Update LinkedIn instructions

Update instructions because they don't work anymore. On August 1, 2023, LinkedIn discontinued OAuth2 as the IdP protocol for new configurations

Author: bernawy

articles/active-directory-b2c/identity-provider-linkedin.md

@@ -31,15 +31,15 @@ zone_pivot_groups: b2c-policy-type
 
 ## Create a LinkedIn application
 
-To enable sign-in for users with a LinkedIn account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in [LinkedIn Developers website](https://developer.linkedin.com/). For more information, see [Authorization Code Flow](/linkedin/shared/authentication/authorization-code-flow). If you don't already have a LinkedIn account, you can sign up at [https://www.linkedin.com/](https://www.linkedin.com/).
+To enable sign-in for users with a LinkedIn account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in [LinkedIn Developers website](https://developer.linkedin.com/). If you don't already have a LinkedIn account, you can sign up at [https://www.linkedin.com/](https://www.linkedin.com/).
 
 1. Sign in to the [LinkedIn Developers website](https://developer.linkedin.com/) with your LinkedIn account credentials.
 1. Select **My Apps**, and then click **Create app**.
 1. Enter **App name**, **LinkedIn Page**, **Privacy policy URL**, and **App logo**.
 1. Agree to the LinkedIn **API Terms of Use** and click **Create app**.
 1. Select the **Auth** tab. Under **Authentication Keys**, copy the values for **Client ID** and **Client Secret**. You'll need both of them to configure LinkedIn as an identity provider in your tenant. **Client Secret** is an important security credential.
 1. Select the edit pencil next to **Authorized redirect URLs for your app**, and then select **Add redirect URL**. Enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp`. If you use a [custom domain](custom-domain.md), enter `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp`. Replace `your-tenant-name` with the name of your tenant, and `your-domain-name` with your custom domain. You need to use all lowercase letters when entering your tenant name even if the tenant is defined with uppercase letters in Azure AD B2C. Select **Update**.
-1. By default, your LinkedIn app isn't approved for scopes related to sign in. To request a review, select the **Products** tab, and then select **Sign In with LinkedIn**. When the review is complete, the required scopes will be added to your application.
+1. By default, your LinkedIn app isn't approved for scopes related to sign in. To request a review, select the **Products** tab, and then select **Sign In with LinkedIn using OpenID Connect**. When the review is complete, the required scopes will be added to your application.
    > [!NOTE]
    > You can view the scopes that are currently allowed for your app on the **Auth** tab in the **OAuth 2.0 scopes** section.
 
@@ -49,11 +49,20 @@ To enable sign-in for users with a LinkedIn account in Azure Active Directory B2
 
 1. Sign in to the [Azure portal](https://portal.azure.com/) as the global administrator of your Azure AD B2C tenant.
 1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu.
+1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
 1. Choose **All services** in the top-left corner of the Azure portal, search for and select **Azure AD B2C**.
-1. Select **Identity providers**, then select **LinkedIn**.
-1. Enter a **Name**. For example, *LinkedIn*.
+1. Select **Identity providers**, then select **New OpenID Connect provider**.
+1. Enter a **Name**. For example, *LinkedIn-OIDC*.
+1. For the **Metadata URL**, enter **https://www.linkedin.com/oauth/.well-known/openid-configuration**.
 1. For the **Client ID**, enter the Client ID of the LinkedIn application that you created earlier.
 1. For the **Client secret**, enter the Client Secret that you recorded.
+1. For the **Scope**, enter **openid profile email**.
+1. For the **Response type**, enter **code**.
+1. For the **User ID**, enter **email**.
+1. For the **Display name**, enter **name**.
+1. For the **Given name**, enter **given_name**.
+1. For the **Surname**, enter **family_name**.
+1. For the **Email**, enter **email**.
 1. Select **Save**.
 
