feat(connector): add linkedin connector (#7032)

Author: wangsijie

.changeset/thin-paws-yell.md

@@ -0,0 +1,5 @@
+---
+"@logto/connector-linkedin": minor
+---
+
+add LinkedIn social connector

packages/connectors/connector-linkedin/README.md

@@ -0,0 +1,61 @@
+# LinkedIn connector
+
+The official Logto connector for LinkedIn social sign-in.
+
+**Table of contents**
+- [LinkedIn connector](#linkedin-connector)
+  - [Get started](#get-started)
+  - [Setup a LinkedIn app](#setup-a-linkedin-app)
+  - [Configure your connector](#configure-your-connector)
+    - [Config types](#config-types)
+  - [Test LinkedIn connector](#test-linkedin-connector)
+  - [Reference](#reference)
+
+## Get started
+
+The LinkedIn connector enables end-users to sign in to your application using their own LinkedIn accounts via the LinkedIn OAuth 2.0 authentication protocol.
+
+## Setup a LinkedIn app
+
+Go to the [LinkedIn Developers](https://www.linkedin.com/developers) and sign in with your LinkedIn account. If you don’t have an account, you can register for one.
+
+Then, create an app.
+
+**Step 1:** Fill in the App Details.
+
+Complete the form and create the app.
+
+**Step 2:** Setup callback URLs.
+
+Go to App details page and find "Auth" tab, "OAuth 2.0" section and find the field "Authorized redirect URLs for your app".
+
+In our case, this will be `${your_logto_endpoint}/callback/${connector_id}`. e.g. `https://foo.logto.app/callback/${connector_id}`. The `connector_id` can be found on the top bar of the Logto Admin Console connector details page.
+
+**Step 3:** Add the product.
+
+Go to "Products" tab and add the product "Sign In with LinkedIn using OpenID Connect".
+
+## Configure your connector
+
+In your Logto connector configuration, fill out the following fields with the values obtained from your App's "Auth" tab, "Application credentials" section:
+
+- **clientId:** Your App's Client ID.
+- **clientSecret:** Your App's Primary Client Secret.
+
+`scope` is a space-delimited list of OIDC scopes. If not provided, the default scope is `openid profile email`.
+
+### Config types
+
+| Name         | Type   |
+| ------------ | ------ |
+| clientId     | string |
+| clientSecret | string |
+| scope        | string |
+
+## Test LinkedIn connector
+
+That's it! The LinkedIn connector should now be available for end-users to sign in with their LinkedIn accounts. Don't forget to [Enable the connector in the sign-in experience](https://docs.logto.io/docs/recipes/configure-connectors/social-connector/enable-social-sign-in/).
+
+## Reference
+
+- [Sign in with LinkedIn](https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin)

packages/connectors/connector-linkedin/logo.svg

@@ -0,0 +1,70 @@
+{
+  "name": "@logto/connector-linkedin",
+  "version": "0.0.0",
+  "description": "LinkedIn web connector implementation.",
+  "author": "Silverhand Inc. <contact@silverhand.io>",
+  "dependencies": {
+    "@logto/connector-kit": "workspace:^4.0.0",
+    "@silverhand/essentials": "^2.9.1",
+    "ky": "^1.2.3",
+    "query-string": "^9.0.0",
+    "snakecase-keys": "^8.0.1",
+    "zod": "^3.23.8"
+  },
+  "main": "./lib/index.js",
+  "module": "./lib/index.js",
+  "exports": "./lib/index.js",
+  "license": "MPL-2.0",
+  "type": "module",
+  "files": [
+    "lib",
+    "docs",
+    "logo.svg",
+    "logo-dark.svg"
+  ],
+  "scripts": {
+    "precommit": "lint-staged",
+    "check": "tsc --noEmit",
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "lint": "eslint --ext .ts src",
+    "lint:report": "pnpm lint --format json --output-file report.json",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
+    "prepublishOnly": "pnpm build"
+  },
+  "engines": {
+    "node": "^20.9.0"
+  },
+  "eslintConfig": {
+    "extends": "@silverhand",
+    "settings": {
+      "import/core-modules": [
+        "@silverhand/essentials",
+        "got",
+        "nock",
+        "snakecase-keys",
+        "zod"
+      ]
+    }
+  },
+  "prettier": "@silverhand/eslint-config/.prettierrc",
+  "publishConfig": {
+    "access": "public"
+  },
+  "devDependencies": {
+    "@silverhand/eslint-config": "6.0.1",
+    "@silverhand/ts-config": "6.0.0",
+    "@types/node": "^20.11.20",
+    "@types/supertest": "^6.0.2",
+    "@vitest/coverage-v8": "^2.1.8",
+    "eslint": "^8.56.0",
+    "lint-staged": "^15.0.2",
+    "nock": "14.0.0-beta.15",
+    "prettier": "^3.0.0",
+    "supertest": "^7.0.0",
+    "tsup": "^8.3.0",
+    "typescript": "^5.5.3",
+    "vitest": "^2.1.8"
+  }
+}

