mirror of
https://github.com/discourse/discourse.git
synced 2025-01-12 02:13:47 +08:00
9e31135eca
LinkedIn has grandfathered its old OAuth2 provider. This can only be used by existing apps. New apps have to use the new OIDC provider. This PR adds a linkedin_oidc provider to core. This will exist alongside the discourse-linkedin-auth plugin, which will be kept for those still using the deprecated provider.
68 lines
1.7 KiB
Ruby
68 lines
1.7 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class Auth::LinkedInOidcAuthenticator < Auth::ManagedAuthenticator
|
|
class LinkedInOidc < OmniAuth::Strategies::OAuth2
|
|
option :name, "linkedin_oidc"
|
|
|
|
option :client_options,
|
|
{
|
|
site: "https://api.linkedin.com",
|
|
authorize_url: "https://www.linkedin.com/oauth/v2/authorization?response_type=code",
|
|
token_url: "https://www.linkedin.com/oauth/v2/accessToken",
|
|
}
|
|
|
|
option :scope, "openid profile email"
|
|
|
|
uid { raw_info["sub"] }
|
|
|
|
info do
|
|
{
|
|
email: raw_info["email"],
|
|
first_name: raw_info["given_name"],
|
|
last_name: raw_info["family_name"],
|
|
image: raw_info["picture"],
|
|
}
|
|
end
|
|
|
|
extra { { "raw_info" => raw_info } }
|
|
|
|
def callback_url
|
|
full_host + script_name + callback_path
|
|
end
|
|
|
|
def raw_info
|
|
@raw_info ||= access_token.get(profile_endpoint).parsed
|
|
end
|
|
|
|
private
|
|
|
|
def profile_endpoint
|
|
"/v2/userinfo"
|
|
end
|
|
end
|
|
|
|
def name
|
|
"linkedin_oidc"
|
|
end
|
|
|
|
def enabled?
|
|
SiteSetting.enable_linkedin_oidc_logins
|
|
end
|
|
|
|
def register_middleware(omniauth)
|
|
omniauth.provider LinkedInOidc,
|
|
setup:
|
|
lambda { |env|
|
|
strategy = env["omniauth.strategy"]
|
|
strategy.options[:client_id] = SiteSetting.linkedin_oidc_client_id
|
|
strategy.options[:client_secret] = SiteSetting.linkedin_oidc_client_secret
|
|
}
|
|
end
|
|
|
|
# LinkedIn doesn't let users login to websites unless they verify their e-mail
|
|
# address, so whatever e-mail we get from LinkedIn must be verified.
|
|
def primary_email_verified?(_auth_token)
|
|
true
|
|
end
|
|
end
|