daggerhart/openid-connect-generic

OpenID Connect generic WordPress plugin.

OpenID Connect Generic Client

Contributors: daggerhart, tnolte
Donate link: http://www.daggerhart.com/
Tags: security, login, oauth2, openidconnect, apps, authentication, autologin, sso
Requires at least: 5.0
Tested up to: 6.4.3
Stable tag: 3.10.0
Requires PHP: 7.4
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html, _(*1)

A simple client that provides SSO or opt-in authentication against a generic OAuth2 Server implementation., _(*2)

Description

This plugin allows to authenticate users against OpenID Connect OAuth2 API with Authorization Code Flow. Once installed, it can be configured to automatically authenticate users (SSO), or provide a "Login with OpenID Connect" button on the login form. After consent has been obtained, an existing user is automatically logged into WordPress, while new users are created in WordPress database., _(*3)

Much of the documentation can be found on the Settings > OpenID Connect Generic dashboard page., _(*4)

Please submit issues to the Github repo: https://github.com/daggerhart/openid-connect-generic, _(*5)

Installation

1. Upload to the /wp-content/plugins/ directory
2. Activate the plugin
3. Visit Settings > OpenID Connect and configure to meet your needs

Frequently Asked Questions

What is the client's Redirect URI?

Most OAuth2 servers will require whitelisting a set of redirect URIs for security purposes. The Redirect URI provided by this client is like so: https://example.com/wp-admin/admin-ajax.php?action=openid-connect-authorize, _(*6)

Replace example.com with your domain name and path to WordPress., _(*7)

Can I change the client's Redirect URI?

Some OAuth2 servers do not allow for a client redirect URI to contain a query string. The default URI provided by this module leverages WordPress's admin-ajax.php endpoint as an easy way to provide a route that does not include HTML, but this will naturally involve a query string. Fortunately, this plugin provides a setting that will make use of an alternate redirect URI that does not include a query string., _(*8)

On the settings page for this plugin (Dashboard > Settings > OpenID Connect Generic) there is a checkbox for Alternate Redirect URI. When checked, the plugin will use the Redirect URI https://example.com/openid-connect-authorize., _(*9)

Changelog

3.10.0

• Chore: @timnolte - Dependency updates.
• Fix: @drzraf - Prevents running the auth url filter twice.
• Fix: @timnolte - Updates the log cleanup handling to properly retain the configured number of log entries.
• Fix: @timnolte - Updates the log display output to reflect the log retention policy.
• Chore: @timnolte - Adds Unit Testing & New Local Development Environment.
• Feature: @timnolte - Updates logging to allow for tracking processing time.
• Feature: @menno-ll - Adds a remember me feature via a new filter.
• Improvement: @menno-ll - Updates WP Cookie Expiration to Same as Session Length.

3.9.1

• Improvement: @timnolte - Refactors Composer setup and GitHub Actions.
• Improvement: @timnolte - Bumps WordPress tested version compatibility.

3.9.0

• Feature: @matchaxnb - Added support for additional configuration constants.
• Feature: @schanzen - Added support for agregated claims.
• Fix: @rkcreation - Fixed access token not updating user metadata after login.
• Fix: @danc1248 - Fixed user creation issue on Multisite Networks.
• Feature: @RobjS - Added plugin singleton to support for more developer customization.
• Feature: @jkouris - Added action hook to allow custom handling of session expiration.
• Fix: @tommcc - Fixed admin CSS loading only on the plugin settings screen.
• Feature: @rkcreation - Added method to refresh the user claim.
• Feature: @Glowsome - Added acr_values support & verification checks that it when defined in options is honored.
• Fix: @timnolte - Fixed regression which caused improper fallback on missing claims.
• Fix: @slykar - Fixed missing query string handling in redirect URL.
• Fix: @timnolte - Fixed issue with some user linking and user creation handling.
• Improvement: @timnolte - Fixed plugin settings typos and screen formatting.
• Security: @timnolte - Updated build tooling security vulnerabilities.
• Improvement: @timnolte - Changed build tooling scripts.

3.8.5

• Fix: @timnolte - Fixed missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
• Fix: @timnolte - Fixed Redirect URL Logic to Handle Sub-directory Installs.
• Fix: @timnolte - Fixed issue with redirecting user back when the openid_connect_generic_auth_url shortcode is used.

3.8.4

• Fix: @timnolte - Fixed invalid State object access for redirection handling.
• Improvement: @timnolte - Fixed local wp-env Docker development environment.
• Improvement: @timnolte - Fixed Composer scripts for linting and static analysis.

3.8.3

• Fix: @timnolte - Fixed problems with proper redirect handling.
• Improvement: @timnolte - Changes redirect handling to use State instead of cookies.
• Improvement: @timnolte - Refactored additional code to meet coding standards.

3.8.2

• Fix: @timnolte - Fixed reported XSS vulnerability on WordPress login screen.

3.8.1

• Fix: @timnolte - Prevent SSO redirect on password protected posts.
• Fix: @timnolte - CI/CD build issues.
• Fix: @timnolte - Invalid redirect handling on logout for Auto Login setting.

3.8.0

• Feature: @timnolte - Ability to use 6 new constants for setting client configuration instead of storing in the DB.
• Improvement: @timnolte - Plugin development & contribution updates.
• Improvement: @timnolte - Refactored to meet WordPress coding standards.
• Improvement: @timnolte - Refactored to provide localization.

See the previous changelogs here, _(*10)