firebasefirebase-authenticationopenid-connectlinkedin-api

Sign In with LinkedIn using OpenID Connect with Firebase Auth or GCP Identity Platform

Sign In with LinkedIn was deprecated on beginning of this month and can't be added as a product on new LinkedIn apps anymore. Instead Sign In with LinkedIn using OpenID Connect should be used according to the Microsoft docs.

I'm trying to set this up with a Firebase Auth (backed by GCP Identity Platform) to allow users to Login with LinkedIn on a new app. So far so good, since Firebase Auth does also support OIDC. However, there is an issue in the configuration, that I can't seem to overcome:

Firebase Auth OpenID Connect requires openid-configuration to be hosted at %issuer%/.well-known/openid-configuration (see here). However, LinkedIn OIDC hosts the config file at https://www.linkedin.com/oauth/.well-known/openid-configuration (%issuer%/oauth/.well-known/openid-configuration) which seems to make authenticate with LinkedIn incompatible with Firebase Auth and GCP Identity Plattform even though both support OIDC and therefore it seems that new LinkedIn apps cannot be used with Firebase Auth.

Any idea how to use Sign In with LinkedIn OIDC with Firebase Auth or GCP Identity Platform or anything that I'm missing to make "Login with LinkedIn" work with Firebase Auth again?

EDIT: According to the OpenID Connect specification, it seems that LinkedIn's implementation of opened-configuration is not up to the specs, since it should be hosted at %issuer%/.well-known/openid-configuration: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

Solution

  • Firebase docs say:

    This value must be a URL that, when appended with /.well-known/openid-configuration, is the location of the provider's OIDC discovery document.

    so it should be sufficient to just use https://www.linkedin.com/oauth as the issuer URL.

    When I try that however, both signInWithRedirect and signInWithPopup fail silently and redirect back to the previous page or close the popup window silently with no errors.

    Inspecting the response, I get the error INVALID_IDP_RESPONSE : `issuer` claim in OIDC discovery document does not match the issuer specified in the request.

    That's most likely indeed due to the fact that the /.well-known/openid-configuration file contains issuer: "https://www.linkedin.com" rather than issuer: "https://www.linkedin.com/oauth".