Sign In with LinkedIn using OpenID Connect
Overview
We are now offering a way for your apps to authenticate members using OpenID Connect.
What is OpenID Connect
OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0, enabling applications to authenticate members and obtain lite profile information about the member. OIDC will simplify the partner integration onboarding experience and eliminate dependencies on making additional API calls to find who the authenticated member is.
Note
Keep in mind Sign In with LinkedIn using OpenID Connect does not verify user identities and should not be marketed as such.
Getting Started
Authenticating Members
New members logging in to your service for the first time will need to follow the Authenticating with OAuth 2.0 Guide. When requesting the authorization code in Step 2 of the OAuth 2.0 Guide, make sure you use the OpenID scope openid to get the ID Token. We are also introducing new scopes profile and email.
| Permission Name | Description |
|---|---|
| openid | Required to indicate the application wants to use OIDC to authenticate the member. |
| profile | Required to retrieve the member's lite profile including their id, name, and profile picture. |
| Required to retrieve the member's email address. |
After successful authentication, you will receive the member's access token and ID token.
If your application does not have these permissions provisioned, you can request access through the Developer Portal. Select your app from My Apps, navigate to the Products tab, and request the Sign in with LinkedIn using OpenID Connect product.
Retrieving Member Profiles Using ID Tokens
The primary extension that OIDC adds to OAuth 2.0 is enabling members to be Authenticated using the ID Token data structure. The ID Token is a security token that contains Claims about the Authentication of a member by an Authorization Server when using a Client, and potentially other requested Claims. The ID Token is represented as a JSON Web Token (JWT). With OIDC, you are now able to extract the member details from the ID Token.
ID Token Payload
| Permission Name | Description |
|---|---|
| iss | The authorization server’s Identifier of the response https://www.linkedin.com |
| sub | User identifier |
| aud | client_id of Relying party/caller Application guarantees user authentication for itself. |
| iat | ID Token issue time |
| exp | This is the expiration time of the token. The relying party processing this token should reject it once the expiration time is reached. |
Validating ID Tokens
ID Tokens can be validated using the metadata provided by discovery document which contains OAuth endpoints, public keys and claims.
{
"issuer": "https://www.linkedin.com",
"authorization_endpoint": "https://www.linkedin.com/oauth/v2/authorization",
"token_endpoint": "https://www.linkedin.com/oauth/v2/accessToken",
"userinfo_endpoint": "https://api.linkedin.com/v2/userinfo",
"jwks_uri": "https://www.linkedin.com/oauth/openid/jwks",
"response_types_supported": [
"code"
],
"subject_types_supported": [
"pairwise"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"scopes_supported": [
"openid",
"profile",
"email"
],
"claims_supported": [
"iss",
"aud",
"iat",
"exp",
"sub",
"name",
"given_name",
"family_name",
"picture",
"email",
"email_verified",
"locale"
]
}
JWKS_URI provided in the discovery document, can be used for signature verification.
API Request to retreive member details
In addition to the JWT received, you can also call userinfo endpoint to retrieve the member details.
GET https://api.linkedin.com/v2/userinfo
Authorization: Bearer <access token>
Response Body Schema
| Field Name | Description | Format |
|---|---|---|
| sub | Subject Identifier | Text |
| name | Full name | Text |
| given_name | Member's first name | Text |
| family_name | Member's last name | Text |
| picture | Member's profile picture URL | Text |
| locale | Member's locale | Text |
| Member's primary e-mail address. | Text | |
| email_verified | Indicator that Member's primary email has been verified | Boolean |
Sample API Response
{
"sub": "782bbtaQ",
"name": "John Doe",
"given_name": "John",
"family_name": "Doe",
"picture": "https://media.licdn-ei.com/dms/image/C5F03AQHqK8v7tB1HCQ/profile-displayphoto-shrink_100_100/0/",
"locale": "en-US",
"email": "doe@email.com",
"email_verified": true
}
With the member's profile information successfully retrieved, the sign-in process is now complete and your member can continue to enjoy their personalized experience with your site or application.
Additional Resources
Image Resources
Download official Sign In with LinkedIn button images in multiple sizes and formats from the LinkedIn Brand Resources archive for use within your site or application.
Rate Limits
| Throttle Type | Daily Request Limit (UTC) |
|---|---|
| Member | 500 Requests |
| Application | 100,000 Requests |
Feedback
Bald verfügbar: Im Laufe des Jahres 2024 werden wir GitHub-Tickets als Feedbackmechanismus für Inhalte auslaufen lassen und es durch ein neues Feedbacksystem ersetzen. Weitere Informationen finden Sie unter: https://aka.ms/ContentUserFeedback.
Einreichen und Feedback anzeigen für