feat(provider): add LINE Login provider #2578
Open
sukekyo000 wants to merge 1 commit into
Add LINE Login as an external OAuth provider. The user's profile (name, picture) and email are returned as claims in the OIDC ID token, so the provider reads them directly from the ID token instead of calling a separate userinfo endpoint.
Although LINE exposes an OIDC discovery document, it does not sign the ID token with the ES256/JWKS keys it advertises; it signs with HS256 using the channel secret. The ID token is therefore verified with the channel secret (HS256), validating the issuer (https://access.line.me), audience (channel ID) and expiry.
Web (authorization-code) flow only; native id_token sign-in is out of scope.
What kind of change does this PR introduce?
Feature — adds a new external authentication provider (`line`).
What is the current behavior?
There is no built-in LINE Login provider. Users who want "Sign in with LINE" have to build a custom workaround outside of Auth.
Related requests / tracking:
LINE is a primary login method in Japan (~95M MAU), Taiwan (~21M) and Thailand (~51M), so this fills a real gap for those markets.
What is the new behavior?
- `line` external provider using LINE Login v2.1 (web authorization-code flow).
- `id_token` from the token response.
- `id_token` with HS256 using the channel secret (requiring an HMAC signing method), and validates the issuer (https://access.line.me), audience (channel ID) and expiry.
- `sub`, `name`, `picture`, and `email` claims into the user's identity/metadata — no separate userinfo request.
- `email` claim is only present once the user grants the email permission (LINE returns only verified emails); its absence is handled gracefully.
- `GOTRUE_EXTERNAL_LINE_*` settings (client id = channel ID, secret = channel secret).
Additional context
- `id_token` sign-in is out of scope for this PR.
- `external_line_test.go`; `make test` passes.
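The verification described above (HS256 with the channel secret, then issuer, audience and expiry), written as an added example that is not the PR's code and uses only the Go standard library. `VerifyIDToken`, `mac`, `Claims` and the sample channel ID and secret are hypothetical, and `aud` is assumed to be a single string; the header's `alg` is pinned to HS256 before the signature check, so a token naming `none` or an asymmetric algorithm is rejected.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type Claims struct { // ID-token fields named in the PR text
	Iss, Aud, Sub, Name, Picture, Email string // JSON keys match case-insensitively
	Exp                                 int64
}

// mac returns the base64url HMAC-SHA256 of msg keyed with the channel secret.
func mac(secret, msg string) string {
	m := hmac.New(sha256.New, []byte(secret))
	m.Write([]byte(msg))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// VerifyIDToken (hypothetical name) pins HS256, then checks iss, aud and exp.
func VerifyIDToken(tok, channelID, secret string, now int64) (*Claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string }
	hb, err := base64.RawURLEncoding.DecodeString(p[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg) // e.g. none, ES256, RS256
	}
	if !hmac.Equal([]byte(p[2]), []byte(mac(secret, p[0]+"."+p[1]))) { // constant time
		return nil, fmt.Errorf("bad signature")
	}
	var c Claims
	pb, err := base64.RawURLEncoding.DecodeString(p[1])
	if err != nil || json.Unmarshal(pb, &c) != nil || c.Iss != "https://access.line.me" || c.Aud != channelID || c.Exp <= now {
		return nil, fmt.Errorf("payload, iss, aud or exp check failed")
	}
	return &c, nil
}

func main() {
	e := base64.RawURLEncoding.EncodeToString // builds a constructed sample token
	msg := e([]byte(`{"alg":"HS256"}`)) + "." + e([]byte(`{"iss":"https://access.line.me","aud":"1234567890","sub":"U1","exp":2000000000}`))
	fmt.Println(VerifyIDToken(msg+"."+mac("demo-secret", msg), "1234567890", "demo-secret", 1900000000))
}
```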