Merge pull request #2039 from d9beuD/master

XWB · web-flow · commit b926c6608265 · 2025-02-28T00:08:49.000+01:00
Add new LinkedIn OpenID resource
diff --git a/docs/2-configuring_resource_owners.md b/docs/2-configuring_resource_owners.md
@@ -60,7 +60,8 @@ hwi_oauth:
 - [itembase](resource_owners/itembase.md)
 - [Jira](resource_owners/jira.md)
 - [Keycloak](resource_owners/keycloak.md)
-- [Linkedin](resource_owners/linkedin.md)
+- [LinkedIn OpenID](resource_owners/linkedin_openid.md)
+- [LinkedIn](resource_owners/linkedin.md)
 - [Mail.ru](resource_owners/mailru.md)
 - [Odnoklassniki](resource_owners/odnoklassniki.md)
 - [Passage](resource_owners/passage.md)
diff --git a/docs/resource_owners/linkedin_openid.md b/docs/resource_owners/linkedin_openid.md
@@ -0,0 +1,27 @@
+Step 2x: Setup Linkedin OpenID
+=======================
+First you will have to register your application on Linkedin. Check out the
+documentation for more information: https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin-v2.
+
+Next configure a resource owner of type `linkedin_openid` with appropriate `client_id`,
+`client_secret` and `scope`.
+Example of values for scope: `openid`, `profile`, `email`
+as described by [Authenticating Members](https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin-v2?source=recommendations#authenticating-members)
+
+```yaml
+# config/packages/hwi_oauth.yaml
+
+hwi_oauth:
+    resource_owners:
+        any_name:
+            type:           linkedin_openid
+            client_id:      <client_id>
+            client_secret:  <client_secret>
+            scope:          <scope>
+```
+
+When you're done. Continue by configuring the security layer or go back to
+setup more resource owners.
+
+- [Step 2: Configuring resource owners (Facebook, GitHub, Google, Windows Live and others](../2-configuring_resource_owners.md)
+- [Step 3: Configuring the security layer](../3-configuring_the_security_layer.md).
diff --git a/src/OAuth/ResourceOwner/LinkedinOpenIdResourceOwner.php b/src/OAuth/ResourceOwner/LinkedinOpenIdResourceOwner.php
@@ -0,0 +1,94 @@
+<?php
+
+/*
+ * This file is part of the HWIOAuthBundle package.
+ *
+ * (c) Hardware Info <opensource@hardware.info>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace HWI\Bundle\OAuthBundle\OAuth\ResourceOwner;
+
+use HWI\Bundle\OAuthBundle\OAuth\Response\LinkedinOpenIdUserResponse;
+use Symfony\Component\OptionsResolver\OptionsResolver;
+
+/**
+ * @author Francisco Facioni <fran6co@gmail.com>
+ * @author Joseph Bielawski <stloyd@gmail.com>
+ */
+final class LinkedinOpenIdResourceOwner extends GenericOAuth2ResourceOwner
+{
+    public const TYPE = 'linkedin_openid';
+
+    /**
+     * {@inheritdoc}
+     */
+    protected array $paths = [
+        'identifier' => 'sub',
+        'nickname' => 'email',
+        'firstname' => 'given_name',
+        'lastname' => 'family_name',
+        'email' => 'email',
+        'profilepicture' => 'picture',
+    ];
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getUserInformation(array $accessToken, array $extraParameters = [])
+    {
+        return parent::getUserInformation($accessToken, $extraParameters);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function doGetTokenRequest($url, array $parameters = [])
+    {
+        $parameters['client_id'] = $this->options['client_id'];
+        $parameters['client_secret'] = $this->options['client_secret'];
+
+        return $this->httpRequest($this->normalizeUrl($url, $parameters), null, [], 'POST');
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function httpRequest($url, $content = null, array $headers = [], $method = null)
+    {
+        // LinkedIn v2 API is supposed to require Content-Type: application/json but it works without
+        // and request to get the access token doesn't seems to work with Content-Type: application/json
+        // so we don't put any Content-Type header.
+        // Skip the Content-Type header in GenericOAuth2ResourceOwner::httpRequest
+        //
+        // LinkedIn API requires to always set Content-Length in POST requests
+        if ('POST' === $method) {
+            $headers['Content-Length'] = \is_string($content) ? (string) \strlen($content) : '0';
+        }
+
+        return AbstractResourceOwner::httpRequest($url, $content, $headers, $method);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function configureOptions(OptionsResolver $resolver)
+    {
+        parent::configureOptions($resolver);
+
+        $resolver->setDefaults([
+            'scope' => 'openid profile email',
+            'authorization_url' => 'https://www.linkedin.com/oauth/v2/authorization',
+            'access_token_url' => 'https://www.linkedin.com/oauth/v2/accessToken',
+            'infos_url' => 'https://api.linkedin.com/v2/userinfo',
+
+            'user_response_class' => LinkedinOpenIdUserResponse::class,
+
+            'csrf' => true,
+
+            'use_bearer_authorization' => true,
+        ]);
+    }
+}
diff --git a/src/OAuth/Response/LinkedinOpenIdUserResponse.php b/src/OAuth/Response/LinkedinOpenIdUserResponse.php
@@ -0,0 +1,39 @@
+<?php
+
+/*
+ * This file is part of the HWIOAuthBundle package.
