# OpenId Connect Generic Changelog
Squashed commit of the following:

commit 39690e125092ff1392326a7738a6a815a41f0880
Author: Tim Nolte <tim.nolte@ndigitals.com>
Date: Sat Apr 10 16:41:14 2021 -0400

Preparation for New Maintenance Release

- Updates Version to 3.8.4.
- Updates Changelogs.

commit 1e1b84cfcc3338b0f37ec4fd995f77c0e061ec43
Author: Tim Nolte <tnolte@forumone.com>
Date: Sat Apr 10 12:00:40 2021 -0400

Local Dev/Composer Scripts/Transient Redirection Fixes (#295)

- Fixes local Docker wp-env environment setup w/ cleanup.
- Fixes Composer scripts for linting and static analysis.
- Fixes invalid State transient object handling for redirection.

commit 40e60474abc52f60c4e5a76080703f99d733ceea
Author: Tim Nolte <tnolte@forumone.com>
Date: Thu Apr 8 22:10:53 2021 -0400

Preparation for Maintenance Release (#291)

commit 8a963301abed0be8791e1c9a11432b0088d76fc0
Author: Tim Nolte <tnolte@forumone.com>
Date: Thu Apr 8 08:06:33 2021 -0400

Fixes Broken Redirect URL Handling & Moves Away from Cookies (#289)

* Initial Changes to Move Away from Cookies for Redirects

* Add Redirection via State Transient Support

- Adds adding the login redirection to the state transient.
- Deprecates the use of cookies to handle login redirection.
- Fixes Login button shortcode authentication URL encoding.
- Fixes some broken wp-env local Docker environment issues.
- Fixes make_authentication_url attributes usage.
- Removes error_log calls used for debugging.

* Fixes Missed WordPress Coding Standards Issues

- Updates PHP_CodeSniffer configuration to properly support all checks.

* Fixes Login Button Output for Proper Escaping

commit c839083cf1ef4db34f5c30e8758179de73fc53db
Merge: 76c824a 14dbc06
Author: Tim Nolte <tnolte@forumone.com>
Date: Wed Mar 24 10:10:09 2021 -0400

Merges branch 'main' into dev

commit 76c824ab32db6fc30c06b3ff3d7a250564ad4369
Author: Tim Nolte <tnolte@forumone.com>
Date: Wed Mar 24 09:42:51 2021 -0400

Fixes Login Page XSS Issue (#283)

- Adds escaping to the error output message.
- Adds escaping to the login button output.

commit 2c7c21d3bbbeb7049867482a8453bf7a81ee4a4c
Author: Tim Nolte <tnolte@forumone.com>
Date: Mon Mar 22 12:53:01 2021 -0400

Feature/travis ci to GitHub actions (#282)

