Tricky github->linkedin changes

Author: plumdog

src/config.js

@@ -5,6 +5,7 @@ module.exports = {
   LINKEDIN_API_URL: process.env.LINKEDIN_API_URL,
   LINKEDIN_LOGIN_URL: process.env.LINKEDIN_LOGIN_URL,
   PORT: parseInt(process.env.PORT, 10) || undefined,
+  LINKEDIN_SCOPE: process.env.LINKEDIN_SCOPE,
 
   // Splunk logging variables
   SPLUNK_URL: process.env.SPLUNK_URL,

src/connectors/logger.js

@@ -39,7 +39,6 @@ if (SPLUNK_URL) {
     new winston.transports.Console({
       format: winston.format.combine(
         winston.format.splat(),
-        winston.format.colorize({ all: true }),
         winston.format.simple()
       )
     })

src/connectors/web/handlers.js

@@ -15,7 +15,7 @@ module.exports = {
   jwks: (req, res) => controllers(responder(res)).jwks(),
   authorize: (req, res) =>
     responder(res).redirect(
-      `https://github.com/login/oauth/authorize?client_id=${
+      `https://www.linkedin.com/oauth/v2/authorization?client_id=${
         req.query.client_id
       }&scope=${req.query.scope}&state=${req.query.state}&response_type=${
         req.query.response_type

src/linkedin.js

@@ -1,29 +1,31 @@
 const axios = require('axios');
+const qs = require('qs');
 const {
-  GITHUB_CLIENT_ID,
-  GITHUB_CLIENT_SECRET,
+  LINKEDIN_CLIENT_ID,
+  LINKEDIN_CLIENT_SECRET,
   COGNITO_REDIRECT_URI,
-  GITHUB_API_URL,
-  GITHUB_LOGIN_URL
+  LINKEDIN_API_URL,
+  LINKEDIN_LOGIN_URL,
+  LINKEDIN_SCOPE,
 } = require('./config');
 const logger = require('./connectors/logger');
 
 const getApiEndpoints = (
-  apiBaseUrl = GITHUB_API_URL,
-  loginBaseUrl = GITHUB_LOGIN_URL
+  apiBaseUrl = LINKEDIN_API_URL,
+  loginBaseUrl = LINKEDIN_LOGIN_URL
 ) => ({
-  userDetails: `${apiBaseUrl}/user`,
-  userEmails: `${apiBaseUrl}/user/emails`,
-  oauthToken: `${loginBaseUrl}/login/oauth/access_token`,
-  oauthAuthorize: `${loginBaseUrl}/login/oauth/authorize`
+  userDetails: `${apiBaseUrl}/v2/me`,
+  userEmails: `${apiBaseUrl}/v2/clientAwareMemberHandles?q=members&projection=(elements*(primary,type,handle~))`,
+  oauthToken: `${apiBaseUrl}/oauth/v2/accessToken`,
+  oauthAuthorize: `${loginBaseUrl}/oauth/v2/authorization`,
 });
 
 const check = response => {
   logger.debug('Checking response: %j', response, {});
   if (response.data) {
     if (response.data.error) {
       throw new Error(
-        `GitHub API responded with a failure: ${response.data.error}, ${
+        `LinkedIn API responded with a failure: ${response.data.error}, ${
           response.data.error_description
         }`
       );
@@ -32,42 +34,42 @@ const check = response => {
     }
   }
   throw new Error(
-    `GitHub API responded with a failure: ${response.status} (${
+    `LinkedIn API responded with a failure: ${response.status} (${
       response.statusText
     })`
   );
 };
 
-const gitHubGet = (url, accessToken) =>
+const linkedinGet = (url, accessToken) =>
   axios({
     method: 'get',
     url,
     headers: {
-      Accept: 'application/vnd.github.v3+json',
-      Authorization: `token ${accessToken}`
+      Authorization: `Bearer ${accessToken}`
     }
   });
 
 module.exports = (apiBaseUrl, loginBaseUrl) => {
   const urls = getApiEndpoints(apiBaseUrl, loginBaseUrl || apiBaseUrl);
   return {
-    getAuthorizeUrl: (client_id, scope, state, response_type) =>
-      `${urls.oauthAuthorize}?client_id=${client_id}&scope=${encodeURIComponent(
-        scope
-      )}&state=${state}&response_type=${response_type}`,
+    getAuthorizeUrl: (client_id, scope, state, response_type) => {
+      const scopesToSend = scope.split(' ').filter(s => s !== 'openid').join(' ');
+      return `${urls.oauthAuthorize}?client_id=${client_id}&scope=${encodeURIComponent(
+        scopesToSend
+      )}&state=${state}&response_type=${response_type}&redirect_uri=${COGNITO_REDIRECT_URI}`;
+    },
     getUserDetails: accessToken =>
-      gitHubGet(urls.userDetails, accessToken).then(check),
+      linkedinGet(urls.userDetails, accessToken).then(check),
     getUserEmails: accessToken =>
-      gitHubGet(urls.userEmails, accessToken).then(check),
+      linkedinGet(urls.userEmails, accessToken).then(check),
     getToken: (code, state) => {
       const data = {
         // OAuth required fields
         grant_type: 'authorization_code',
         redirect_uri: COGNITO_REDIRECT_URI,
-        client_id: GITHUB_CLIENT_ID,
-        // GitHub Specific
+        client_id: LINKEDIN_CLIENT_ID,
         response_type: 'code',
-        client_secret: GITHUB_CLIENT_SECRET,
+        client_secret: LINKEDIN_CLIENT_SECRET,
         code,
         // State may not be present, so we conditionally include it
         ...(state && { state })
@@ -79,15 +81,22 @@ module.exports = (apiBaseUrl, loginBaseUrl) => {
         data,
         {}
       );
-      return axios({
-        method: 'post',
-        url: urls.oauthToken,
-        headers: {
-          Accept: 'application/json',
-          'Content-Type': 'application/json'
-        },
-        data
-      }).then(check);
+      return axios.post(
+        urls.oauthToken,
+        qs.stringify(data),
+        {
+          headers: {
+            Accept: 'application/json',
+            // 'Content-Type': 'application/json'
+          },
+        }
+      ).then(check)
+        .then(data => {
+          // Because LinkedIn doesn't return the scopes
+          data.scope = LINKEDIN_SCOPE;
+          data.token_type = 'bearer';
+          return data;
+        })
     }
   };
 };