packages/connectors/connector-linkedin/package.json

@@ -0,0 +1,54 @@
+import type { ConnectorMetadata } from '@logto/connector-kit';
+import { ConnectorPlatform, ConnectorConfigFormItemType } from '@logto/connector-kit';
+
+// See https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin
+export const authorizationEndpoint = 'https://www.linkedin.com/oauth/v2/authorization';
+export const defaultScope = 'openid profile email';
+export const accessTokenEndpoint = 'https://www.linkedin.com/oauth/v2/accessToken';
+export const userInfoEndpoint = 'https://api.linkedin.com/v2/userinfo';
+
+export const defaultMetadata: ConnectorMetadata = {
+  id: 'linkedin-universal',
+  target: 'linkedin',
+  platform: ConnectorPlatform.Universal,
+  name: {
+    en: 'LinkedIn',
+    'zh-CN': 'LinkedIn',
+    'tr-TR': 'LinkedIn',
+    ko: 'LinkedIn',
+  },
+  logo: './logo.svg',
+  logoDark: null,
+  description: {
+    en: 'LinkedIn is a social media platform for professional networking and information sharing.',
+    'zh-CN': 'LinkedIn是一个职业社交和信息分享的社交媒体平台。',
+    'tr-TR':
+      'LinkedIn, profesyonel ağ oluşturma ve bilgi paylaşma için bir sosyal medya platformudur.',
+    ko: 'LinkedIn은 전문 네트워킹과 정보 공유를 위한 소셜 미디어 플랫폼입니다.',
+  },
+  readme: './README.md',
+  formItems: [
+    {
+      key: 'clientId',
+      type: ConnectorConfigFormItemType.Text,
+      label: 'Client ID',
+      required: true,
+    },
+    {
+      key: 'clientSecret',
+      type: ConnectorConfigFormItemType.Text,
+      label: 'Client Secret',
+      required: true,
+    },
+    {
+      key: 'scope',
+      type: ConnectorConfigFormItemType.Text,
+      label: 'Scope',
+      required: false,
+      description:
+        "The `scope` determines permissions granted by the user's authorization. If you are not sure what to enter, do not worry, just leave it blank.",
+    },
+  ],
+};
+
+export const defaultTimeout = 5000;

