token.get(USERINFO_PATH).parsed
    end
  end

  # Provider name as registered with OmniAuth.
  #
  # @return [String]
  def name
    "linkedin_oidc"
  end

  # Whether the provider is switched on for this site.
  #
  # @return [Boolean] the +enable_linkedin_oidc_logins+ site setting
  def enabled?
    SiteSetting.enable_linkedin_oidc_logins
  end

  # Register the strategy with OmniAuth. The client credentials are read from
  # the site settings inside the +setup+ hook, i.e. at request time, rather
  # than captured once when the middleware is built.
  #
  # @param omniauth [OmniAuth::Builder]
  def register_middleware(omniauth)
    configure = ->(env) do
      strategy = env["omniauth.strategy"]
      strategy.options[:client_id] = SiteSetting.linkedin_oidc_client_id
      strategy.options[:client_secret] = SiteSetting.linkedin_oidc_client_secret
    end
    omniauth.provider(LinkedInOidc, setup: configure)
  end

  # LinkedIn doesn't let users login to websites unless they verify their e-mail
  # address, so whatever e-mail we get from LinkedIn must be verified.
  #
  # NOTE(review): this relies on LinkedIn's policy rather than on the response
  # itself. If the userinfo payload carries the standard OIDC +email_verified+
  # claim, reading it from the +raw_info+ exposed under +extra+ would be the
  # stricter check -- confirm against LinkedIn's userinfo response first.
  #
  # @param _auth_token [Hash] the OmniAuth auth hash (unused)
  # @return [true]
  def primary_email_verified?(_auth_token)
    true
  end
end