How to build Login with LinkedIn using Node and WorkOS

When you build an app one thing you want to get right is making it as easy as possible for users to log in. At the same time, you must ensure that the process is safe and compliant with your organization’s security standards. LinkedIn, as a widely used platform for professionals, offers a great solution for this. By integrating LinkedIn login, you allow your users—whether they’re employees, clients, or partners—to authenticate quickly with their existing LinkedIn profiles.

In this tutorial, we will go through all the steps required to add the Login with LinkedIn functionality to your app using Node as the language and WorkOS with AuthKit.

While going through this tutorial, remember that some things might get outdated as products evolve. Dashboards change, and new SDK versions are released every week. If while you follow this tutorial, something is not working for you, please refer to these docs for the most up-to-date guidance:

• WorkOS Node.js SDK
• LinkedIn OAuth integration guide
• User management quick start

Prerequisites

To follow this tutorial, you will need the following:

• A LinkedIn account.
• A WorkOS account.
• A Node.js app (Node 16 or higher).

Step 1: Install the SDK

Install the WorkOS Node SDK to your app.

• Using npm: npm install @workos-inc/node
• Using yarn: yarn add @workos-inc/node
• Using pnpm: pnpm add @workos-inc/node

Step 2: Set secrets

To make calls to WorkOS, you must authenticate using the WorkOS API key and client ID. Copy these values from the WorkOS dashboard.

Store the values as managed secrets and pass them to the SDK as environment variables:

Environment variables example:

	
WORKOS_API_KEY='sk_example_123456789'
WORKOS_CLIENT_ID='client_123456789'
	

!!For more information on safely handling secrets, see Best practices for secrets management.!!

Step 3: Configure the LinkedIn connection

Get the Redirect URI

WorkOS provides the Redirect URI, a whitelisted callback URL. This URL will tell LinkedIn where to redirect a user after they successfully authenticate with the LinkedIn service. You need to get this URL from the WorkOS dashboard and provide it to LinkedIn.

1. Go to the WorkOS dashboard and select Authentication on the navigation bar on the left-hand side.
2. Scroll down to the LinkedIn OAuth section and click Enable.
3. In the modal, you’ll see the Redirect URI as well as the fields you’ll populate later with information from LinkedIn. Copy this URI. We will use it as part of the registration process in the LinkedIn Developer Portal.

Configure the LinkedIn OAuth app

To configure the connection on LinkedIn’s side, follow these steps:

1. Log in to your LinkedIn account, go to the Developer Portal page and click on Create app.
2. Fill out the form with the required details about your application, like the application name, LinkedIn page, and app logo. When you are done, click on Create app.
3. On the next page, click the Auth tab. Copy the Client ID and Primary Client Secret. We will use them in the next step.
4. Click the pencil button at OAuth 2.0 settings > Authorized redirect URLs for your app. Click Add redirect URL and paste the WorkOS Redirect URI. Click Update.
5. Click the Products tab and add the Sign In with LinkedIn using OpenID Connect product.

For more detailed steps and screenshots, follow the LinkedIn OAuth integration guide.

Provide client credentials to WorkOS

1. Go back to the Authentication section in the WorkOS dashboard and click on Enable under LinkedIn OAuth.
2. Toggle Enabled on and provide the client credentials from LinkedIn that you generated in the previous step.
3. Finally, click Save.

Step 4: Configure a redirect URI

In this step, we will configure your application’s redirect URI (which is different from the one we used before).

A redirect URI is an endpoint of your app where the users will be redirected after they sign in. We’ll create this endpoint in a bit. For now,, we need to add the URI to the Redirects section of the WorkOS dashboard.

While wildcards in your URIs can be used in the staging environment, they and query parameters cannot be used in production. When users sign out of their application, they will be redirected to your app’s homepage, which is configured in the same dashboard area.

If you already have an app set up with AuthKit you don’t need to do anything more. Next time your users log in they will see the option to use LinkedIn for authentication. If you don’t have an app follow the next steps to create one.

Step 5: Set up the frontend

We are ready to start adding code. In this tutorial, we will use React to create a simple page with a login link. For brevity we will not talk about logout but if you want to know how to do that see the docs.

‍Create a new React app if you don’t have one already, and add the following code to your App.js:

	
export default function App() {
  return (
    <div className="App">
      <h1>AuthKit example</h1>
      <p>This is an example of how to use AuthKit with a React frontend.</p>
      <p>
        <a href="/login">Sign in</a>
      </p>
    </div>
  );
}
	

Step 6: Set up the backend

First, we’ll need to direct users to sign in (or sign up) using AuthKit before redirecting them back to your application. We’ll do this by generating an AuthKit authorization URL server side and redirecting the user to it.

