KEYCLOAK-28 - Login with LinkedIn

README.md

@@ -9,7 +9,7 @@ It can be used for social applications as well as enterprise applications.  It i
 Here's some of the features:
 
 * SSO and Single Log Out for browser applications
-* Social Broker.  Enable Google, Facebook, Yahoo, Twitter social login with no code required.
+* Social Broker.  Enable Google, Facebook, Yahoo, Twitter, GitHub, LinkedIn social login with no code required.
 * Optional LDAP/Active Directory integration
 * Optional User Registration
 * Password and TOTP support (via Google Authenticator or FreeOTP).  Client cert auth coming soon.

dependencies/server-all/pom.xml

@@ -122,6 +122,11 @@
             <artifactId>keycloak-social-facebook</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-social-linkedin</artifactId>
+            <version>${project.version}</version>
+        </dependency>
 
         <!-- ldap federation api -->
         <dependency>

distribution/modules/build.xml

@@ -236,6 +236,10 @@
             <maven-resource group="org.keycloak" artifact="keycloak-social-facebook"/>
         </module-def>
     	
+    	  <module-def name="org.keycloak.keycloak-social-linkedin">
+    	      <maven-resource group="org.keycloak" artifact="keycloak-social-linkedin"/>
+    	  </module-def>
+
         <module-def name="org.keycloak.keycloak-kerberos-federation">
             <maven-resource group="org.keycloak" artifact="keycloak-kerberos-federation"/>
         </module-def>

distribution/modules/src/main/resources/modules/org/keycloak/keycloak-server/main/module.xml

@@ -57,6 +57,7 @@
         <module name="org.keycloak.keycloak-social-github" services="import"/>
         <module name="org.keycloak.keycloak-social-google" services="import"/>
         <module name="org.keycloak.keycloak-social-twitter" services="import"/>
+        <module name="org.keycloak.keycloak-social-linkedin" services="import"/>
         <module name="org.keycloak.keycloak-subsystem" services="import"/>
         <module name="org.keycloak.keycloak-timer-api" services="import"/>
         <module name="org.keycloak.keycloak-timer-basic" services="import"/>

distribution/modules/src/main/resources/modules/org/keycloak/keycloak-services/main/module.xml

@@ -60,6 +60,7 @@
         <module name="org.keycloak.keycloak-social-github" services="import"/>
         <module name="org.keycloak.keycloak-social-google" services="import"/>
         <module name="org.keycloak.keycloak-social-twitter" services="import"/>
+        <module name="org.keycloak.keycloak-social-linkedin" services="import"/>
         <module name="org.keycloak.keycloak-timer-api" services="import"/>
         <module name="org.keycloak.keycloak-timer-basic" services="import"/>
 

distribution/modules/src/main/resources/modules/org/keycloak/keycloak-social-linkedin/main/module.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+
+
+<module xmlns="urn:jboss:module:1.1" name="org.keycloak.keycloak-social-linkedin">
+    <resources>
+        <!-- Insert resources here -->
+    </resources>
+    <dependencies>
+        <module name="org.keycloak.keycloak-core"/>
+        <module name="org.keycloak.keycloak-social-core"/>
+        <module name="org.keycloak.keycloak-broker-core"/>
+        <module name="org.keycloak.keycloak-broker-oidc"/>
+        <module name="org.keycloak.keycloak-model-api"/>
+        <module name="org.jboss.logging"/>
+        <module name="javax.api"/>
+        <module name="org.codehaus.jackson.jackson-core-asl"/>
+        <module name="org.codehaus.jackson.jackson-mapper-asl"/>
+        <module name="org.codehaus.jackson.jackson-xc"/>
+    </dependencies>
+
+</module>

distribution/subsystem-war/src/main/webapp/WEB-INF/jboss-deployment-structure.xml

