LinkedIn Authentication
This guide explains how to set up LinkedIn OAuth authentication for the Zero Kelvin application.
Prerequisites
- A LinkedIn account
- Access to LinkedIn Developers
Step 1: Create a LinkedIn App
- Go to LinkedIn Developers
- Click Create App
- Fill in the app details:
- App name: Zero Kelvin
- LinkedIn Page: Select or create a LinkedIn Company Page for your app
- Privacy policy URL: Your privacy policy URL
- App logo: Upload your app logo
- Check the legal agreement and click Create app
Step 2: Request API Products
- In your app dashboard, go to the Products tab
- Request access to Sign In with LinkedIn using OpenID Connect
- Review and agree to the terms
- Wait for approval (usually instant for OpenID Connect)
Step 3: Configure OAuth 2.0 Settings
- Go to the Auth tab
- Under OAuth 2.0 settings, add Authorized redirect URLs:
http://localhost:3000/api/auth/callback/linkedin(for development)- Your production callback URL (e.g.,
https://example.com/api/auth/callback/linkedin)
- Click Update
Step 4: Get Your App Credentials
- On the Auth tab, you'll find:
- Client ID: Your app's Client ID
- Primary Client Secret: Click the eye icon to reveal (or generate if none exists)
- Copy both values
Step 5: Configure Environment Variables
Add the following to your .env.local file:
AUTH_LINKEDIN_ID="your-client-id"
AUTH_LINKEDIN_SECRET="your-client-secret"
Step 6: Test the Integration
- Start the development server:
nx dev web
- Navigate to
http://localhost:3000 - Click the Sign In button
- Select Continue with LinkedIn
OpenID Connect Scopes
The default LinkedIn provider uses OpenID Connect with these scopes:
openid- Required for OpenID Connectprofile- User's name and profile pictureemail- User's email address
To customize scopes:
LinkedIn({
clientId: process.env.AUTH_LINKEDIN_ID,
clientSecret: process.env.AUTH_LINKEDIN_SECRET,
authorization: {
params: {
scope: "openid profile email",
},
},
}),
User Profile Data
LinkedIn returns the following user data:
{
sub: "string", // Unique LinkedIn member ID
name: "string", // Full name
given_name: "string", // First name
family_name: "string", // Last name
picture: "string", // Profile picture URL
email: "string", // Email address
email_verified: boolean,
}
Company Page Requirement
LinkedIn requires your app to be associated with a LinkedIn Company Page. If you don't have one:
- Go to LinkedIn Company Pages
- Create a new company page
- Return to the app creation process and select your new page
Development vs Production
Development Mode
- Your app works in development mode by default
- Anyone with a LinkedIn account can test it
Verification (Optional)
For enhanced features and higher rate limits:
- Go to Settings > Verify
- Follow the verification process
- This is optional for basic sign-in functionality
Troubleshooting
"Invalid redirect_uri"
- The redirect URI must exactly match what's configured in LinkedIn
- Check for trailing slashes
- Ensure the protocol matches (http for localhost, https for production)
"Invalid client_id or client_secret"
- Double-check your credentials
- Client secrets can expire - generate a new one if needed
"Application is restricted"
- Your app might need additional API products
- Request "Sign In with LinkedIn using OpenID Connect" in the Products tab
User email not returned
- Ensure the
emailscope is requested - Some LinkedIn accounts may not have a verified email
- Handle cases where email is
null
Profile picture not available
- Not all LinkedIn users have a profile picture
- The
picturefield may benullor an empty string - Fall back to a default avatar or Gravatar
Security Best Practices
- Protect your Client Secret: Never expose it in client-side code
- Validate the ID Token: Auth.js handles this automatically
- Use HTTPS in production: Required for OAuth callbacks
- Regularly rotate secrets: Generate new client secrets periodically
Rate Limits
LinkedIn API has rate limits:
- Application-level: 100,000 requests per day
- Member-level: 500 requests per day per member
For most authentication use cases, you won't hit these limits.