+ *
+ * (c) Hardware Info <opensource@hardware.info>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace HWI\Bundle\OAuthBundle\OAuth\Response;
+
+final class LinkedinOpenIdUserResponse extends PathUserResponse
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function getFirstName(): ?string
+    {
+        return $this->getValueForPath('firstname');
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getLastName(): ?string
+    {
+        return $this->getValueForPath('lastname');
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getProfilePicture(): ?string
+    {
+        return $this->getValueForPath('profilepicture');
+    }
+}
diff --git a/tests/OAuth/ResourceOwner/LinkedinOpenIdResourceOwnerTest.php b/tests/OAuth/ResourceOwner/LinkedinOpenIdResourceOwnerTest.php
@@ -0,0 +1,97 @@
+<?php
+
+/*
+ * This file is part of the HWIOAuthBundle package.
+ *
+ * (c) Hardware Info <opensource@hardware.info>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace HWI\Bundle\OAuthBundle\Tests\OAuth\ResourceOwner;
+
+use HWI\Bundle\OAuthBundle\OAuth\ResourceOwner\LinkedinOpenIdResourceOwner;
+use HWI\Bundle\OAuthBundle\OAuth\Response\AbstractUserResponse;
+use HWI\Bundle\OAuthBundle\Test\Fixtures\CustomUserResponse;
+use HWI\Bundle\OAuthBundle\Test\OAuth\ResourceOwner\GenericOAuth2ResourceOwnerTestCase;
+
+final class LinkedinOpenIdResourceOwnerTest extends GenericOAuth2ResourceOwnerTestCase
+{
+    protected string $resourceOwnerClass = LinkedinOpenIdResourceOwner::class;
+    protected string $userResponse = <<<json
+{
+    "sub": "CM9X5BxxK8",
+    "email_verified": true,
+    "name": "John Smith",
+    "locale": {
+      "country": "US",
+      "language": "en"
+    },
+    "given_name": "John",
+    "family_name": "Smith",
+    "email": "example@website.com",
+    "picture": "https://website.com/picture.jpg"
+}
+json;
+    protected array $paths = [
+        'identifier' => 'sub',
+        'nickname' => 'email',
+        'firstname' => 'given_name',
+        'lastname' => 'family_name',
+        'email' => 'email',
+        'profilepicture' => 'picture',
+    ];
+    protected bool $csrf = true;
+
+    protected string $authorizationUrlBasePart = 'http://user.auth/?test=2&response_type=code&client_id=clientid&scope=openid+profile+email';
+
+    protected int $httpClientCalls = 1;
+
+    public function testCustomResponseClass(): void
+    {
+        $class = CustomUserResponse::class;
+
+        $resourceOwner = $this->createResourceOwner(
+            ['user_response_class' => $class],
+            [],
+            [
+                $this->createMockResponse($this->userResponse, 'application/json; charset=utf-8'),
+                $this->createMockResponse($this->userResponse, 'application/json; charset=utf-8'),
+            ]
+        );
+
+        /** @var CustomUserResponse */
+        $userResponse = $resourceOwner->getUserInformation($this->tokenData);
+
+        $this->assertInstanceOf($class, $userResponse);
+        $this->assertEquals('foo666', $userResponse->getUserIdentifier());
+        $this->assertEquals('foo', $userResponse->getNickname());
+        $this->assertEquals('token', $userResponse->getAccessToken());
+        $this->assertNull($userResponse->getRefreshToken());
+        $this->assertNull($userResponse->getExpiresIn());
+    }
+
+    public function testGetUserInformation(): void
+    {
+        $resourceOwner = $this->createResourceOwner(
+            [],
+            [],
+            [
+                $this->createMockResponse($this->userResponse, 'application/json; charset=utf-8'),
+                $this->createMockResponse($this->userResponse, 'application/json; charset=utf-8'),
+            ]
+        );
+
+        /** @var AbstractUserResponse $userResponse */
+        $userResponse = $resourceOwner->getUserInformation($this->tokenData);
+
+        $this->assertEquals('CM9X5BxxK8', $userResponse->getUserIdentifier());
+        $this->assertEquals('example@website.com', $userResponse->getNickname());
+        $this->assertEquals('John', $userResponse->getFirstName());
+        $this->assertEquals('Smith', $userResponse->getLastName());
+        $this->assertEquals('token', $userResponse->getAccessToken());
+        $this->assertNull($userResponse->getRefreshToken());
+        $this->assertNull($userResponse->getExpiresIn());
+    }
+}
