fix: add configurable RedirectUri and remove unnecessary w_member_social scope

- Add RedirectUri field to LinkedInConfiguration for explicit OAuth redirect URL
- Update OAuth endpoints to use configured RedirectUri when set, with auto-detect fallback
- Show configured vs detected redirect_uri in debug-auth endpoint
- Remove w_member_social scope (only read access needed, write may need extra approval)
- Add RedirectUri to admin UI with helper text

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: csharpfritz

src/TagzApp.Blazor.Client/Components/Admin/LinkedIn.Config.Ui.razor

@@ -19,6 +19,11 @@
 			<dd>
 				<input name="ClientSecret" type="password" @bind="Model.ClientSecret" placeholder="LinkedIn App Client Secret" />
 			</dd>
+			<dt><label for="RedirectUri">OAuth Redirect URI (optional):</label></dt>
+			<dd>
+				<InputText name="RedirectUri" @bind-Value="Model.RedirectUri" placeholder="e.g. https://localhost:7106/api/linkedin/callback" />
+				<small class="text-muted">Leave blank to auto-detect. Set explicitly if OAuth fails.</small>
+			</dd>
 			<dt>Access Token:</dt>
 			<dd>
 				<span class="form-control-plaintext text-muted">@ObfuscateToken(Model.AccessToken)</span>
@@ -73,6 +78,7 @@
 			{
 				ClientId = providerConfiguration.GetConfigurationByKey("ClientId"),
 				ClientSecret = providerConfiguration.GetConfigurationByKey("ClientSecret"),
+				RedirectUri = providerConfiguration.GetConfigurationByKey("RedirectUri"),
 				AccessToken = providerConfiguration.GetConfigurationByKey("AccessToken"),
 				RefreshToken = providerConfiguration.GetConfigurationByKey("RefreshToken"),
 				TokenExpiresAt = providerConfiguration.GetConfigurationByKey("TokenExpiresAt"),
@@ -121,6 +127,7 @@
 
 		providerConfiguration.SetConfigurationByKey("ClientId", Model.ClientId);
 		providerConfiguration.SetConfigurationByKey("ClientSecret", Model.ClientSecret);
+		providerConfiguration.SetConfigurationByKey("RedirectUri", Model.RedirectUri);
 		providerConfiguration.SetConfigurationByKey("PollingIntervalMinutes", Model.PollingIntervalMinutes.ToString());
 		providerConfiguration.SetConfigurationByKey("DailyCallBudget", Model.DailyCallBudget.ToString());
 		providerConfiguration.SetConfigurationByKey("Enabled", Model.Enabled.ToString());
@@ -143,6 +150,8 @@
 
 		public string ClientSecret { get; set; } = string.Empty;
 
+		public string RedirectUri { get; set; } = string.Empty;
+
 		public string AccessToken { get; set; } = string.Empty;
 
 		public string RefreshToken { get; set; } = string.Empty;

src/TagzApp.Blazor/Service_LinkedInOAuth.cs

@@ -14,7 +14,7 @@ public static class Service_LinkedInOAuth
 	private const string LinkedInTokenEndpoint = "https://www.linkedin.com/oauth/v2/accessToken";
 
 	// Required scopes: r_member_social reads posts (needs Community Management API product)
-	private static readonly string[] RequiredScopes = ["r_member_social", "w_member_social"];
+	private static readonly string[] RequiredScopes = ["r_member_social"];
 
 	public static void MapLinkedInOAuthEndpoints(this WebApplication app)
 	{
@@ -39,13 +39,18 @@ public static void MapLinkedInOAuthEndpoints(this WebApplication app)
 				? request.Headers["X-Forwarded-Host"].ToString()
 				: request.Host.ToString();
 