For this guide we’ll be using the express web server for Node.

Add the following code to server.js:

	
const express = require('express');
const { WorkOS } = require('@workos-inc/node');

const app = express();
const workos = new WorkOS(process.env.WORKOS_API_KEY, {
  clientId: process.env.WORKOS_CLIENT_ID,
});

app.get('/login', (req, res) => {
  const authorizationUrl = workos.userManagement.getAuthorizationUrl({
    // Specify that we'd like AuthKit to handle the authentication flow
    provider: 'authkit',

    // The callback endpoint that WorkOS will redirect to after a user authenticates
    redirectUri: 'http://your-app.com/callback',
    clientId: process.env.WORKOS_CLIENT_ID,
  });

  // Redirect the user to the AuthKit sign-in page
  res.redirect(authorizationUrl);
});
	

After the user authenticates, WorkOS generates a string (the authorization code), adds it to the Redirect URI, and redirects the user there. The URL looks like this:

	
https://your-app.com/callback?code=g0FGFmNjVmOWIkTGf2PLk4FTYyFGU5
	

The app needs to extract that code and make another call to exchange it for a token and user profile information.

To extract the code from the URL and do the exchange, add the following code to server.js:

	
const express = require('express');
const { WorkOS } = require('@workos-inc/node');

const app = express();

const workos = new WorkOS(process.env.WORKOS_API_KEY, {
  clientId: process.env.WORKOS_CLIENT_ID,
});

app.get('/callback', async (req, res) => {
  // The authorization code returned by AuthKit
  const code = req.query.code;

  if (!code) {
    return res.status(400).send('No code provided');
  }

  const { user } = await workos.userManagement.authenticateWithCode({
    code,
    clientId: process.env.WORKOS_CLIENT_ID,
  });

  // Use the information in `user` for further business logic.

  // Redirect the user to the homepage
  return res.redirect('/');
});
	

The user has now successfully logged in with LinkedIn. This is what the response looks like:

	
{
  "user": {
    "object": "user",
    "id": "user_01E4ZCR3C56J083X43JQXF3JK5",
    "email": "marcelina.davis@example.com",
    "first_name": "Marcelina",
    "last_name": "Davis",
    "email_verified": true,
    "profile_picture_url": "https://workoscdn.com/images/v1/123abc",
    "created_at": "2021-06-25T19:07:33.155Z",
    "updated_at": "2021-06-25T19:07:33.155Z"
  },
  "organization_id": "org_01H945H0YD4F97JN9MATX7BYAG",
  "access_token": "eyJhb.nNzb19vaWRjX2tleV9.lc5Uk4yWVk5In0",
  "refresh_token": "yAjhKk123NLIjdrBdGZPf8pLIDvK"
}
	

The user object can be used for further business logic like personalizing the UI for the user.

The response also includes an access token and a refresh token. These two tokens can be used to manage the user’s session without asking them to authenticate constantly. The access token is short-lived and allows an application to access resources on a user’s behalf, while the refresh token, which lives a bit longer, can be used to get a new access token when that expires.

Both tokens should be handled and stored securely since if an attacker obtains a user's token, they can impersonate the user and gain unauthorized access to protected resources. WorkOS SDKs use sealed sessions (i.e., sessions encrypted with a strong password) to keep tokens safe. For more information, see Handle the user session.

Next steps

You have now successfully added Log in with LinkedIn functionality to your app. This is just the first step in your identity management journey. The next steps are handling the user’s session, implementing logout, adding SAML SSO, implementing access control, provisioning users automatically, handling failed authentication events, and more. Check our blog for tutorials on all of these areas.

Here are some more resources you might find useful:

• User management quickstart: A complete authentication platform that uses AuthKit and includes SSO out of the box.
• AuthKit branding docs: How to customize the look and feel of AuthKit to match your app’s design.
• SSO quickstart: A standalone API for integrating into an existing auth stack.
• LinkedIn integration guide: Detailed instructions on how to configure a LinkedIn connection via OAuth.
• AuthKit sample application: An example application demonstrating how to use hosted AuthKit to authenticate users.
• Admin Portal docs: An out-of-the-box UI for IT admins to configure SSO connections.‍
• Migration guides: Detailed instructions on how to migrate your users from another service to WorkOS.