src/openid.js

@@ -1,46 +1,40 @@
 const logger = require('./connectors/logger');
 const { NumericDate } = require('./helpers');
 const crypto = require('./crypto');
-const github = require('./linkedin');
+const linkedin = require('./linkedin');
 
 const getJwks = () => ({ keys: [crypto.getPublicKey()] });
 
 const getUserInfo = accessToken =>
   Promise.all([
-    github()
+    linkedin()
       .getUserDetails(accessToken)
       .then(userDetails => {
         logger.debug('Fetched user details: %j', userDetails, {});
-        // Here we map the github user response to the standard claims from
+        // Here we map the linkedin user response to the standard claims from
         // OpenID. The mapping was constructed by following
-        // https://developer.github.com/v3/users/
-        // and http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
+        // https://docs.microsoft.com/en-us/linkedin/shared/integrations/people/profile-api?context=linkedin/consumer/context
+        // and
+        // https://docs.microsoft.com/en-us/linkedin/shared/references/v2/profile/lite-profile
         const claims = {
           sub: `${userDetails.id}`, // OpenID requires a string
-          name: userDetails.name,
-          preferred_username: userDetails.login,
-          profile: userDetails.html_url,
-          picture: userDetails.avatar_url,
-          website: userDetails.blog,
-          updated_at: NumericDate(
-            // OpenID requires the seconds since epoch in UTC
-            new Date(Date.parse(userDetails.updated_at))
-          )
+          name: `${userDetails.firstName.localized} ${userDetails.lastName.localized}`,
         };
         logger.debug('Resolved claims: %j', claims, {});
         return claims;
       }),
-    github()
+    linkedin()
       .getUserEmails(accessToken)
       .then(userEmails => {
         logger.debug('Fetched user emails: %j', userEmails, {});
-        const primaryEmail = userEmails.find(email => email.primary);
+        const primaryEmail = userEmails.elements.find(email => email.primary && (email.type === 'EMAIL'));
         if (primaryEmail === undefined) {
           throw new Error('User did not have a primary email address');
         }
+        const emailAddress = primaryEmail['handle~'].emailAddress;
         const claims = {
-          email: primaryEmail.email,
-          email_verified: primaryEmail.verified
+          email: emailAddress,
+          email_verified: true,
         };
         logger.debug('Resolved claims: %j', claims, {});
         return claims;
@@ -55,23 +49,16 @@ const getUserInfo = accessToken =>
   });
 
 const getAuthorizeUrl = (client_id, scope, state, response_type) =>
-  github().getAuthorizeUrl(client_id, scope, state, response_type);
+  linkedin().getAuthorizeUrl(client_id, scope, state, response_type);
 
 const getTokens = (code, state, host) =>
-  github()
+  linkedin()
     .getToken(code, state)
-    .then(githubToken => {
-      logger.debug('Got token: %s', githubToken, {});
-      // GitHub returns scopes separated by commas
-      // But OAuth wants them to be spaces
-      // https://tools.ietf.org/html/rfc6749#section-5.1
-      // Also, we need to add openid as a scope,
-      // since GitHub will have stripped it
-      const scope = `openid ${githubToken.scope.replace(',', ' ')}`;
-
+    .then(linkedinToken => {
+      logger.debug('Got token: %s', linkedinToken, {});
       // ** JWT ID Token required fields **
       // iss - issuer https url
-      // aud - audience that this token is valid for (GITHUB_CLIENT_ID)
+      // aud - audience that this token is valid for (LINKEDIN_CLIENT_ID)
       // sub - subject identifier - must be unique
       // ** Also required, but provided by jsonwebtoken **
       // exp - expiry time for the id token (seconds since epoch in UTC)
@@ -87,8 +74,7 @@ const getTokens = (code, state, host) =>
 
         const idToken = crypto.makeIdToken(payload, host);
         const tokenResponse = {
-          ...githubToken,
-          scope,
+          ...linkedinToken,
           id_token: idToken
         };
 
@@ -128,15 +114,8 @@ const getConfigFor = host => ({
   claims_supported: [
     'sub',
     'name',
-    'preferred_username',
-    'profile',
-    'picture',
-    'website',
     'email',
     'email_verified',
-    'updated_at',
-    'iss',
-    'aud'
   ]
 });