chore: LinkedIn custom OAuth #40594

Merged
yash-rajpal merged 5 commits into feat/phishing-resistant-mfa from passport-linkedin-oauth
May 18, 2026
Conversation

Member

@yash-rajpal yash-rajpal commented May 18, 2026

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

PRM-36

Summary by CodeRabbit

  • New Features

    • LinkedIn OAuth added as a login option with dynamic enable/credential updates at runtime.
    • OAuth providers now support per-provider PKCE configuration; PKCE is driven by provider settings (defaults to enabled).
  • Bug Fixes

    • LinkedIn email handling now uses standard email normalization for more reliable account matching.

Contributor

dionisio-bot Bot commented May 18, 2026

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

@yash-rajpal yash-rajpal marked this pull request as ready for review May 18, 2026 08:42
@yash-rajpal yash-rajpal requested a review from a team as a code owner May 18, 2026 08:42

changeset-bot Bot commented May 18, 2026

⚠️ No Changeset found

Latest commit: 1909436

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@yash-rajpal yash-rajpal requested a review from a team as a code owner May 18, 2026 08:42
Contributor

coderabbitai Bot commented May 18, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f293c42f-3979-4b3f-8b37-10e480bd0734

📥 Commits

Reviewing files that changed from the base of the PR and between 011b07c and 1909436.

📒 Files selected for processing (1)
  • apps/meteor/app/linkedin/server/lib.ts

Walkthrough

Adds optional pkce to OAuthConfiguration, makes CustomOAuthStrategy honor config.pkce (default true), registers a LinkedIn OAuth provider with pkce: false and settings-driven reconfiguration, imports the LinkedIn server module at startup, and removes LinkedIn-specific email normalization.

Changes

LinkedIn OAuth with Configurable PKCE

| Layer | File(s) | Summary |
| --- | --- | --- |
| OAuth configuration type with PKCE field | packages/core-typings/src/ILoginServiceConfiguration.ts | OAuthConfiguration interface extended with optional pkce?: boolean field. |
| CustomOAuth strategy respects configurable PKCE | apps/meteor/app/custom-oauth/server/customOAuth.ts | CustomOAuthStrategy now reads pkce from provider config with true as the default instead of hardcoding true. |
| LinkedIn OAuth provider implementation | apps/meteor/app/linkedin/server/lib.ts | Adds LinkedIn provider config (auth/token/userinfo endpoints, openid email profile scope, tokenSentVia: 'header', emailField: 'email', avatarField: 'picture', pkce: false); implements configureLinkedInOAuth to (un)register provider based on settings/credentials; installs settings.watchMultiple to re-run configuration on changes. |
| Server integration and legacy email cleanup | apps/meteor/app/linkedin/server/index.ts, apps/meteor/server/importPackages.ts, apps/meteor/server/configuration/accounts_meld.js | Import LinkedIn server module at startup so provider is configured on load; remove special-case LinkedIn serviceData.emailAddress → serviceData.email normalization so generic email handling applies. |

Sequence Diagram

sequenceDiagram
  participant Startup as Meteor Startup
  participant ImportPackages as importPackages.ts
  participant LinkedInIndex as app/linkedin/server/index.ts
  participant LinkedInLib as app/linkedin/server/lib.ts
  participant SettingsWatcher as settings.watchMultiple
  participant OAuthRegistrar as addPassportCustomOAuth
  Startup->>ImportPackages: side-effect import `../app/linkedin/server`
  ImportPackages->>LinkedInIndex: load linkedin server index
  LinkedInIndex->>LinkedInLib: execute configureLinkedInOAuth
  LinkedInLib->>OAuthRegistrar: register LinkedIn provider (pkce: false)
  LinkedInLib->>SettingsWatcher: register watchMultiple for enable/credentials
  SettingsWatcher->>LinkedInLib: trigger on setting change
  LinkedInLib->>OAuthRegistrar: re-register LinkedIn provider

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • RocketChat/Rocket.Chat#40203: Both PRs touch apps/meteor/app/custom-oauth/server/customOAuth.ts and PKCE behavior in the custom OAuth strategy.

Suggested reviewers

  • KevLehman
  • tassoevan
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding LinkedIn custom OAuth support to the application. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • PRM-36: Request failed with status code 401


Comment @coderabbitai help to get the list of available commands and usage tips.
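
The per-provider PKCE switch described in the walkthrough above, as an added JavaScript sketch that is not part of this PR or of Rocket.Chat's code: PKCE (RFC 7636, S256) is applied unless a provider's config sets `pkce: false`, and a helper lists the providers that opted out so each exception is visible in review. The helper names, config fields other than `pkce`, and the `idp.example` endpoints are assumptions.

```javascript
// Added example, not Rocket.Chat code. Config field names other than `pkce`,
// all helper names, and the idp.example endpoints are assumptions.
const { createHash, randomBytes } = require('node:crypto');

// RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function s256Challenge(verifier) {
  return createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// PKCE stays on unless the provider config sets `pkce: false` explicitly.
function pkceEnabled(config) {
  return config.pkce ?? true;
}

// Build the authorization redirect plus the per-login values the server must
// keep in the session until the callback arrives.
function buildAuthorizationRequest(config, redirectUri) {
  const session = { state: randomBytes(16).toString('base64url') };
  const url = new URL(config.authorizationURL);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', config.clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', config.scope);
  url.searchParams.set('state', session.state);
  if (pkceEnabled(config)) {
    // 32 random bytes encode to a 43-character verifier (the RFC minimum).
    session.codeVerifier = randomBytes(32).toString('base64url');
    url.searchParams.set('code_challenge', s256Challenge(session.codeVerifier));
    url.searchParams.set('code_challenge_method', 'S256');
  }
  return { url, session };
}

// Review aid: names of providers that opted out of PKCE.
function providersWithoutPkce(providers) {
  return Object.entries(providers)
    .filter(([, config]) => !pkceEnabled(config))
    .map(([name]) => name);
}

// Constructed sample configs (placeholder endpoints and client ids).
const SAMPLE_PROVIDERS = {
  generic: { authorizationURL: 'https://idp.example/authorize', clientId: 'client-a', scope: 'openid email' },
  linkedin: { authorizationURL: 'https://idp.example/linkedin/authorize', clientId: 'client-b', scope: 'openid email profile', pkce: false },
};
```

With PKCE off, the `state` value is the only per-login binding the request carries, so the callback handler must still compare it against the session copy.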

@coderabbitai coderabbitai Bot added the type: feature and area: authentication labels May 18, 2026
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

2 issues found across 6 files

Reply with feedback, questions, or to request a fix.

Comment thread apps/meteor/app/linkedin/server/lib.ts
Comment thread apps/meteor/app/linkedin/server/lib.ts

codecov Bot commented May 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.76%. Comparing base (aa3602b) to head (011b07c).

Additional details and impacted files

@@                       Coverage Diff                       @@
##           feat/phishing-resistant-mfa   #40594      +/-   ##
===============================================================
+ Coverage                        69.71%   69.76%   +0.04%     
===============================================================
  Files                             3304     3297       -7     
  Lines                           121731   120967     -764     
  Branches                         21561    21549      -12     
===============================================================
- Hits                             84866    84391     -475     
+ Misses                           33602    33310     -292     
- Partials                          3263     3266       +3     
Flag Coverage Δ
unit 70.44% <ø> (+0.09%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@yash-rajpal yash-rajpal changed the title from "linkedIn custom OAuth support" to "chore: LinkedIn custom OAuth" May 18, 2026
@yash-rajpal yash-rajpal force-pushed the passport-linkedin-oauth branch from 111904b to 6f9b1b9 May 18, 2026 16:21
Member

@ricardogarim ricardogarim left a comment

note to update the Accounts_OAuth_Linkedin_callback_url default to the new Passport callback URL: oauth/linkedin/callback.

also, nit: the previous implementation used to fetch the user profile. do you think it’s worth keeping that in the new implementation too? it would be something like adding avatarField: 'picture' to the config.

@yash-rajpal yash-rajpal merged commit 6e42e87 into feat/phishing-resistant-mfa May 18, 2026
4 of 7 checks passed
@yash-rajpal yash-rajpal deleted the passport-linkedin-oauth branch May 18, 2026 18:02
@yash-rajpal yash-rajpal added the stat: QA assured label May 18, 2026
@coderabbitai coderabbitai Bot removed the type: feature and area: authentication labels May 18, 2026