packages/connectors/connector-linkedin/src/constant.ts

@@ -0,0 +1,98 @@
+import nock from 'nock';
+
+import { accessTokenEndpoint, authorizationEndpoint, userInfoEndpoint } from './constant.js';
+import createConnector, { getAccessToken } from './index.js';
+import { mockedConfig } from './mock.js';
+
+const getConfig = vi.fn().mockResolvedValue(mockedConfig);
+const setSession = vi.fn();
+const getSession = vi.fn().mockResolvedValue({
+  redirectUri: 'http://localhost:3000/callback',
+});
+
+describe('getAuthorizationUri', () => {
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it('should get a valid uri by redirectUri and state', async () => {
+    const connector = await createConnector({ getConfig });
+    const authorizationUri = await connector.getAuthorizationUri(
+      {
+        state: 'some_state',
+        redirectUri: 'http://localhost:3000/callback',
+        connectorId: 'some_connector_id',
+        connectorFactoryId: 'some_connector_factory_id',
+        jti: 'some_jti',
+        headers: {},
+      },
+      setSession
+    );
+    expect(setSession).toHaveBeenCalledWith({
+      redirectUri: 'http://localhost:3000/callback',
+    });
+    expect(authorizationUri).toEqual(
+      `${authorizationEndpoint}?response_type=code&client_id=%3Cclient-id%3E&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&scope=openid+profile+email&state=some_state`
+    );
+  });
+});
+
+describe('getAccessToken', () => {
+  afterEach(() => {
+    nock.cleanAll();
+    vi.clearAllMocks();
+  });
+
+  it('should get an accessToken by exchanging with code', async () => {
+    nock(accessTokenEndpoint).post('').reply(200, {
+      access_token: 'access_token',
+    });
+    const { access_token } = await getAccessToken(mockedConfig, 'code', 'redirectUri');
+    expect(access_token).toEqual('access_token');
+  });
+});
+
+describe('getUserInfo', () => {
+  beforeEach(() => {
+    nock(accessTokenEndpoint).post('').query(true).reply(200, {
+      access_token: 'access_token',
+    });
+  });
+
+  afterEach(() => {
+    nock.cleanAll();
+    vi.clearAllMocks();
+  });
+
+  it('should get valid SocialUserInfo', async () => {
+    nock(userInfoEndpoint).get('').reply(200, {
+      sub: '1',
+      name: 'monalisa',
+      email: 'monalisa@example.com',
+      picture: 'https://example.com/picture.jpg',
+    });
+    const connector = await createConnector({ getConfig });
+    const socialUserInfo = await connector.getUserInfo(
+      { code: 'code', redirectUri: 'http://localhost:3000/callback' },
+      getSession
+    );
+    expect(socialUserInfo).toStrictEqual({
+      id: '1',
+      name: 'monalisa',
+      email: 'monalisa@example.com',
+      picture: 'https://example.com/picture.jpg',
+      rawData: {
+        sub: '1',
+        name: 'monalisa',
+        email: 'monalisa@example.com',
+        picture: 'https://example.com/picture.jpg',
+      },
+    });
+  });
+
+  it('throws unrecognized error', async () => {
+    nock(userInfoEndpoint).get('').reply(500);
+    const connector = await createConnector({ getConfig });
+    await expect(connector.getUserInfo({ code: 'code' }, vi.fn())).rejects.toThrow();
+  });
+});

