Unauthorized Scope Error

Created on 29 October 2024, 6 months ago

Problem/Motivation

The exact issue is I'm getting an "Unauthorized Scope Error" even after adding the "Sign In with LinkedIn using OpenID Connect" product to my app. If I try to log in with LinkedIn from Drupal I get:

https://domain/user/login/linkedin/callback?error=unauthorized_scope_err...

unauthorized_scope_error Scope "r_emailaddress" is not authorized for your application

From my reading around and my limited understanding, it seems like LinkedIn has 2 different "Sign in with LinkedIn" products. One that's now obsolete, and no longer available for people creating new Apps (but still available for people using it), and one that's the new one called "Sign In with LinkedIn using OpenID Connect". Curiously I've searched, with no luck, for other issues experiencing my error, but I have to assume not many people have created a new LinkedIn app lately and perhaps are still using the old obsolete one?

What I'm getting is that LinkedIn changed the scope strings; see https://stackoverflow.com/a/77342451, which confirms the issue I'm having.

Here are the Scopes I have listed on my LinkedIn app's page:

And definitely `r_emailaddress` or `r_liteprofile` are not there, which are the scopes this module is requesting.

It seems to me like this should be `email` and `profile` for the new apps.

I thought I'd be clever and manually changed the URL scopes to be `email` and `profile` instead, and the login form loads. But after following through the login, I get a different error after getting redirected to Drupal (presumably the login worked on LinkedIn side):

The website encountered an unexpected error. Try again later.

League\OAuth2\Client\Provider\Exception\LinkedInAccessDeniedException: Not enough permissions to access: me.GET.NO_VERSION in League\OAuth2\Client\Provider\LinkedIn->checkResponseUnauthorized() (line 183 of /var/www/html/vendor/league/oauth2-linkedin/src/Provider/LinkedIn.php).

League\OAuth2\Client\Provider\LinkedIn->checkResponse(Object, Array) (Line: 726)
League\OAuth2\Client\Provider\AbstractProvider->getParsedResponse(Object) (Line: 882)
League\OAuth2\Client\Provider\AbstractProvider->fetchResourceOwnerDetails(Object) (Line: 865)
League\OAuth2\Client\Provider\AbstractProvider->getResourceOwner(Object) (Line: 59)
Drupal\social_auth_linkedin\LinkedInAuthManager->getUserInfo() (Line: 306)
Drupal\social_auth\Controller\OAuth2ControllerBase->processCallback() (Line: 197)
Drupal\social_auth\Controller\OAuth2ControllerBase->callback(Object)
call_user_func_array(Array, Array) (Line: 123)
Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->Drupal\Core\EventSubscriber\{closure}() (Line: 638)
Drupal\Core\Render\Renderer->executeInRenderContext(Object, Object) (Line: 121)
Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->wrapControllerExecutionInRenderContext(Array, Array) (Line: 97)
Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->Drupal\Core\EventSubscriber\{closure}() (Line: 181)
Symfony\Component\HttpKernel\HttpKernel->handleRaw(Object, 1) (Line: 76)
Symfony\Component\HttpKernel\HttpKernel->handle(Object, 1, 1) (Line: 53)
Drupal\Core\StackMiddleware\Session->handle(Object, 1, 1) (Line: 48)
Drupal\Core\StackMiddleware\KernelPreHandle->handle(Object, 1, 1) (Line: 28)
Drupal\Core\StackMiddleware\ContentLength->handle(Object, 1, 1) (Line: 32)
Drupal\big_pipe\StackMiddleware\ContentLength->handle(Object, 1, 1) (Line: 106)
Drupal\page_cache\StackMiddleware\PageCache->pass(Object, 1, 1) (Line: 85)
Drupal\page_cache\StackMiddleware\PageCache->handle(Object, 1, 1) (Line: 48)
Drupal\Core\StackMiddleware\ReverseProxyMiddleware->handle(Object, 1, 1) (Line: 51)
Drupal\Core\StackMiddleware\NegotiationMiddleware->handle(Object, 1, 1) (Line: 36)
Drupal\Core\StackMiddleware\AjaxPageState->handle(Object, 1, 1) (Line: 51)
Drupal\Core\StackMiddleware\StackedHttpKernel->handle(Object, 1, 1) (Line: 741)
Drupal\Core\DrupalKernel->handle(Object) (Line: 19)

Steps to reproduce

1. Install the module
2. Create a new LinkedIn app
3. Add "Sign in with LinkedIn using OpenID Connect" product to your app
4. Configure Social Auth LinkedIn on Drupal (add client id/secret)
5. Try to log in

Expected result:
/user/login/linkedin redirects to LinkedIn and loads the login form, and after the user is authenticated on LinkedIn, the user is redirected back to Drupal and logged in to Drupal on redirect.

Actual result:
/user/login/linkedin redirects to a LinkedIn page that says "Bummer, something went wrong" and redirects back to Drupal after 5 seconds. Drupal throws an error after redirection:

BadMethodCallException: Required parameter not passed: "code" in League\OAuth2\Client\Grant\AbstractGrant->checkRequiredParameter() (line 35 of /var/www/html/vendor/league/oauth2-client/src/Tool/RequiredParameterTrait.php).

Proposed resolution

Perhaps some kind of radio/select to select the "Sign in with LinkedIn" product "version"?

Remaining tasks

User interface changes

API changes

Data model changes

πŸ› Bug report
Status

Active

Version

4.0

Component

Code

Created by

🇬🇧 United Kingdom Baysaa


Comments & Activities

  • Issue created by @Baysaa
  • 🇺🇸 United States wells Seattle, WA

    Thanks for flagging! I'm not able to take the time to address this at the moment, but would be happy to review and help with a PR.

    I think you're right that a toggle would be nice here so we don't have to cut a breaking version.

    The Social Auth Google module provides an example of adding additional config in the Social Auth module ecosystem: https://git.drupalcode.org/project/social_auth_google/-/blob/4.0.x/src/F...

    Then I think it would just be a matter of evaluating that config when setting the default scopes. I'm not sure if other changes will need to be made, though. https://git.drupalcode.org/project/social_auth_linkedin/-/blob/4.0.x/src...

  • First commit to issue fork.
  • 🇳🇱 Netherlands peem83

    The issue is that the "Sign In with LinkedIn" (OpenID Connect product) uses different scopes compared to the Community Management API, which provides more detailed information about users. To address this, I've created a patch that fixes the connection to OpenID and enables login via LinkedIn accounts.
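
Added example (not the module's code and not the patch mentioned above): selecting scopes per LinkedIn product, as the toggle discussed in this issue would, and checking the callback for an OAuth `error` parameter before looking for `code`, which is the condition behind the `BadMethodCallException` in the report. The function names, the `legacy`/`oidc` keys and the `openid` scope are assumptions; the sample query strings are constructed.

```php
<?php
// Added example: all names here are hypothetical, not social_auth_linkedin code.

const LINKEDIN_SCOPES = [
    // Legacy "Sign In with LinkedIn" product (scopes named in the issue).
    'legacy' => ['r_liteprofile', 'r_emailaddress'],
    // "Sign In with LinkedIn using OpenID Connect". 'openid' is required by
    // the OIDC spec; it is an assumption added to the two scopes in the issue.
    'oidc'   => ['openid', 'profile', 'email'],
];

function scopesForProduct(string $product): array
{
    if (!isset(LINKEDIN_SCOPES[$product])) {
        throw new InvalidArgumentException("Unknown LinkedIn product: $product");
    }
    return LINKEDIN_SCOPES[$product];
}

/** Classify the callback query before any token exchange is attempted. */
function classifyCallback(array $query, string $expectedState): array
{
    // Accept only scalar string parameters (rejects ?code[]=x style input).
    $get = fn(string $k): ?string => is_string($query[$k] ?? null) ? $query[$k] : null;

    // RFC 6749 section 4.1.2.1: an error response carries 'error', not 'code'.
    if ($get('error') !== null) {
        // Log the provider's text; show the user only a generic message.
        return ['status' => 'provider_error', 'error' => $get('error'),
                'detail' => $get('error_description') ?? ''];
    }
    // Constant-time comparison of the anti-CSRF state value.
    if ($get('state') === null || !hash_equals($expectedState, $get('state'))) {
        return ['status' => 'state_mismatch'];
    }
    if ($get('code') === null || $get('code') === '') {
        return ['status' => 'missing_code'];
    }
    return ['status' => 'ok', 'code' => $get('code')];
}

// Constructed sample input modelled on the error shown in the report.
parse_str('error=unauthorized_scope_error&error_description=Scope+%22r_emailaddress%22'
    . '+is+not+authorized+for+your+application&state=abc123', $failed);
print_r(classifyCallback($failed, 'abc123'));   // status: provider_error
print_r(classifyCallback(['code' => 'constructed-code', 'state' => 'abc123'], 'abc123'));
echo implode(' ', scopesForProduct('oidc')), PHP_EOL;
```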