-			var redirectUri = $"{scheme}://{host}/api/linkedin/callback";
+			var detectedRedirectUri = $"{scheme}://{host}/api/linkedin/callback";
+			var configuredRedirectUri = linkedInConfig.RedirectUri;
+			var usingConfigured = !string.IsNullOrEmpty(configuredRedirectUri);
+			var redirectUri = usingConfigured ? configuredRedirectUri : detectedRedirectUri;
 			var scope = string.Join(" ", RequiredScopes);
 
 			return Results.Json(new
 			{
 				clientId = linkedInConfig.ClientId,
 				redirectUri,
+				configuredRedirectUri,
+				usingConfigured,
 				scope,
 				detectedScheme = scheme,
 				detectedHost = host,
@@ -98,10 +103,12 @@ public static void MapLinkedInOAuthEndpoints(this WebApplication app)
 				? request.Headers["X-Forwarded-Host"].ToString()
 				: request.Host.ToString();
 
-			var redirectUri = $"{scheme}://{host}/api/linkedin/callback";
+			var redirectUri = !string.IsNullOrEmpty(linkedInConfig.RedirectUri)
+				? linkedInConfig.RedirectUri
+				: $"{scheme}://{host}/api/linkedin/callback";
 
-			logger.LogInformation("LinkedIn OAuth authorize: Scheme={Scheme}, Host={Host}, RedirectUri={RedirectUri}, ClientId={ClientIdPrefix}...",
-				scheme, host, redirectUri, linkedInConfig.ClientId[..Math.Min(4, linkedInConfig.ClientId.Length)]);
+			logger.LogInformation("LinkedIn OAuth authorize: Scheme={Scheme}, Host={Host}, RedirectUri={RedirectUri}, UsingConfigured={UsingConfigured}, ClientId={ClientIdPrefix}...",
+				scheme, host, redirectUri, !string.IsNullOrEmpty(linkedInConfig.RedirectUri), linkedInConfig.ClientId[..Math.Min(4, linkedInConfig.ClientId.Length)]);
 
 			// Generate state parameter for CSRF protection
 			var state = Guid.NewGuid().ToString("N");
@@ -192,7 +199,9 @@ public static void MapLinkedInOAuthEndpoints(this WebApplication app)
 				? request.Headers["X-Forwarded-Host"].ToString()
 				: request.Host.ToString();
 
-			var redirectUri = $"{scheme}://{host}/api/linkedin/callback";
+			var redirectUri = !string.IsNullOrEmpty(linkedInConfig.RedirectUri)
+				? linkedInConfig.RedirectUri
+				: $"{scheme}://{host}/api/linkedin/callback";
 
 			try
 			{

src/TagzApp.Providers.LinkedIn/LinkedInConfiguration.cs

@@ -16,21 +16,23 @@ public class LinkedInConfiguration : IProviderConfiguration
 
 	public string ClientId { get; set; } = string.Empty;
 	public string ClientSecret { get; set; } = string.Empty;
+	public string RedirectUri { get; set; } = string.Empty;
 	public string AccessToken { get; set; } = string.Empty;
 	public string RefreshToken { get; set; } = string.Empty;
 	public string TokenExpiresAt { get; set; } = string.Empty;
 	public int PollingIntervalMinutes { get; set; } = 5;
 	public int DailyCallBudget { get; set; } = 100;
 
 	[JsonIgnore]
-	public string[] Keys => ["ClientId", "ClientSecret", "AccessToken", "RefreshToken", "TokenExpiresAt", "PollingIntervalMinutes", "DailyCallBudget"];
+	public string[] Keys => ["ClientId", "ClientSecret", "RedirectUri", "AccessToken", "RefreshToken", "TokenExpiresAt", "PollingIntervalMinutes", "DailyCallBudget"];
 
 	public string GetConfigurationByKey(string key)
 	{
 		return key switch
 		{
 			"ClientId" => ClientId,
 			"ClientSecret" => ClientSecret,
+			"RedirectUri" => RedirectUri,
 			"AccessToken" => AccessToken,
 			"RefreshToken" => RefreshToken,
 			"TokenExpiresAt" => TokenExpiresAt,
@@ -51,6 +53,9 @@ public void SetConfigurationByKey(string key, string value)
 			case "ClientSecret":
 				ClientSecret = value;
 				break;
+			case "RedirectUri":
+				RedirectUri = value;
+				break;
 			case "AccessToken":
 				AccessToken = value;
 				break;