 ## Add LinkedIn identity provider to a user flow 
@@ -62,12 +71,12 @@ At this point, the LinkedIn identity provider has been set up, but it's not yet
 
 1. In your Azure AD B2C tenant, select **User flows**.
 1. Click the user flow that you want to add the LinkedIn identity provider.
-1. Under the **Social identity providers**, select **LinkedIn**.
+1. Under the **Custom identity providers**, select **LinkedIn-OIDC**.
 1. Select **Save**.
 1. To test your policy, select **Run user flow**.
 1. For **Application**, select the web application named *testapp1* that you previously registered. The **Reply URL** should show `https://jwt.ms`.
 1. Select the **Run user flow** button.
-1. From the sign-up or sign-in page, select **LinkedIn** to sign in with LinkedIn account.
+1. From the sign-up or sign-in page, select **LinkedIn-OIDC** to sign in with LinkedIn account.
 
 If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
 
@@ -81,6 +90,7 @@ You need to store the client secret that you previously recorded in your Azure A
 
 1. Sign in to the [Azure portal](https://portal.azure.com/).
 1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu.
+1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
 1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
 1. On the Overview page, select **Identity Experience Framework**.
 1. Select **Policy keys** and then select **Add**.
@@ -103,94 +113,45 @@ Define a LinkedIn account as a claims provider by adding it to the **ClaimsProvi
     ```xml
     <ClaimsProvider>
       <Domain>linkedin.com</Domain>
-      <DisplayName>LinkedIn</DisplayName>
+      <DisplayName>LinkedIn-OIDC</DisplayName>
       <TechnicalProfiles>
-        <TechnicalProfile Id="LinkedIn-OAuth2">
+          <TechnicalProfile Id="LinkedIn-OIDC">
           <DisplayName>LinkedIn</DisplayName>
-          <Protocol Name="OAuth2" />
+          <Protocol Name="OpenIdConnect" />
           <Metadata>
-            <Item Key="ProviderName">linkedin</Item>
-            <Item Key="authorization_endpoint">https://www.linkedin.com/oauth/v2/authorization</Item>
-            <Item Key="AccessTokenEndpoint">https://www.linkedin.com/oauth/v2/accessToken</Item>
-            <Item Key="ClaimsEndpoint">https://api.linkedin.com/v2/me</Item>
-            <Item Key="scope">r_emailaddress r_liteprofile</Item>
-            <Item Key="HttpBinding">POST</Item>
-            <Item Key="external_user_identity_claim_id">id</Item>
-            <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
-            <Item Key="ResolveJsonPathsInJsonTokens">true</Item>
-            <Item Key="UsePolicyInRedirectUri">false</Item>
-            <Item Key="client_id">Your LinkedIn application client ID</Item>
+              <Item Key="METADATA">https://www.linkedin.com/oauth/.well-known/openid-configuration</Item>
+              <Item Key="scope">openid profile email</Item>
+              <Item Key="HttpBinding">POST</Item>
+              <Item Key="response_types">code</Item>
+              <Item Key="UsePolicyInRedirectUri">false</Item>
+              <Item Key="client_id">Your LinkedIn application client ID</Item>
           </Metadata>
           <CryptographicKeys>
-            <Key Id="client_secret" StorageReferenceId="B2C_1A_LinkedInSecret" />
+              <Key Id="client_secret" StorageReferenceId="B2C_1A_LinkedInSecret" />
           </CryptographicKeys>
           <InputClaims />
           <OutputClaims>
-            <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id" />
-            <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="firstName.localized" />
-            <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="lastName.localized" />
-            <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="linkedin.com" AlwaysUseDefaultValue="true" />
-            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
+              <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="email" />
+              <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
+              <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
+              <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="linkedin.com" AlwaysUseDefaultValue="true" />
+              <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
           </OutputClaims>
           <OutputClaimsTransformations>
-            <OutputClaimsTransformation ReferenceId="ExtractGivenNameFromLinkedInResponse" />
-            <OutputClaimsTransformation ReferenceId="ExtractSurNameFromLinkedInResponse" />
-            <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
-            <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
-            <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
-            <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
+              <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
+              <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
+              <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
+              <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
           </OutputClaimsTransformations>
           <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
-        </TechnicalProfile>
+          </TechnicalProfile>
       </TechnicalProfiles>
     </ClaimsProvider>
     ```
 
 1. Replace the value of **client_id** with the client ID of the LinkedIn application that you previously recorded.
 1. Save the file.
 