packages/connectors/connector-linkedin/src/index.test.ts

@@ -0,0 +1,146 @@
+import { conditional } from '@silverhand/essentials';
+
+import {
+  ConnectorError,
+  ConnectorErrorCodes,
+  validateConfig,
+  ConnectorType,
+  jsonGuard,
+} from '@logto/connector-kit';
+import type {
+  GetAuthorizationUri,
+  GetUserInfo,
+  SocialConnector,
+  CreateConnector,
+  GetConnectorConfig,
+} from '@logto/connector-kit';
+import ky, { HTTPError } from 'ky';
+
+import {
+  authorizationEndpoint,
+  accessTokenEndpoint,
+  defaultMetadata,
+  defaultTimeout,
+  defaultScope,
+  userInfoEndpoint,
+} from './constant.js';
+import type { LinkedInConfig } from './types.js';
+import {
+  linkedInConfigGuard,
+  userInfoResponseGuard,
+  authResponseGuard,
+  accessTokenResponseGuard,
+} from './types.js';
+
+const getAuthorizationUri =
+  (getConfig: GetConnectorConfig): GetAuthorizationUri =>
+  async ({ state, redirectUri }, setSession) => {
+    const config = await getConfig(defaultMetadata.id);
+    validateConfig(config, linkedInConfigGuard);
+
+    await setSession({ redirectUri });
+
+    const queryParams = new URLSearchParams({
+      response_type: 'code',
+      client_id: config.clientId,
+      redirect_uri: redirectUri,
+      scope: config.scope ?? defaultScope,
+      state,
+    });
+
+    return `${authorizationEndpoint}?${queryParams.toString()}`;
+  };
+
+export const getAccessToken = async (config: LinkedInConfig, code: string, redirectUri: string) => {
+  const response = await ky
+    .post(accessTokenEndpoint, {
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+      body: new URLSearchParams({
+        grant_type: 'authorization_code',
+        code,
+        redirect_uri: redirectUri,
+        client_id: config.clientId,
+        client_secret: config.clientSecret,
+      }).toString(),
+      timeout: defaultTimeout,
+    })
+    .json();
+
+  return accessTokenResponseGuard.parse(response);
+};
+
+const getUserInfo =
+  (getConfig: GetConnectorConfig): GetUserInfo =>
+  async (data, getSession) => {
+    const config = await getConfig(defaultMetadata.id);
+    validateConfig(config, linkedInConfigGuard);
+
+    const authResponseResult = authResponseGuard.safeParse(data);
+
+    if (!authResponseResult.success) {
+      throw new ConnectorError(ConnectorErrorCodes.General, JSON.stringify(data));
+    }
+
+    const { code } = authResponseResult.data;
+    const { redirectUri } = await getSession();
+
+    if (!redirectUri) {
+      throw new ConnectorError(ConnectorErrorCodes.General, {
+        message: 'Cannot find `redirectUri` from connector session.',
+      });
+    }
+
+    try {
+      const { access_token } = await getAccessToken(config, code, redirectUri);
+
+      const userInfo = await ky
+        .get(userInfoEndpoint, {
+          headers: {
+            Authorization: `Bearer ${access_token}`,
+          },
+          timeout: defaultTimeout,
+        })
+        .json();
+      const userInfoResult = userInfoResponseGuard.safeParse(userInfo);
+
+      if (!userInfoResult.success) {
+        throw new ConnectorError(ConnectorErrorCodes.InvalidResponse, userInfoResult.error);
+      }
+
+      const { sub, name, email, picture } = userInfoResult.data;
+
+      return {
+        id: sub,
+        name: conditional(name),
+        email: conditional(email),
+        picture: conditional(picture),
+        rawData: jsonGuard.parse(userInfo),
+      };
+    } catch (error: unknown) {
+      if (error instanceof HTTPError) {
+        const { status, body: rawBody } = error.response;
+
+        if (status === 401) {
+          throw new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid);
+        }
+
+        throw new ConnectorError(ConnectorErrorCodes.General, JSON.stringify(rawBody));
+      }
+
+      throw error;
+    }
+  };
+
+const createLinkedInConnector: CreateConnector<SocialConnector> = async ({ getConfig }) => {
+  return {
+    metadata: defaultMetadata,
+    type: ConnectorType.Social,
+    configGuard: linkedInConfigGuard,
+    getAuthorizationUri: getAuthorizationUri(getConfig),
+    getUserInfo: getUserInfo(getConfig),
+  };
+};
+
+export default createLinkedInConnector;

packages/connectors/connector-linkedin/src/index.ts

@@ -0,0 +1,4 @@
+export const mockedConfig = {
+  clientId: '<client-id>',
+  clientSecret: '<client-secret>',
+};

packages/connectors/connector-linkedin/src/mock.ts

@@ -0,0 +1,26 @@
+import { z } from 'zod';
+
+export const linkedInConfigGuard = z.object({
+  clientId: z.string(),
+  clientSecret: z.string(),
+  scope: z.string().optional(),
+});
+
+export type LinkedInConfig = z.infer<typeof linkedInConfigGuard>;
+
+export const userInfoResponseGuard = z.object({
+  sub: z.string(),
+  name: z.string().nullish(),
+  email: z.string().nullish(),
+  picture: z.string().nullish(),
+});
+
+export type UserInfoResponse = z.infer<typeof userInfoResponseGuard>;
+
+export const authResponseGuard = z.object({
+  code: z.string(),
+});
+
+export const accessTokenResponseGuard = z.object({
+  access_token: z.string(),
+});

packages/connectors/connector-linkedin/src/types.ts

@@ -0,0 +1,12 @@
+import crypto from 'node:crypto';
+
+export const generateCodeVerifier = () => {
+  const buffer = crypto.randomBytes(32);
+  return buffer.toString('base64url');
+};
+
+export const generateCodeChallenge = (verifier: string) => {
+  const hash = crypto.createHash('sha256');
+  hash.update(verifier);
+  return hash.digest('base64url');
+};