@@ -50,6 +50,7 @@
             <module name="org.keycloak.keycloak-social-github" services="import"/>
             <module name="org.keycloak.keycloak-social-google" services="import"/>
             <module name="org.keycloak.keycloak-social-twitter" services="import"/>
+            <module name="org.keycloak.keycloak-social-linkedin" services="import"/>
             <module name="org.keycloak.keycloak-timer-api" services="import"/>
             <module name="org.keycloak.keycloak-timer-basic" services="import"/>
             <module name="org.hibernate" services="import"/>

examples/cors/angular-product-app/.gitignore

@@ -0,0 +1 @@
+/.externalToolBuilders/*

forms/common-themes/src/main/resources/theme/admin/base/resources/partials/realm-identity-provider-linkedin.html

@@ -0,0 +1 @@
+<div data-ng-include data-src="resourceUrl + '/partials/realm-identity-provider-social.html'"></div>

social/linkedin/.gitignore

@@ -0,0 +1 @@
+/target/

social/linkedin/pom.xml

@@ -0,0 +1,40 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>keycloak-social-parent</artifactId>
+        <groupId>org.keycloak</groupId>
+        <version>1.2.0.Beta1-SNAPSHOT</version>
+        <relativePath>../pom.xml</relativePath>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+    <packaging>jar</packaging>
+
+    <artifactId>keycloak-social-linkedin</artifactId>
+    <name>Keycloak Social LinkedIn</name>
+    <description/>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-social-core</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-broker-oidc</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.codehaus.jackson</groupId>
+            <artifactId>jackson-mapper-asl</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.jboss.logging</groupId>
+            <artifactId>jboss-logging</artifactId>
+            <scope>provided</scope>
+        </dependency>
+    </dependencies>
+</project>

social/linkedin/src/main/java/org/keycloak/social/linkedin/LinkedInIdentityProvider.java

@@ -0,0 +1,109 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2015 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.social.linkedin;
+
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.URLDecoder;
+
+import org.codehaus.jackson.JsonNode;
+import org.jboss.logging.Logger;
+import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
+import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
+import org.keycloak.broker.oidc.util.SimpleHttp;
+import org.keycloak.broker.provider.FederatedIdentity;
+import org.keycloak.broker.provider.IdentityBrokerException;
+import org.keycloak.social.SocialIdentityProvider;
+
+/**
+ * LinkedIn social provider. See https://developer.linkedin.com/docs/oauth2
+ * 
+ * @author Vlastimil Elias (velias at redhat dot com)
+ */
+public class LinkedInIdentityProvider extends AbstractOAuth2IdentityProvider implements SocialIdentityProvider {
+
+	private static final Logger log = Logger.getLogger(LinkedInIdentityProvider.class);
+
+	public static final String AUTH_URL = "https://www.linkedin.com/uas/oauth2/authorization";
+	public static final String TOKEN_URL = "https://www.linkedin.com/uas/oauth2/accessToken";
+	public static final String PROFILE_URL = "https://api.linkedin.com/v1/people/~:(id,formatted-name,email-address,public-profile-url)?format=json";
+	public static final String DEFAULT_SCOPE = "r_basicprofile r_emailaddress";
+
+	public LinkedInIdentityProvider(OAuth2IdentityProviderConfig config) {
+		super(config);
+		config.setAuthorizationUrl(AUTH_URL);
+		config.setTokenUrl(TOKEN_URL);
+		config.setUserInfoUrl(PROFILE_URL);
+	}
+
+	@Override
+	protected FederatedIdentity doGetFederatedIdentity(String accessToken) {
+		log.debug("doGetFederatedIdentity()");
+		try {
+			JsonNode profile = SimpleHttp.doGet(PROFILE_URL).header("Authorization", "Bearer " + accessToken).asJson();
+
+			FederatedIdentity user = new FederatedIdentity(getJsonProperty(profile, "id"));
+
+			user.setUsername(extractUsernameFromProfileURL(getJsonProperty(profile, "publicProfileUrl")));
+			user.setName(getJsonProperty(profile, "formattedName"));
+			user.setEmail(getJsonProperty(profile, "emailAddress"));
+
+			return user;
+		} catch (Exception e) {
+			throw new IdentityBrokerException("Could not obtain user profile from github.", e);
+		}
+	}
+
+	protected static String extractUsernameFromProfileURL(String profileURL) {
+		if (isNotBlank(profileURL)) {
+
+			try {
+				log.debug("go to extract username from profile URL " + profileURL);
+				URL u = new URL(profileURL);
+				String path = u.getPath();
+				if (isNotBlank(path) && path.length() > 1) {
+					if (path.startsWith("/")) {
+						path = path.substring(1);
+					}
+					String[] pe = path.split("/");
+					if (pe.length >= 2) {
+						return URLDecoder.decode(pe[1], "UTF-8");
+					} else {
+						log.warn("LinkedIn profile URL path is without second part: " + profileURL);
+					}
+				} else {
+					log.warn("LinkedIn profile URL is without path part: " + profileURL);
+				}
+			} catch (MalformedURLException e) {
+				log.warn("LinkedIn profile URL is malformed: " + profileURL);
+			} catch (Exception e) {
+				log.warn("LinkedIn profile URL " + profileURL + " username extraction failed due: " + e.getMessage());
+			}
+		}
+		return null;
+	}
+
+	private static boolean isNotBlank(String s) {
+		return s != null && s.trim().length() > 0;
+	}
+
+	@Override
+	protected String getDefaultScopes() {
+		return DEFAULT_SCOPE;
+	}
+}

