badgateway / oauth2-client

OAuth2 client for Node and browsers
https://www.npmjs.com/package/@badgateway/oauth2-client
MIT License

Linkedin API: Missing client_secret upon redirect #141

Closed ericleib closed 2 months ago

ericleib commented 2 months ago

I am having trouble using the library to connect to the LinkedIn API. I am using the authorization_code flow, and it fails upon handling the redirection.

I am calling client.authorizationCode.getToken({code, redirectUri, state}) and getting the error from the server:

OAuth2 error invalid_request. A required parameter "client_secret" is missing

The LinkedIn documentation does mention that the client_secret (and client_id) are required: https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin%2Fconsumer%2Fcontext&tabs=HTTPS1#step-2-request-an-authorization-code

I just want to know whether the issue is with LinkedIn not following the standard, or if this could be an extra option to add to the library (e.g. add options like includeClientSecret to GetTokenParams?), in which case I would do a PR.

evert commented 2 months ago

Hi @ericleib, the client will send the client_secret to the token endpoint if you supplied it when creating the client.

There are, however, two ways to pass both the client_id and client_secret. The client defaults to the recommended way, but from the looks of their documentation it seems LinkedIn wants them supplied in the body.

You can try setting the authenticationMethod to client_secret_post.

ericleib commented 2 months ago

Thank you for your fast answer, that did the trick!

I misunderstood the purpose of this parameter, but now it's clear. Closing the issue.

evert commented 2 months ago

I wonder if there's something I can change to the docs to make it a bit more clear. What did you think it was for?

ericleib commented 2 months ago

I think I just didn't realize that there were multiple possible authentication methods when calling the token endpoint, and I dismissed the parameter as something required for a different flow.

I was also a bit confused by this comment above clientSecret:

This is required when using the 'client_secret_basic' authenticationMethod for the client_credentials and password flows, but not authorization_code or implicit.

In my case I am using the authorization_code flow, and so initially I thought I didn't need the clientSecret at all, even though it is needed for the last leg of the flow.
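To make the two client authentication methods discussed in this thread concrete (evert's suggestion to switch to client_secret_post, and the point above that the authorization_code flow still needs the secret at the token-endpoint leg), here is an added example that is not part of the issue, the LinkedIn documentation, or the @badgateway/oauth2-client code base. It builds the token request for the authorization_code grant with each method, and includes a small simulated server that only reads credentials from the form body, which reproduces the "client_secret is missing" rejection seen in the original report. All endpoint, client and code values are constructed placeholders.

```javascript
// Added example (not the library's code): how the client_secret reaches the
// token endpoint under client_secret_basic versus client_secret_post.
// Only a confidential (server-side) client should ever hold clientSecret;
// browser-side code must not ship it, whichever method is used.

// Constructed placeholder values; none of these are real credentials.
const SAMPLE = {
  tokenEndpoint: 'https://provider.example.test/oauth/v2/accessToken',
  clientId: 'sample-client-id',
  clientSecret: 'sample-client-secret',
  code: 'sample-authorization-code',
  redirectUri: 'https://app.example.test/callback',
};

// Build the HTTP request for the last leg of the authorization_code flow.
// The grant parameters are identical for both methods; only the placement of
// client_id / client_secret differs.
function buildTokenRequest(opts, authenticationMethod = 'client_secret_basic') {
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  const form = new URLSearchParams({
    grant_type: 'authorization_code',
    code: opts.code,
    redirect_uri: opts.redirectUri,
  });

  switch (authenticationMethod) {
    case 'client_secret_basic':
      // RFC 6749 section 2.3.1: HTTP Basic auth, with id and secret each
      // form-urlencoded before being joined with ':' and base64-encoded.
      headers.Authorization = 'Basic ' + Buffer.from(
        `${encodeURIComponent(opts.clientId)}:${encodeURIComponent(opts.clientSecret)}`
      ).toString('base64');
      break;
    case 'client_secret_post':
      // Credentials travel in the form body alongside the grant parameters.
      form.set('client_id', opts.clientId);
      form.set('client_secret', opts.clientSecret);
      break;
    default:
      throw new Error(`unsupported authenticationMethod: ${authenticationMethod}`);
  }

  return { method: 'POST', url: opts.tokenEndpoint, headers, body: form.toString() };
}

// Simulated token endpoint that, like the provider in this thread appears to,
// looks for the client credentials only in the request body and ignores the
// Authorization header. Constructed for illustration; not a real server.
function simulateBodyOnlyServer(request) {
  const params = new URLSearchParams(request.body);
  if (!params.get('client_secret')) {
    return {
      error: 'invalid_request',
      error_description: 'A required parameter "client_secret" is missing',
    };
  }
  if (params.get('client_id') !== SAMPLE.clientId ||
      params.get('client_secret') !== SAMPLE.clientSecret) {
    return { error: 'invalid_client' };
  }
  return { access_token: 'sample-access-token', token_type: 'Bearer' };
}

// Run both variants against the simulated server to see why the default
// method fails there and the body-based one succeeds.
for (const method of ['client_secret_basic', 'client_secret_post']) {
  const request = buildTokenRequest(SAMPLE, method);
  console.log(method, '->', JSON.stringify(simulateBodyOnlyServer(request)));
}
```

The defaulting to client_secret_basic mirrors the standard's recommendation; when a provider's reference documentation shows client_id and client_secret as body fields of the token request, that is the signal to choose client_secret_post instead. A quick way to confirm which one a provider expects is to log the outgoing request (with the secret redacted) and compare it against the provider's documented example before assuming the client is dropping the parameter.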

evert commented 2 months ago

Ah, makes sense! Thanks for the background.