* Updates Composer/NPM Dependencies & Adds New GitHub Actions

* Moves All CI/CI Functionality to GitHub Actions

- Updates Composer & NPM dependencies to newer versions.
- Updates default development environment WordPress version to 5.6.x.
- Fixes missing updated to the language POT file.
- Moves to using a GitHub Release for WordPress.org deployment.
- Removes TravisCI configuration.
**3.8.4**
* Fix: @timnolte - Fixed invalid State object access for redirection handling.
* Improvement: @timnolte - Fixed local wp-env Docker development environment.
* Improvement: @timnolte - Fixed Composer scripts for linting and static analysis.
**3.8.3**
* Fix: @timnolte - Fixed problems with proper redirect handling.
* Improvement: @timnolte - Changes redirect handling to use State instead of cookies.
* Improvement: @timnolte - Refactored additional code to meet coding standards.
**3.8.2**
* Fix: @timnolte - Fixed reported XSS vulnerability on WordPress login screen.
**3.8.1**
* Fix: @timnolte - Prevent SSO redirect on password protected posts.
* Fix: @timnolte - CI/CD build issues.
* Fix: @timnolte - Invalid redirect handling on logout for Auto Login setting.
**3.8.0**
* Feature: @timnolte - Ability to use 6 new constants for setting client configuration instead of storing in the DB.
* Improvement: @timnolte - NPM version requirements for development.
* Improvement: @timnolte - Travis CI build fixes.
* Improvement: @timnolte - GrumPHP configuration updates for code contributions.
* Improvement: @timnolte - Refactored to meet WordPress coding standards.
* Improvement: @timnolte - Refactored to provide localization.
* Improvement: @timnolte - Refactored to provide a Docker-based local development environment.
**3.7.1**
* Fix: Release Version Number.
**3.7.0**
* Feature: @timnolte - Ability to enable/disable token refresh. Useful for IDPs that don't support token refresh.
* Feature: @timnolte - Support custom redirect URL (`redirect_to`) with the authentication URL & login button shortcodes.
  - Supports additional attribute overrides including login `button_text`, `endpoint_login`, `scope`, `redirect_uri`.
**3.6.0**
* Improvement: @RobjS - Improved error messages during login state failure.
* Improvement: @RobjS - New developer filter for login form button URL.
* Fix: @cs1m0n - Only increment username during new user creation if the "Link existing user" setting is enabled.
* Fix: @xRy-42 - Allow periods and spaces in usernames to match what WordPress core allows.
* Feature: @benochen - New setting named "Create user if does not exist" determines whether new users are created during login attempts.
* Improvement: @flat235 - Username transliteration and normalization.
**3.5.1**
* Fix: @daggerhart - New approach to state management using transients.
**3.5.0**
* Readme fix: @thijskh - Fix syntax error in example openid-connect-generic-login-button-text
* Feature: @slavicd - Allow override of the plugin by posting credentials to wp-login.php
* Feature: @gassan - New action on use login
* Fix: @daggerhart - Avoid double question marks in auth url query string
* Fix: @drzraf - wp-cli bootstrap must not inhibit custom rewrite rules
* Syntax change: @mullikine - Change PHP keywords to comply with PSR2
**3.4.1**
* Minor documentation update and additional error checking.
**3.4.0**
* Feature: @drzraf - New filter hook: ability to filter claim and derived user data before user creation.
* Feature: @anttileppa - State time limit can now be changed on the settings page.
* Fix: @drzraf - Fix PHP notice when using traditional login, $token_response may be empty.
* Fix: @drzraf - Fixed a notice when cookie does not contain expected redirect_url
**3.3.1**
* Prefixing classes for more efficient autoloading.
* Avoid altering global wp_remote_post() parameters.
* Minor metadata updates for wp.org
**3.3.0**
* Fix: @pjeby - Handle multiple user sessions better by using the `WP_Session_Tokens` object. Predecessor to fixes for multiple other issues: #49, #50, #51
**3.2.1**
* Bug fix: @svenvanhal - Exit after issuing redirect. Fixes #46
**3.2.0**
* Feature: @robbiepaul - trigger core action `wp_login` when user is logged in through this plugin
* Feature: @moriyoshi - Determine the WP_User display name with replacement tokens on the settings page. Tokens can be any property of the user_claim.
* Feature: New setting to set redirect URL when session expires.
* Feature: @robbiepaul - New filter for modifying authentication URL
* Fix: @cedrox - Adding id_token_hint to logout URL according to spec
* Bug fix: Provide port to the request header when requesting the user_claim
**3.1.0**
* Feature: @rwasef1830 - Refresh tokens
* Feature: @rwasef1830 - Integrated logout support with end_session endpoint
* Feature: May use an alternate redirect_uri that doesn't rely on admin-ajax
* Feature: @ahatherly - Support for IDP behind reverse proxy
* Bug fix: @robertstaddon - case insensitive check for Bearer token
* Bug fix: @rwasef1830 - "redirect to origin when auto-sso" cookie issue
* Bug fix: @rwasef1830 - PHP Warnings headers already sent due to attempts to redirect and set cookies during login form message
* Bug fix: @rwasef1830 - expire session when access_token expires if no refresh token found
* UX fix: @rwasef1830 - Show login button on error redirect when using auto-sso
**3.0.8**
* Feature: @wgengarelly - Added `openid-connect-generic-update-user-using-current-claim` action hook allowing other plugins/themes to take action using the fresh claims received when an existing user logs in.
**3.0.7**
* Bug fix: @wgengarelly - When requesting userinfo, send the access token using the Authorization header field as recommended in section 5.3.1 of the specs.
**3.0.6**
* Bug fix: @robertstaddon - If "Link Existing Users" is enabled, allow users who log in with OpenID Connect to also log in with WordPress credentials
**3.0.5**
* Feature: @robertstaddon - Added `[openid_connect_generic_login_button]` shortcode to allow the login button to be placed anywhere
* Feature: @robertstaddon - Added setting to "Redirect Back to Origin Page" after a successful login instead of redirecting to the home page.
**3.0.4**
* Feature: @robertstaddon - Added setting to allow linking existing WordPress user accounts with newly-authenticated OpenID Connect login
**3.0.3**
* Using WordPress's is_ssl() for setcookie()'s "secure" parameter
* Bug fix: Incrementing username in case of collision.
* Bug fix: Wrong error sent when missing token body
**3.0.2**
* Added http_request_timeout setting
**3.0.1**
* Finalizing 3.0.x api
**3.0**
* Complete rewrite to separate concerns
* Changed settings keys for clarity (requires updating settings if upgrading from another version)
* Error logging
**2.1**
* Working my way closer to spec. Possible breaking change. Now checking for preferred_username as priority.
* New username determination to avoid collisions
**2.0**
* Complete rewrite