social/linkedin/src/main/java/org/keycloak/social/linkedin/LinkedInIdentityProviderFactory.java

@@ -0,0 +1,47 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2015 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.social.linkedin;
+
+import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
+import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
+import org.keycloak.models.IdentityProviderModel;
+import org.keycloak.social.SocialIdentityProviderFactory;
+
+/**
+ * @author Vlastimil Elias (velias at redhat dot com)
+ */
+public class LinkedInIdentityProviderFactory extends AbstractIdentityProviderFactory<LinkedInIdentityProvider>
+		implements SocialIdentityProviderFactory<LinkedInIdentityProvider> {
+
+	public static final String PROVIDER_ID = "linkedin";
+
+	@Override
+	public String getName() {
+		return "LinkedIn";
+	}
+
+	@Override
+	public LinkedInIdentityProvider create(IdentityProviderModel model) {
+		return new LinkedInIdentityProvider(new OAuth2IdentityProviderConfig(model));
+	}
+
+	@Override
+	public String getId() {
+		return PROVIDER_ID;
+	}
+}

social/linkedin/src/main/resources/META-INF/services/org.keycloak.social.SocialIdentityProviderFactory

@@ -0,0 +1 @@
+org.keycloak.social.linkedin.LinkedInIdentityProviderFactory

social/pom.xml

@@ -20,6 +20,7 @@
         <module>google</module>
         <module>twitter</module>
         <module>facebook</module>
+        <module>linkedin</module>
     </modules>
 
 </project>

testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderModelTest.java

@@ -24,6 +24,7 @@ import org.keycloak.social.facebook.FacebookIdentityProviderFactory;
 import org.keycloak.social.github.GitHubIdentityProviderFactory;
 import org.keycloak.social.google.GoogleIdentityProviderFactory;
 import org.keycloak.social.twitter.TwitterIdentityProviderFactory;
+import org.keycloak.social.linkedin.LinkedInIdentityProviderFactory;
 import org.keycloak.testsuite.model.AbstractModelTest;
 
 import java.util.Collections;
@@ -47,6 +48,7 @@ public abstract class AbstractIdentityProviderModelTest extends AbstractModelTes
         this.expectedProviders.add(FacebookIdentityProviderFactory.PROVIDER_ID);
         this.expectedProviders.add(GitHubIdentityProviderFactory.PROVIDER_ID);
         this.expectedProviders.add(TwitterIdentityProviderFactory.PROVIDER_ID);
+        this.expectedProviders.add(LinkedInIdentityProviderFactory.PROVIDER_ID);
 
         this.expectedProviders = Collections.unmodifiableSet(this.expectedProviders);
     }

testsuite/integration/src/test/java/org/keycloak/testsuite/broker/ImportIdentityProviderTest.java

