From 14d0ec44f63fc27cf45c9e43890b5255c196bf89 Mon Sep 17 00:00:00 2001
From: Jonathan Daggerhart
Date: Fri, 25 Nov 2016 14:54:14 -0500
Subject: [PATCH] Allow for the use of an alternate authentication route (redirect_uri) as opposed to the default admin-ajax method
---
 .../openid-connect-generic-client-wrapper.php | 28 +++++++++++++++++--
 .../openid-connect-generic-settings-page.php | 13 ++++++++-
 openid-connect-generic.php | 10 +++++--
 3 files changed, 46 insertions(+), 5 deletions(-)
diff --git a/includes/openid-connect-generic-client-wrapper.php b/includes/openid-connect-generic-client-wrapper.php
index a976b07..7a54afd 100644
--- a/includes/openid-connect-generic-client-wrapper.php
+++ b/includes/openid-connect-generic-client-wrapper.php
@@ -63,7 +63,14 @@ class OpenID_Connect_Generic_Client_Wrapper {
 add_action( 'wp_ajax_openid-connect-authorize', array( $client_wrapper, 'authentication_request_callback' ) );
 add_action( 'wp_ajax_nopriv_openid-connect-authorize', array( $client_wrapper, 'authentication_request_callback' ) );
 }
-
+
+ if ( $settings->alternate_redirect_uri ){
+ // provide an alternate route for authentication_request_callback
+ add_rewrite_rule( '^openid-connect-authorize/?', 'index.php?openid-connect-authorize=1', 'top' );
+ add_rewrite_tag( '%openid-connect-authorize%', '1' );
+ add_action( 'parse_request', array( $client_wrapper, 'alternate_redirect_uri_parse_request' ) );
+ }
+
 // verify token for any logged in user
 if ( is_user_logged_in() ) {
 $client_wrapper->ensure_tokens_still_fresh();
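Review bot: The pattern passed to `add_rewrite_rule()` has no end anchor, so any front-end path that merely begins with `openid-connect-authorize` is routed to the login callback, which the handler added later in this patch follows with `exit`. Anchor it: `add_rewrite_rule( '^openid-connect-authorize/?$', 'index.php?openid-connect-authorize=1', 'top' );`. Because `add_rewrite_tag()` registers the query var, `?openid-connect-authorize=1` on any front-end URL presumably reaches the callback as well, which deserves a line in the comment above the rule. The enclosing method (apparently `register()`) starts and ends outside this hunk.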
@@ -72,6 +79,24 @@ class OpenID_Connect_Generic_Client_Wrapper {
 return $client_wrapper;
 }
+ /**
+ * Implements WP action - parse_request
+ *
+ * @param $query
+ *
+ * @return mixed
+ */
+ function alternate_redirect_uri_parse_request( $query ){
+ if ( isset( $query->query_vars['openid-connect-authorize'] ) &&
+ $query->query_vars['openid-connect-authorize'] === '1' )
+ {
+ $this->authentication_request_callback();
+ exit;
+ }
+
+ return $query;
+ }
+
 /**
 * WP Hook for altering remote request timeout
 *
@@ -259,7 +284,6 @@ class OpenID_Connect_Generic_Client_Wrapper {
 * returning from the IDP.
 */
 function authentication_request_callback() {
- $settings = $this->settings;
 $client = $this->client;
 // start the authentication flow
diff --git a/includes/openid-connect-generic-settings-page.php b/includes/openid-connect-generic-settings-page.php
index 06717e5..f3aa192 100644
--- a/includes/openid-connect-generic-settings-page.php
+++ b/includes/openid-connect-generic-settings-page.php
@@ -118,6 +118,12 @@ class OpenID_Connect_Generic_Settings_Page {
 'type' => 'checkbox',
 'section' => 'authorization_settings',
 ),
+ 'alternate_redirect_uri' => array(
+ 'title' => __( 'Alternate Redirect URI' ),
+ 'description' => __( 'Provide an alternative redirect route. Useful if your server is causing issues with the default admin-ajax method. You must flush rewrite rules after changing this setting. This can be done by saving the Permalinks settings page.' ),
+ 'type' => 'checkbox',
+ 'section' => 'authorization_settings',
+ ),
 'link_existing_users' => array(
 'title' => __( 'Link Existing Users' ),
 'description' => __( 'If a WordPress account already exists with the same email address as a newly-authenticated user over OpenID Connect, login as that user instead of generating an error.' ),
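Review bot: `alternate_redirect_uri_parse_request()` runs the callback for every request whose `openid-connect-authorize` query var is `'1'`, logged in or not, and checks nothing itself; the docblock should state that all validation of the IdP response is left to `authentication_request_callback()`, whose body is not part of this patch. `parse_request` is an action that hands over the `WP` object by reference, so the returned value is not used and `@return mixed` misleads. `@param WP $query The request object passed by the parse_request action.` together with `@return WP` would describe it accurately.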
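Review bot: Ticking the new `alternate_redirect_uri` checkbox changes the redirect URI at once, but `/openid-connect-authorize` is not routed until the rewrite rules are flushed, so logins presumably fail in between; the description leaves that step to the administrator. Consider flushing automatically when the value changes, with `flush_rewrite_rules()` run on the first `init` after the change, since the rule is only registered once the setting is already on. If the manual step stays, the description could say plainly that OpenID Connect logins will not work until the flush is done.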
@@ -280,6 +286,11 @@ class OpenID_Connect_Generic_Settings_Page {
 * Output the options/settings page
 */
 public function settings_page() {
+ $redirect_uri = admin_url( 'admin-ajax.php?action=openid-connect-authorize' );
+
+ if ( $this->settings->alternate_redirect_uri ){
+ $redirect_uri = site_url( '/openid-connect-authorize' );
+ }
 ?>
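Review bot: `site_url( '/openid-connect-authorize' )` points at the WordPress install directory, while rewrite rules are matched against the path under the home URL, so on a site where the two differ (WordPress in a subdirectory) the URI built here would likely miss the new rule; `$redirect_uri = home_url( '/openid-connect-authorize' );` would be safer. The same block is repeated in `init()` in openid-connect-generic.php, and the value shown to the administrator has to be exactly the one sent to the IdP, so both places should take it from one helper. The rest of `settings_page()` lies outside the hunk.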

@@ -301,7 +312,7 @@ class OpenID_Connect_Generic_Settings_Page {

- +

diff --git a/openid-connect-generic.php b/openid-connect-generic.php
index 3b6383b..ed01f60 100644
--- a/openid-connect-generic.php
+++ b/openid-connect-generic.php
@@ -71,6 +71,12 @@ class OpenID_Connect_Generic {
 * WP Hook 'init'
 */
 function init(){
+ $redirect_uri = admin_url( 'admin-ajax.php?action=openid-connect-authorize' );
+
+ if ( $this->settings->alternate_redirect_uri ){
+ $redirect_uri = site_url( '/openid-connect-authorize' );
+ }
+
 $this->client = new OpenID_Connect_Generic_Client(
 $this->settings->client_id,
 $this->settings->client_secret,
@@ -78,8 +84,7 @@ class OpenID_Connect_Generic {
 $this->settings->endpoint_login,
 $this->settings->endpoint_userinfo,
 $this->settings->endpoint_token,
- // redirect uri
- admin_url( 'admin-ajax.php?action=openid-connect-authorize' )
+ $redirect_uri
 );
 $this->client_wrapper = OpenID_Connect_Generic_Client_Wrapper::register( $this->client, $this->settings, $this->logger );
@@ -194,6 +199,7 @@ class OpenID_Connect_Generic {
 // plugin settings
 'enforce_privacy' => 0,
+ 'alternate_redirect_uri' => 0,
 'link_existing_users' => 0,
 'redirect_user_back' => 0,
 'enable_logging' => 0,