postiz-linkedin-patch

TL;DR: If you self-host Postiz and LinkedIn returns "Could not add provider" / a blank page during OAuth, this patch fixes it without needing the (now hard-to-get) Community Management API.

🇩🇪 Deutsche Version weiter unten

---

The problem

Postiz hardcodes a LinkedIn OAuth scope list that includes organization-level scopes even when you only want to connect a personal profile:

this.scopes = [
  'openid',
  'profile',
  'w_member_social',
  'r_basicprofile',          // deprecated
  'rw_organization_admin',   // requires Community Management API
  'w_organization_social',   // requires Community Management API
  'r_organization_social',   // requires Community Management API
];

Since 2024, LinkedIn requires the Community Management API product to grant the *_organization_* scopes — and that product cannot coexist with Sign In with LinkedIn + Share on LinkedIn in the same developer app ("This API product requires that it be the only product on the application for legal and security reasons").

Result: any first-time LinkedIn connect in a self-hosted Postiz fails silently with a blank LinkedIn page and Could not add provider in the UI.

Additionally, Postiz uses prompt=none in its OAuth URL, which causes LinkedIn to reject without showing a consent dialog whenever any scope is unauthorized.

Tracked upstream in gitroomhq/postiz-app#918.

What this patch does

Two minimal edits inside the running Postiz container:

1. Trim the scope list to only the three scopes covered by the standard Sign In with LinkedIn using OpenID Connect + Share on LinkedIn products:
   • openid
   • profile
   • w_member_social
2. Replace prompt=none with prompt=consent so first-time connects show LinkedIn's normal consent dialog.

After the patch you can connect a personal LinkedIn profile and post to it.

Trade-offs:

• Posting to a LinkedIn Page (Company Page) still doesn't work — that genuinely requires the Community Management API in a separate app, and Postiz currently only supports one set of LINKEDIN_CLIENT_ID/SECRET.
• The patch lives inside the running container only. docker compose up --force-recreate postiz or pulling a new image wipes it. Re-apply afterwards (the script is idempotent).

Prerequisites

• A Postiz self-host with LINKEDIN_CLIENT_ID and LINKEDIN_CLIENT_SECRET set (the Postiz docs cover this part)
• LinkedIn Developer App with these products active:
  • Sign In with LinkedIn using OpenID Connect
  • Share on LinkedIn
• LinkedIn App's Authorized redirect URLs include:
  • https://your-postiz-domain/integrations/social/linkedin
• Shell access to the host running the Postiz container

Apply the patch

curl -fsSL https://raw.githubusercontent.com/web-werkstatt/postiz-linkedin-patch/main/patch.sh | bash

Or, if you prefer to inspect first:

curl -fsSL -o patch.sh https://raw.githubusercontent.com/web-werkstatt/postiz-linkedin-patch/main/patch.sh
less patch.sh
bash patch.sh

By default the script targets a container named postiz. Override with:

POSTIZ_CONTAINER=my-postiz-name bash patch.sh

The script:

• Backs up each affected .js to *.bak inside the container
• Removes the four problematic scopes
• Replaces prompt=none with prompt=consent
• Restarts the container
• Verifies the patch is in place after restart

Verify it worked

In Postiz UI: hard-refresh the browser, then click LinkedIn (not "LinkedIn Page"). You should see LinkedIn's regular login/consent screen instead of a blank page.

Inspect the OAuth URL Postiz hands you off with — it must contain only:

scope=openid%20profile%20w_member_social

…and prompt=consent instead of prompt=none.

Rollback

If anything goes wrong:

docker exec postiz sh -c '
  for F in /app/apps/backend/dist/libraries/nestjs-libraries/src/integrations/social/linkedin.provider.js \
           /app/apps/orchestrator/dist/libraries/nestjs-libraries/src/integrations/social/linkedin.provider.js; do
    [ -f "$F.bak" ] && cp "$F.bak" "$F"
  done'
docker restart postiz

Tested with

• Postiz ghcr.io/gitroomhq/postiz-app:latest (pinned via tag in CHANGELOG)
• Patch verified on v2.21.7 (April 2026)

If you confirm it works (or doesn't) on another version, please open an issue.

Why not upstream?

The proper fix is upstream in Postiz: split the scope list per-channel (profile vs. page), and use prompt=consent for the first connect. Until that ships, this patch unblocks people who just want LinkedIn personal-profile posting without giving up on self-hosted Postiz.

License

MIT — see LICENSE.

---

Deutsch

Das Problem

Postiz fordert beim LinkedIn-OAuth immer alle Scopes an, auch Organization-Scopes — selbst wenn man nur ein persönliches Profil verbinden will. Seit 2024 verlangt LinkedIn dafür die Community Management API, die aber laut LinkedIn nicht zusammen mit "Sign In" + "Share on LinkedIn" in derselben Developer-App existieren darf.

Folge: Beim ersten LinkedIn-Connect bekommt jeder Postiz-Selfhoster eine weiße LinkedIn-Seite und "Could not add provider" im UI.

Was dieser Patch tut

Zwei minimale Änderungen im laufenden Postiz-Container:

1. Scope-Liste auf openid, profile, w_member_social reduzieren
2. prompt=none durch prompt=consent ersetzen

Danach funktioniert das Verbinden des persönlichen LinkedIn-Profils. Page-Posting bleibt offen — dafür bräuchte LinkedIn eine separate App + ein Postiz-Feature, das aktuell nicht existiert.

Anwendung

curl -fsSL https://raw.githubusercontent.com/web-werkstatt/postiz-linkedin-patch/main/patch.sh | bash

Achtung: Der Patch ist nur im laufenden Container. Nach docker compose up --force-recreate oder Image-Update neu anwenden.

Mitarbeit

Issues und PRs willkommen. Idealerweise zusätzlich auch im Postiz-Repo Issue #918 kommentieren, damit der eigentliche Upstream-Fix Zugkraft bekommt.