-### Add the claims transformations
-
-The LinkedIn technical profile requires the **ExtractGivenNameFromLinkedInResponse** and **ExtractSurNameFromLinkedInResponse** claims transformations to be added to the list of ClaimsTransformations. If you don't have a **ClaimsTransformations** element defined in your file, add the parent XML elements as shown below. The claims transformations also need a new claim type defined named **nullStringClaim**.
-
-Add the **BuildingBlocks** element near the top of the *TrustFrameworkExtensions.xml* file. See *TrustFrameworkBase.xml* for an example.
-
-```xml
-<BuildingBlocks>
-  <ClaimsSchema>
-    <!-- Claim type needed for LinkedIn claims transformations -->
-    <ClaimType Id="nullStringClaim">
-      <DisplayName>nullClaim</DisplayName>
-      <DataType>string</DataType>
-      <AdminHelpText>A policy claim to store output values from ClaimsTransformations that aren't useful. This claim should not be used in TechnicalProfiles.</AdminHelpText>
-      <UserHelpText>A policy claim to store output values from ClaimsTransformations that aren't useful. This claim should not be used in TechnicalProfiles.</UserHelpText>
-    </ClaimType>
-  </ClaimsSchema>
-
-  <ClaimsTransformations>
-    <!-- Claim transformations needed for LinkedIn technical profile -->
-    <ClaimsTransformation Id="ExtractGivenNameFromLinkedInResponse" TransformationMethod="GetSingleItemFromJson">
-      <InputClaims>
-        <InputClaim ClaimTypeReferenceId="givenName" TransformationClaimType="inputJson" />
-      </InputClaims>
-      <OutputClaims>
-        <OutputClaim ClaimTypeReferenceId="nullStringClaim" TransformationClaimType="key" />
-        <OutputClaim ClaimTypeReferenceId="givenName" TransformationClaimType="value" />
-      </OutputClaims>
-    </ClaimsTransformation>
-    <ClaimsTransformation Id="ExtractSurNameFromLinkedInResponse" TransformationMethod="GetSingleItemFromJson">
-      <InputClaims>
-        <InputClaim ClaimTypeReferenceId="surname" TransformationClaimType="inputJson" />
-      </InputClaims>
-      <OutputClaims>
-        <OutputClaim ClaimTypeReferenceId="nullStringClaim" TransformationClaimType="key" />
-        <OutputClaim ClaimTypeReferenceId="surname" TransformationClaimType="value" />
-      </OutputClaims>
-    </ClaimsTransformation>
-  </ClaimsTransformations>
-</BuildingBlocks>
-```
-
 [!INCLUDE [active-directory-b2c-add-identity-provider-to-user-journey](../../includes/active-directory-b2c-add-identity-provider-to-user-journey.md)]
 
 
@@ -206,7 +167,7 @@ Add the **BuildingBlocks** element near the top of the *TrustFrameworkExtensions
 <OrchestrationStep Order="2" Type="ClaimsExchange">
   ...
   <ClaimsExchanges>
-    <ClaimsExchange Id="LinkedInExchange" TechnicalProfileReferenceId="LinkedIn-OAuth2" />
+    <ClaimsExchange Id="LinkedInExchange" TechnicalProfileReferenceId="LinkedIn-OIDC" />
   </ClaimsExchanges>
 </OrchestrationStep>
 ```
@@ -218,7 +179,7 @@ Add the **BuildingBlocks** element near the top of the *TrustFrameworkExtensions
 1. Select your relying party policy, for example `B2C_1A_signup_signin`.
 1. For **Application**, select a web application that you [previously registered](tutorial-register-applications.md). The **Reply URL** should show `https://jwt.ms`.
 1. Select the **Run now** button.
-1. From the sign-up or sign-in page, select **LinkedIn** to sign in with LinkedIn account.
+1. From the sign-up or sign-in page, select **LinkedIn-OIDC** to sign in with LinkedIn account.
 
 If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.