From 1c8a9d166c7e0ffa8e3c52080a872ec64150e412 Mon Sep 17 00:00:00 2001
From: Tim Nolte
Date: Tue, 11 Aug 2020 00:14:34 -0400
Subject: [PATCH] Adds Option to Enable/Disable Token Refresh.

* Adds a new plugin setting.
* Adds a check and doesn't create cookie for refresh token if not enabled.
* Fixes code formatting.
Fixes #144
---
 includes/openid-connect-generic-client-wrapper.php | 3 +++
 includes/openid-connect-generic-settings-page.php | 6 ++++++
 openid-connect-generic.php | 1 +
 3 files changed, 10 insertions(+)

diff --git a/includes/openid-connect-generic-client-wrapper.php b/includes/openid-connect-generic-client-wrapper.php
index b44fb66..3ce53b5 100644
--- a/includes/openid-connect-generic-client-wrapper.php
+++ b/includes/openid-connect-generic-client-wrapper.php
@@ -455,6 +455,9 @@ class OpenID_Connect_Generic_Client_Wrapper {
 * @param $token_response
 */
 function save_refresh_token( $manager, $token, $token_response ) {
+ if ( ! $this->settings->token_refresh_enable ) {
+ return;
+ }
 $session = $manager->get($token);
 $now = current_time( 'timestamp' , true );
 $session[$this->cookie_token_refresh_key] = array(
diff --git a/includes/openid-connect-generic-settings-page.php b/includes/openid-connect-generic-settings-page.php
index 36f37ca..20fd327 100644
--- a/includes/openid-connect-generic-settings-page.php
+++ b/includes/openid-connect-generic-settings-page.php
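Review bot: The early return in `save_refresh_token` stops new refresh data from being written, but a session that already holds an entry under `$this->cookie_token_refresh_key` keeps it after an administrator unchecks the option. The code that reads that entry is outside this hunk, so it is worth confirming that it also tests `$this->settings->token_refresh_enable`; otherwise refresh tokens stored earlier would presumably still be used for those sessions. The docblock above the function should also record the new behaviour, for example `* Does nothing when the token_refresh_enable setting is off.` The function body continues past the end of the hunk.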
@@ -161,6 +161,12 @@ class OpenID_Connect_Generic_Settings_Page {
 'type' => 'number',
 'section' => 'client_settings',
 ),
+ 'token_refresh_enable' => array(
+ 'title' => __( 'Enable Refresh Token' ),
+ 'description' => __( 'If checked, support refresh tokens used to obtain access tokens from supported IDPs.' ),
+ 'type' => 'checkbox',
+ 'section' => 'client_settings',
+ ),
 'link_existing_users' => array(
 'title' => __( 'Link Existing Users' ),
 'description' => __( 'If a WordPress account already exists with the same identity as a newly-authenticated user over OpenID Connect, login as that user instead of generating an error.' ),
diff --git a/openid-connect-generic.php b/openid-connect-generic.php
index f9e479a..d2ec7c3 100644
--- a/openid-connect-generic.php
+++ b/openid-connect-generic.php
@@ -277,6 +277,7 @@ class OpenID_Connect_Generic {
 // plugin settings
 'enforce_privacy' => 0,
 'alternate_redirect_uri' => 0,
+ 'token_refresh_enable' => 1,
 'link_existing_users' => 0,
 'redirect_user_back' => 0,
 'redirect_on_logout' => 1,
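Review bot: The `description` of `token_refresh_enable` says what checking the box does but not what unchecking it means for a session that is already logged in. Judging by the first hunk, disabling skips the write under `cookie_token_refresh_key`, so the WordPress session is presumably no longer renewed against the IDP; an administrator choosing this option should be told that. A second sentence such as `If unchecked, no refresh token is stored for new logins.` would cover what the visible code guarantees. The settings array begins and ends outside the hunk.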
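Review bot: The default `'token_refresh_enable' => 1` only helps sites whose stored options are merged with this array on load, and that merge is not visible in the hunk. If an upgraded site's saved options are used as-is, `$this->settings->token_refresh_enable` would be unset and the new guard in `save_refresh_token` would silently switch refresh off after the update. The reverse case needs a check too: an unchecked checkbox is normally absent from the submitted form, so the save routine has to store an explicit off value or the merged default of 1 would turn the option back on. A comment on the line, such as `// on by default to keep the pre-existing behaviour`, would record why this setting defaults to 1.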