fix: decouple LinkedIn personal profile OAuth scopes from organization scopes #1134
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…n scopes Personal LinkedIn integration was blocked for self-hosters because OAuth requested organization scopes (w_organization_social, etc.) that require special LinkedIn API access. LinkedIn rejects the entire OAuth request if any scope is unauthorized. - Reduce LinkedinProvider scopes to personal-only: openid, profile, w_member_social - LinkedinPageProvider retains full org scopes via override - Add documentation comments explaining the scope separation Fixes gitroomhq#844
|
@dredozubov is attempting to deploy a commit to the Listinai Team on Vercel. A member of the Team first needs to authorize it. |
3 tasks
Author
|
Tested this fix in combination with #1136 (bearer token fix for profile picture download) using a Successfully added LinkedIn Channel to self-hosted Postiz instance. Both fixes work correctly together. |
Features: - JWT-based authentication using Ghost Admin API keys - Post creation with HTML content support - Featured image upload - Tags support - Custom post status (published/draft/scheduled) - Custom slug support Files added: - ghost.provider.ts: Main provider implementation - ghost.dto.ts: Post settings validation - ghost.png: Platform icon (50x50)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What kind of change does this PR introduce?
Bug fix
Why was this change needed?
Self-hosted Postiz users cannot connect their personal LinkedIn profiles because the OAuth flow requests organization scopes (
w_organization_social,rw_organization_admin,r_organization_social) that individual developers cannot obtain from LinkedIn.LinkedIn's OAuth rejects the entire request if any scope is unauthorized. Since organization scopes require Advertising API or Community Management API access (which requires legal entity verification), individual developers are completely blocked—even though
w_member_socialalone is sufficient for personal profile posting.Related issue: Fixes #844
Solution
Decouple the OAuth scopes between the two LinkedIn providers:
openid,profile,w_member_socialChanges
linkedin.provider.ts: Reduced scopes to personal-only (openid,profile,w_member_social)linkedin.page.provider.ts: Unchanged (already overrides with full org scopes) + added documentation commentThe fix works because
LinkedinPageProviderextendsLinkedinProviderand explicitly overrides thescopesproperty, so the parent's reduced scopes don't affect organization page functionality.Other information:
This issue has been reported by multiple users in #844 with various workarounds suggested, but no permanent fix was implemented. The change is minimal (net -2 lines of code) and follows the existing inheritance pattern in the codebase.
Verified that
pnpm run buildpasses successfully.Checklist: