0

Implementation- Enable OAuth2.0 flow between LinkedIn & Forgerock AM where FR AM acts as a client and LinkedIn is the OAuth provider.

Problem- We are integrating "LinkedIn Sign" into one of our apps using OAuth2.0 with Forgerock AM as a client. Right now, Forgerock, which is acting as a client, passes PKCE parameters in the authorization request endpoint to LinkedIn (code challenge & code challenge method) and we receive the authorization code along with the state parameter. But subsequent request to retrieve access token fails with PKCE error.

Key info from the logs-

"ERROR: Exception in processing the tree
org.forgerock.openam.auth.node.api.NodeProcessException: Unable to get UserInfo details from provider
at org.forgerock.openam.auth.nodes.oauth.AbstractSocialAuthLoginNode.getUserInfo(AbstractSocialAuthLoginNode.java:338)

Caused by: org.forgerock.oauth.OAuthException: Unable to process request. {"error":"access_denied","error_description":"Not enough permissions to access Native PKCE protocol"}
at org.forgerock.oauth.clients.oauth2.OAuth2Client.lambda$mapToJsonValue$0(OAuth2Client.java:126)
at org.forgerock.util.CloseSilentlyFunction.apply(CloseSilentlyFunction.java:53)
at org.forgerock.util.CloseSilentlyFunction.apply(CloseSilentlyFunction.java:29)
at org.forgerock.util.promise.PromiseImpl.lambda$then$6(PromiseImpl.java:374)
at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:536)
at org.forgerock.util.promise.PromiseImpl.setState(PromiseImpl.java:577)
at org.forgerock.util.promise.PromiseImpl.tryHandleResult(PromiseImpl.java:258)
at org.forgerock.util.promise.PromiseImpl.handleResult(PromiseImpl.java:208)
at org.forgerock.util.promise.PromiseImpl.lambda$then$6(PromiseImpl.java:374)"

LinkedIn API reference & OAuth2.0 - https://docs.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin/consumer/context

P.S. Forgerock AM when integrated with Google using OAuth2.0 [PKCE] is working absolutely fine.

Any help will be much appreciated. Thank you.

4

1 回答 1

0

根据微软文档:https : //docs.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow-native 您需要联系linkedin团队为您启用PKCE,然后是PKCE的授权URL也不同 - https://www.linkedin.com/oauth/native-pkce/authorization

于 2020-11-24T22:49:30.203 回答