@@ -38,6 +38,8 @@ import org.keycloak.social.google.GoogleIdentityProvider;
 import org.keycloak.social.google.GoogleIdentityProviderFactory;
 import org.keycloak.social.twitter.TwitterIdentityProvider;
 import org.keycloak.social.twitter.TwitterIdentityProviderFactory;
+import org.keycloak.social.linkedin.LinkedInIdentityProvider;
+import org.keycloak.social.linkedin.LinkedInIdentityProviderFactory;
 
 import java.io.IOException;
 import java.util.HashSet;
@@ -160,6 +162,8 @@ public class ImportIdentityProviderTest extends AbstractIdentityProviderModelTes
                     assertGitHubIdentityProviderConfig(identityProvider);
                 } else if (TwitterIdentityProviderFactory.PROVIDER_ID.equals(providerId)) {
                     assertTwitterIdentityProviderConfig(identityProvider);
+                } else if (LinkedInIdentityProviderFactory.PROVIDER_ID.equals(providerId)) {
+                    assertLinkedInIdentityProviderConfig(identityProvider);
                 } else {
                     continue;
                 }
@@ -257,6 +261,23 @@ public class ImportIdentityProviderTest extends AbstractIdentityProviderModelTes
         assertEquals(GitHubIdentityProvider.PROFILE_URL, config.getUserInfoUrl());
     }
 
+    private void assertLinkedInIdentityProviderConfig(IdentityProviderModel identityProvider) {
+      LinkedInIdentityProvider gitHubIdentityProvider = new LinkedInIdentityProviderFactory().create(identityProvider);
+      OAuth2IdentityProviderConfig config = gitHubIdentityProvider.getConfig();
+
+        assertEquals("model-linkedin", config.getAlias());
+      assertEquals(LinkedInIdentityProviderFactory.PROVIDER_ID, config.getProviderId());
+      assertEquals(true, config.isEnabled());
+      assertEquals(true, config.isUpdateProfileFirstLogin());
+      assertEquals(false, config.isAuthenticateByDefault());
+      assertEquals(false, config.isStoreToken());
+      assertEquals("clientId", config.getClientId());
+      assertEquals("clientSecret", config.getClientSecret());
+      assertEquals(LinkedInIdentityProvider.AUTH_URL, config.getAuthorizationUrl());
+      assertEquals(LinkedInIdentityProvider.TOKEN_URL, config.getTokenUrl());
+      assertEquals(LinkedInIdentityProvider.PROFILE_URL, config.getUserInfoUrl());
+    }
+
     private void assertTwitterIdentityProviderConfig(IdentityProviderModel identityProvider) {
         TwitterIdentityProvider twitterIdentityProvider = new TwitterIdentityProviderFactory().create(identityProvider);
         OAuth2IdentityProviderConfig config = twitterIdentityProvider.getConfig();

testsuite/integration/src/test/resources/broker-test/test-realm-with-broker.json

@@ -61,6 +61,20 @@
                 "clientSecret": "clientSecret"
             }
         },
+        {
+            "alias" : "model-linkedin",
+            "providerId" : "linkedin",
+            "enabled": true,
+            "updateProfileFirstLogin" : "true",
+            "storeToken": false,
+            "config": {
+                "authorizationUrl": "authorizationUrl",
+                "tokenUrl": "tokenUrl",
+                "userInfoUrl": "userInfoUrl",
+                "clientId": "clientId",
+                "clientSecret": "clientSecret"
+            }
+        },
         {
           "alias" : "model-saml-signed-idp",
           "providerId" : "saml",