gotrue: "unauthorized_scope_error" for LinkedIn - Current LinkedIn OAuth method is deprecated: migrate to OIDC
Bug report
- I confirm this is a bug with Supabase, not with my own application.
- I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
When attempting to log in with LinkedIn on a new Supabase project, I get this error:
Here is the URL of the error page:
https://api.linkedin.com/oauth/v2/authorization?client_id=78l5s566gf425m&redirect_to=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F%3Ferror%3Dunauthorized_scope_error%26error_description%3DScope%2B%2526quot%253Br_emailaddress%2526quot%253B%2Bis%2Bnot%2Bauthorized%2Bfor%2Byour%2Bapplication%2F&redirect_uri=https%3A%2F%2Fdbtdfqgdpjdmqjuozvfn.supabase.co%2Fauth%2Fv1%2Fcallback&response_type=code&scope=r_emailaddress+r_liteprofile&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2OTE3NjAxNTIsInNpdGVfdXJsIjoiaHR0cHM6Ly9taW5kZnVsZGF0YWFpLmNvbS9hcHAiLCJpZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCIsImZ1bmN0aW9uX2hvb2tzIjpudWxsLCJwcm92aWRlciI6ImxpbmtlZGluIiwicmVmZXJyZXIiOiJodHRwczovL21pbmRmdWxkYXRhYWkuY29tL2FwcCIsImZsb3dfc3RhdGVfaWQiOiIifQ.HzKX4BvpLoNIycBomDeJPDohliL2ANnDZkR40hO2dHo
There does seem to be an error embedded in the URL: ‘unauthorized_scope_error: scope “r_emailaddress” is not authorized for your application.’
After some digging, I found that r_emailaddress is the scope you get through the now deprecated “Sign In with LinkedIn” product. From https://www.linkedin.com/pulse/how-get-signin-linkedin-work-taric-andrade/,
However, as Sign In with LinkedIn has been deprecated since Aug 1 2023, (deprecation notice), this option is no longer available to new app developers.
My app has the following products enabled with the following scopes:
To Reproduce
- Follow the steps for LinkedIn Auth from Log In with LinkedIn with a new LinkedIn app
- Request the scopes for “Sign In With LinkedIn using OpenID Connect”
- Attempt to log in with LinkedIn
- See error
Expected behavior
We should be able to log in with the scopes available to app developers.
Screenshots
See Additional Context.
System information
- OS: [e.g. macOS, Windows]
- Browser (if applies) [e.g. chrome, safari]
- Version of supabase-js: [e.g. 6.0.2]
- Version of Node.js: [e.g. 10.10.0]
Additional context
The code to login was pulled from the Log In with LinkedIn docs:
const { data, error } = await supabaseClient.auth.signInWithOAuth({
  provider,
});
Supabase seems to automatically attempt to request these scopes even though they are now impossible to get. https://github.com/supabase/gotrue/blob/4ff1fe058cfab418c445808004091e89dcf87124/internal/api/provider/linkedin.go#L78
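As an added example (not part of the original issue, and not Supabase or gotrue code), this Node.js snippet unpacks a failed authorization URL of the shape shown in the report: it lists the requested scopes, decodes the error nested inside `redirect_to`, and blanks `client_id` and `state` before the URL is shared. The sample URL, its placeholder values, the `LEGACY_SCOPES` set and the function names are constructed for illustration.

```javascript
// Added diagnostic example; not Supabase or gotrue code.
// Legacy scopes named in the issue (the set is an assumption; extend as needed).
const LEGACY_SCOPES = new Set(["r_emailaddress", "r_liteprofile"]);

// Constructed sample with the same shape as the URL in the report;
// client_id, the redirect_uri host and state are placeholders.
const SAMPLE =
  "https://api.linkedin.com/oauth/v2/authorization?client_id=EXAMPLE_CLIENT_ID" +
  "&redirect_to=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F%3Ferror%3Dunauthorized_scope_error" +
  "%26error_description%3DScope%2B%2526quot%253Br_emailaddress%2526quot%253B%2Bis%2Bnot" +
  "%2Bauthorized%2Bfor%2Byour%2Bapplication%2F" +
  "&redirect_uri=https%3A%2F%2Fproject-ref.example%2Fauth%2Fv1%2Fcallback" +
  "&response_type=code&scope=r_emailaddress+r_liteprofile&state=EXAMPLE_STATE";

// Decode one level of the HTML entities that appear in the error text.
// &amp; goes last so that "&amp;quot;" is not decoded twice.
function decodeEntities(s) {
  return s.replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

function diagnoseAuthUrl(raw) {
  const outer = new URL(raw); // throws on malformed input
  const scopes = (outer.searchParams.get("scope") || "").split(/\s+/).filter(Boolean);
  const result = {
    scopes,
    legacy: scopes.filter((s) => LEGACY_SCOPES.has(s)),
    error: null,
    description: null,
    redacted: null,
  };
  // In the sample, the provider's error sits inside redirect_to, itself a URL.
  const redirectTo = outer.searchParams.get("redirect_to");
  if (redirectTo) {
    try {
      const inner = new URL(redirectTo);
      result.error = inner.searchParams.get("error");
      const d = inner.searchParams.get("error_description");
      result.description = d === null ? null : decodeEntities(d);
    } catch {
      // redirect_to was not an absolute URL; leave the error fields null.
    }
  }
  // Blank the app identifier and the signed state before the URL is shared.
  for (const key of ["client_id", "state"]) {
    if (outer.searchParams.has(key)) outer.searchParams.set(key, "REDACTED");
  }
  result.redacted = outer.toString();
  return result;
}

console.log(diagnoseAuthUrl(SAMPLE));
```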
About this issue
- State: closed
- Created a year ago
- Reactions: 13
- Comments: 22 (6 by maintainers)
Commits related to this issue
- feat: add new Linkedin OIDC due to deprecated scopes for new linkedin applications (#1248) ## What kind of change does this PR introduce? This PR introduces a new linkedin provider to address issu... — committed to supabase/gotrue by josmo 9 months ago
- fix: use linkedin oidc endpoint (#1254) ## What kind of change does this PR introduce? * Add OIDC support for the linkedin provider as highlighted [here](https://learn.microsoft.com/en-us/linkedin/... — committed to supabase/gotrue by kangmingtay 9 months ago
hey everyone, @josmo has kindly contributed a fix for this and we’ve just reviewed and merged the changes! we’re looking at a rough timeline of 1-2 weeks before this is rolled out to all projects on the platform. There are a bunch of backward compatibility checks we need to iron out before this goes out to prevent existing apps using the old linkedin API from breaking.
thanks so much for everyone’s patience!
Hi @kangmingtay any eta on this being rolled out now it’s been 2 weeks?
Generally switching to OIDC shouldn’t be too hard. Some community help would be appreciated as the team won’t be able to pick this up too quickly.
hey @samducker and @meera and everyone else here, we’ve released the linkedin oidc provider to prod already - please check out the updated docs here
with supabase-js v2.38.2, you should be able to do the following to use the new linkedin provider