From 65051b75a861baada8c8ce659a9e04788a38ca47 Mon Sep 17 00:00:00 2001
From: Tim Nolte
Date: Tue, 11 Aug 2020 11:23:35 -0400
Subject: [PATCH 1/5] Add Redirect & Override Attributes Support to Shortcodes.

* Adds support for setting the redirect cookie when shortcodes are used.
* Adds support for overriding some attributes for authentication URLs and login buttons when using the shortcodes.
* Fixes code formatting.

---
 .../openid-connect-generic-client-wrapper.php | 15 +++++++++++++--
 includes/openid-connect-generic-client.php | 18 +++++++++++++-----
 includes/openid-connect-generic-login-form.php | 14 +++++++++++---
 3 files changed, 37 insertions(+), 10 deletions(-)

diff --git a/includes/openid-connect-generic-client-wrapper.php b/includes/openid-connect-generic-client-wrapper.php
index b44fb66..ac9cb1e 100644
--- a/includes/openid-connect-generic-client-wrapper.php
+++ b/includes/openid-connect-generic-client-wrapper.php
@@ -97,10 +97,21 @@ class OpenID_Connect_Generic_Client_Wrapper {
/**
* Get the authentication url from the client
*
+ * @param array $atts The optional attributes array when called via a shortcode.
+ *
* @return string
*/
- function get_authentication_url(){
- return $this->client->make_authentication_url();
+ function get_authentication_url( $atts = array() ){
+
+ if ( ! empty( $atts['redirect_to'] ) ) {
+ // Set the request query parameter used to set the cookie redirect.
+ $_REQUEST['redirect_to'] = $atts['redirect_to'];
+ $login_form = new OpenID_Connect_Generic_Login_Form( $this->settings, $this );
+ $login_form->handle_redirect_cookie();
+ }
+
+ return $this->client->make_authentication_url( $atts );
+
}

/**
diff --git a/includes/openid-connect-generic-client.php b/includes/openid-connect-generic-client.php
index 9b547a0..20c8707 100644
--- a/includes/openid-connect-generic-client.php
+++ b/includes/openid-connect-generic-client.php
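Review bot: Writing the shortcode attribute into `$_REQUEST['redirect_to']` so that `handle_redirect_cookie()` picks it up turns a superglobal into a side channel: a genuine `redirect_to` query parameter on the same request is silently overwritten, and every later reader of `$_REQUEST` sees a value that originated in post content rather than in the request. Whether `handle_redirect_cookie()` validates the target is outside this hunk, but it is now the only check between a shortcode author's `redirect_to` and the post-login redirect, so that validation should be confirmed before this merges. Prefer passing the value explicitly, e.g. `$login_form->handle_redirect_cookie( $atts['redirect_to'] );` with the new parameter defaulting to the request value inside that method, and leave `$_REQUEST` untouched. The same hunk appears again as PATCH 3/5 on a different base (index 6941dcb..b662a77); the series should carry this change once.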
@@ -45,20 +45,28 @@ class OpenID_Connect_Generic_Client {
/**
* Create a single use authentication url
*
+ * @param array $atts An optional array of override/feature attributes.
+ *
* @return string
*/
- function make_authentication_url() {
+ function make_authentication_url( $atts = array() ) {
+
+ $endpoint_login = ( ! empty( $atts['endpoint_login'] ) ) ? $atts['endpoint_login'] : $this->endpoint_login;
+ $scope = ( ! empty( $atts['scope'] ) ) ? $atts['scope'] : $this->scope;
+ $client_id = ( ! empty( $atts['client_id'] ) ) ? $atts['client_id'] : $this->client_id;
+ $redirect_uri = ( ! empty( $atts['redirect_uri'] ) ) ? $atts['redirect_uri'] : $this->redirect_uri;
+
$separator = '?';
if ( stripos( $this->endpoint_login, '?' ) !== FALSE ) {
$separator = '&';
}
$url = sprintf( '%1$s%2$sresponse_type=code&scope=%3$s&client_id=%4$s&state=%5$s&redirect_uri=%6$s',
- $this->endpoint_login,
+ $endpoint_login,
$separator,
- rawurlencode( $this->scope ),
- rawurlencode( $this->client_id ),
+ rawurlencode( $scope ),
+ rawurlencode( $client_id ),
$this->new_state(),
- rawurlencode( $this->redirect_uri )
+ rawurlencode( $redirect_uri )
);
$this->logger->log( apply_filters( 'openid-connect-generic-auth-url', $url ), 'make_authentication_url' );
diff --git a/includes/openid-connect-generic-login-form.php b/includes/openid-connect-generic-login-form.php
index db9b7ca..6474549 100644
--- a/includes/openid-connect-generic-login-form.php
+++ b/includes/openid-connect-generic-login-form.php
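Review bot: The separator test still inspects `$this->endpoint_login` while the URL is assembled from the override `$endpoint_login`, so an `endpoint_login` attribute that already carries a query string yields a second `?`; it should read `if ( stripos( $endpoint_login, '?' ) !== FALSE ) {`. Beyond that, `endpoint_login`, `client_id` and `redirect_uri` are exactly the values that decide where a user is sent to authenticate and where the code is returned, and through the shortcode they now come from whoever may edit the content the shortcode sits in rather than from the admin settings (how the shortcode handler fills `$atts` is outside this hunk); a page author could point the login button at an endpoint that is not the configured IdP while still presenting the site's real `client_id`. Consider limiting overrides to `scope` and `redirect_to`, or at minimum validating the overridden URLs (scheme and host) before use, and listing the honoured keys in the `@param` line. The identical hunk is repeated as PATCH 3/5 (index 100d3a1..0c4bcac).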
@@ -128,12 +128,20 @@ class OpenID_Connect_Generic_Login_Form {
/**
* Create a login button (link)
+ *
+ * @param array $atts Array of optional attributes to override login buton
+ * functionality when used by shortcode.
*
* @return string
*/
- function make_login_button() {
- $text = apply_filters( 'openid-connect-generic-login-button-text', __( 'Login with OpenID Connect' ) );
- $href = $this->client_wrapper->get_authentication_url();
+ function make_login_button( $atts = array() ) {
+ $button_text = __( 'Login with OpenID Connect' );
+ if ( ! empty( $atts['button_text'] ) ) {
+ $button_text = $atts['button_text'];
+ }
+
+ $text = apply_filters( 'openid-connect-generic-login-button-text', $button_text );
+ $href = $this->client_wrapper->get_authentication_url( $atts );
ob_start(); ?>

From 1c8a9d166c7e0ffa8e3c52080a872ec64150e412 Mon Sep 17 00:00:00 2001
From: Tim Nolte
Date: Tue, 11 Aug 2020 00:14:34 -0400
Subject: [PATCH 2/5] Adds Option to Enable/Disable Token Refresh.

* Adds a new plugin setting.
* Adds a check and doesn't create cookie for refresh token if not enabled.
* Fixes code formatting.
Fixes #144

---
 includes/openid-connect-generic-client-wrapper.php | 3 +++
 includes/openid-connect-generic-settings-page.php | 6 ++++++
 openid-connect-generic.php | 1 +
 3 files changed, 10 insertions(+)

diff --git a/includes/openid-connect-generic-client-wrapper.php b/includes/openid-connect-generic-client-wrapper.php
index b44fb66..3ce53b5 100644
--- a/includes/openid-connect-generic-client-wrapper.php
+++ b/includes/openid-connect-generic-client-wrapper.php
@@ -455,6 +455,9 @@ class OpenID_Connect_Generic_Client_Wrapper {
* @param $token_response
*/
function save_refresh_token( $manager, $token, $token_response ) {
+ if ( ! $this->settings->token_refresh_enable ) {
+ return;
+ }
$session = $manager->get($token);
$now = current_time( 'timestamp' , true );
$session[$this->cookie_token_refresh_key] = array(
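Review bot: `$atts['button_text']` now feeds `$text` from content-supplied data instead of a translation string, and the markup that prints `$text` lies after `?>`, outside this hunk; confirm that print site escapes it (`esc_html()` for element text, `esc_attr()` inside an attribute) rather than echoing it raw. The `@param` text has a typo, `buton`, and with the PHP 5.6 floor declared elsewhere in this series the signature can be `function make_login_button( array $atts = array() ) {` so a non-array attribute value is rejected at the call site. The end of make_login_button, including the anchor markup, is not visible in this extract.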
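Review bot: With the early return, no `cookie_token_refresh_key` entry is ever written to the session when the option is off, so whatever later reads that entry to decide whether to refresh or expire the session (outside this hunk) must treat its absence as "nothing to refresh" rather than as a broken session; a comment at the return should say so, e.g. `// Refresh disabled: no refresh token is stored, so this session is never refreshed.`. Sites whose saved settings predate the option depend on the settings object merging the new default (`'token_refresh_enable' => 1` later in this patch) before this property is read; if it does not, `$this->settings->token_refresh_enable` is unset and refresh silently switches off for existing installs. The remainder of save_refresh_token continues past the hunk.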
diff --git a/includes/openid-connect-generic-settings-page.php b/includes/openid-connect-generic-settings-page.php
index 36f37ca..20fd327 100644
--- a/includes/openid-connect-generic-settings-page.php
+++ b/includes/openid-connect-generic-settings-page.php
@@ -161,6 +161,12 @@ class OpenID_Connect_Generic_Settings_Page {
'type' => 'number',
'section' => 'client_settings',
),
+ 'token_refresh_enable' => array(
+ 'title' => __( 'Enable Refresh Token' ),
+ 'description' => __( 'If checked, support refresh tokens used to obtain access tokens from supported IDPs.' ),
+ 'type' => 'checkbox',
+ 'section' => 'client_settings',
+ ),
'link_existing_users' => array(
'title' => __( 'Link Existing Users' ),
'description' => __( 'If a WordPress account already exists with the same identity as a newly-authenticated user over OpenID Connect, login as that user instead of generating an error.' ),
diff --git a/openid-connect-generic.php b/openid-connect-generic.php
index f9e479a..d2ec7c3 100644
--- a/openid-connect-generic.php
+++ b/openid-connect-generic.php
@@ -277,6 +277,7 @@ class OpenID_Connect_Generic {
// plugin settings
'enforce_privacy' => 0,
'alternate_redirect_uri' => 0,
+ 'token_refresh_enable' => 1,
'link_existing_users' => 0,
'redirect_user_back' => 0,
'redirect_on_logout' => 1,

From 107a066bd5de1d1d42bc5190be010ba4b5e40307 Mon Sep 17 00:00:00 2001
From: Tim Nolte
Date: Tue, 11 Aug 2020 11:23:35 -0400
Subject: [PATCH 3/5] Add Redirect & Override Attributes Support to Shortcodes.

* Adds support for setting the redirect cookie when shortcodes are used.
* Adds support for overriding some attributes for authentication URLs and login buttons when using the shortcodes.
* Fixes code formatting.

---
 .../openid-connect-generic-client-wrapper.php | 15 +++++++++++++--
 includes/openid-connect-generic-client.php | 18 +++++++++++++-----
 includes/openid-connect-generic-login-form.php | 14 +++++++++++---
 3 files changed, 37 insertions(+), 10 deletions(-)
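Review bot: The `description` string for `token_refresh_enable` is hard to parse and does not say what unchecking does; suggested text: `'If checked, the refresh token returned by the IDP is stored and used to obtain new access tokens. Uncheck this for IDPs that do not issue refresh tokens.'`. The default `'token_refresh_enable' => 1` in the second hunk is the one setting in that list that defaults on, which deserves a short comment on the line (it preserves current behaviour for upgraded sites).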
diff --git a/includes/openid-connect-generic-client-wrapper.php b/includes/openid-connect-generic-client-wrapper.php
index 6941dcb..b662a77 100644
--- a/includes/openid-connect-generic-client-wrapper.php
+++ b/includes/openid-connect-generic-client-wrapper.php
@@ -95,11 +95,22 @@ class OpenID_Connect_Generic_Client_Wrapper {
/**
* Get the authentication url from the client
+ *
+ * @param array $atts The optional attributes array when called via a shortcode.
*
* @return string
*/
- function get_authentication_url(){
- return $this->client->make_authentication_url();
+ function get_authentication_url( $atts = array() ){
+
+ if ( ! empty( $atts['redirect_to'] ) ) {
+ // Set the request query parameter used to set the cookie redirect.
+ $_REQUEST['redirect_to'] = $atts['redirect_to'];
+ $login_form = new OpenID_Connect_Generic_Login_Form( $this->settings, $this );
+ $login_form->handle_redirect_cookie();
+ }
+
+ return $this->client->make_authentication_url( $atts );
+
}

/**
diff --git a/includes/openid-connect-generic-client.php b/includes/openid-connect-generic-client.php
index 100d3a1..0c4bcac 100644
--- a/includes/openid-connect-generic-client.php
+++ b/includes/openid-connect-generic-client.php
@@ -45,20 +45,28 @@ class OpenID_Connect_Generic_Client {
/**
* Create a single use authentication url
*
+ * @param array $atts An optional array of override/feature attributes.
+ *
* @return string
*/
- function make_authentication_url() {
+ function make_authentication_url( $atts = array() ) {
+
+ $endpoint_login = ( ! empty( $atts['endpoint_login'] ) ) ? $atts['endpoint_login'] : $this->endpoint_login;
+ $scope = ( ! empty( $atts['scope'] ) ) ? $atts['scope'] : $this->scope;
+ $client_id = ( ! empty( $atts['client_id'] ) ) ? $atts['client_id'] : $this->client_id;
+ $redirect_uri = ( ! empty( $atts['redirect_uri'] ) ) ? $atts['redirect_uri'] : $this->redirect_uri;
+
$separator = '?';
if ( stripos( $this->endpoint_login, '?' ) !== FALSE ) {
$separator = '&';
}
$url = sprintf( '%1$s%2$sresponse_type=code&scope=%3$s&client_id=%4$s&state=%5$s&redirect_uri=%6$s',
- $this->endpoint_login,
+ $endpoint_login,
$separator,
- rawurlencode( $this->scope ),
- rawurlencode( $this->client_id ),
+ rawurlencode( $scope ),
+ rawurlencode( $client_id ),
$this->new_state(),
- rawurlencode( $this->redirect_uri )
+ rawurlencode( $redirect_uri )
);
$this->logger->log( apply_filters( 'openid-connect-generic-auth-url', $url ), 'make_authentication_url' );
diff --git a/includes/openid-connect-generic-login-form.php b/includes/openid-connect-generic-login-form.php
index 6ef9174..6474549 100644
--- a/includes/openid-connect-generic-login-form.php
+++ b/includes/openid-connect-generic-login-form.php
@@ -128,12 +128,20 @@ class OpenID_Connect_Generic_Login_Form {
/**
* Create a login button (link)
+ *
+ * @param array $atts Array of optional attributes to override login buton
+ * functionality when used by shortcode.
*
* @return string
*/
- function make_login_button() {
- $text = apply_filters( 'openid-connect-generic-login-button-text', __( 'Login with OpenID Connect' ) );
- $href = apply_filters( 'openid-connect-generic-login-button-url', $this->client_wrapper->get_authentication_url() );
+ function make_login_button( $atts = array() ) {
+ $button_text = __( 'Login with OpenID Connect' );
+ if ( ! empty( $atts['button_text'] ) ) {
+ $button_text = $atts['button_text'];
+ }
+
+ $text = apply_filters( 'openid-connect-generic-login-button-text', $button_text );
+ $href = $this->client_wrapper->get_authentication_url( $atts );
ob_start(); ?>

From 5464276cd41558e95f1bd083fe2752487fa75e9f Mon Sep 17 00:00:00 2001
From: Tim Nolte
Date: Tue, 11 Aug 2020 21:46:25 -0400
Subject: [PATCH 4/5] Prepare version 3.7.0 for release.

---
 changelog.md | 29 ++++++++++++++++++++++++++++-
 composer.json | 7 ++++++-
 openid-connect-generic.php | 36 ++++++++++++++++++++++++++----------
 readme.txt | 13 ++++++++++---
 4 files changed, 70 insertions(+), 15 deletions(-)

diff --git a/changelog.md b/changelog.md
index 4161c46..902dd80 100644
--- a/changelog.md
+++ b/changelog.md
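Review bot: The replacement `$href` line drops the `openid-connect-generic-login-button-url` filter that the removed line applied (the 3.6.0 entry in this series' changelog lists it as a developer filter), so any site hooking it silently loses its override; the new line should be `$href = apply_filters( 'openid-connect-generic-login-button-url', $this->client_wrapper->get_authentication_url( $atts ) );`. This hunk is PATCH 1/5's login-form change re-applied on the base that already has the filter, and that regression is the only difference between the two, so PATCH 1/5 should be dropped from the series rather than both being applied. The markup after `?>` that prints `$text` and `$href` is not visible in this extract.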
@@ -1,6 +1,33 @@
- # OpenId Connect Generic Changelog
+3.7.0
+
+* Feature: @timnolte - Ability to enable/disable token refresh. Useful for IDPs that don't support token refresh.
+* Feature: @timnolte - Support custom redirect URL(`redirect_to`) with the authentication URL & login button shortcodes.
+ - Supports additional attribute overrides including login `button_text`, `endpoint_login`, `scope`, `redirect_uri`.
+
+3.6.0
+
+* Improvement: @RobjS - Improved error messages during login state failure.
+* Improvement: @RobjS - New developer filter for login form button URL.
+* Fix: @cs1m0n - Only increment username during new user creation if the "Link existing user" setting is enabled.
+* Fix: @xRy-42 - Allow periods and spaces in usernames to match what WordPress core allows.
+* Feature: @benochen - New setting named "Create user if does not exist" determines whether new users are created during login attempts.
+* Improvement: @flat235 - Username transliteration and normalization.
+
+3.5.1
+
+* Fix: @daggerhart - New approach to state management using transients.
+
+3.5.0
+
+* Readme fix: @thijskh - Fix syntax error in example openid-connect-generic-login-button-text
+* Feature: @slavicd - Allow override of the plugin by posting credentials to wp-login.php
+* Feature: @gassan - New action on use login
+* Fix: @daggerhart - Avoid double question marks in auth url query string
+* Fix: @drzraf - wp-cli bootstrap must not inhibit custom rewrite rules
+* Syntax change: @mullikine - Change PHP keywords to comply with PSR2
+
**3.4.1**
* Minor documentation update and additional error checking.
diff --git a/composer.json b/composer.json
index ea542b3..132bfef 100644
--- a/composer.json
+++ b/composer.json
@@ -9,6 +9,11 @@
"name": "Jonathan Daggerhart",
"email": "jonathan@daggerhart.com",
"homepage": "https://github.com/daggerhart"
+ },
+ {
+ "name": "Tim Nolte",
+ "email": "tim.nolte@ndigitals.com",
+ "homepage": "https://github.com/timnolte"
}
],
"keywords": [
@@ -19,7 +24,7 @@
"issues": "https://github.com/daggerhart/openid-connect-generic/issues"
},
"require": {
- "php": ">=5.3.3",
+ "php": ">=5.6.0",
"composer/installers": "~1.0"
}
}
diff --git a/openid-connect-generic.php b/openid-connect-generic.php
index b7fa99f..37ada5f 100644
--- a/openid-connect-generic.php
+++ b/openid-connect-generic.php
@@ -1,13 +1,29 @@
+ * @author Tim Nolte
+ * @copyright 2015-2020 daggerhart
+ * @license http://www.gnu.org/licenses/gpl-2.0.txt GPL-2.0+
+ * @link https://github.com/daggerhart
+ *
+ * @wordpress-plugin
+ * Plugin Name: OpenID Connect Generic
+ * Plugin URI: https://github.com/daggerhart/openid-connect-generic
+ * Description: Connect to an OpenID Connect generic client using Authorization Code Flow.
+ * Version: 3.6.0
+ * Author: daggerhart
+ * Author URI: http://www.daggerhart.com
+ * License: GPL-2.0+
+ * License URI: http://www.gnu.org/licenses/gpl-2.0.txt
+ * GitHub Plugin URI: https://github.com/daggerhart/openid-connect-generic
+ */
/*
Notes
@@ -50,7 +66,7 @@ Notes
class OpenID_Connect_Generic {
// plugin version
- const VERSION = '3.6.0';
+ const VERSION = '3.7.0';
// plugin settings
private $settings;
diff --git a/readme.txt b/readme.txt
index 93da2f8..f07bef0 100644
--- a/readme.txt
+++ b/readme.txt
@@ -1,10 +1,11 @@
=== OpenID Connect Generic Client ===
-Contributors: daggerhart
+Contributors: daggerhart, tnolte
Donate link: http://www.daggerhart.com/
Tags: security, login, oauth2, openidconnect, apps, authentication, autologin, sso
-Requires at least: 4
-Tested up to: 5.2.2
+Requires at least: 4.9
+Tested up to: 5.4.2
Stable tag: trunk
+Requires PHP: 5.6
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
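Review bot: The new plugin header sets `* Version: 3.6.0` while the second hunk of the same file bumps `const VERSION = '3.7.0'`; WordPress takes the installed version from the header, so a 3.7.0 release would show up as 3.6.0 in the plugin list and disagree with the constant. Change the header line to `* Version: 3.7.0`, and consider a single source for the two values so they cannot drift again. The leading lines of the first hunk (the opening of the file and of the docblock) are not visible in this extract, so other header fields were not checked.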
@@ -50,6 +51,12 @@ On the settings page for this plugin (Dashboard > Settings > OpenID Connect Gene
== Changelog ==

+= 3.7.0 =
+
+* Feature: @timnolte - Ability to enable/disable token refresh. Useful for IDPs that don't support token refresh.
+* Feature: @timnolte - Support custom redirect URL(`redirect_to`) with the authentication URL & login button shortcodes.
+ - Supports additional attribute overrides including login `button_text`, `endpoint_login`, `scope`, `redirect_uri`.
+
= 3.6.0 =

* Improvement: @RobjS - Improved error messages during login state failure.

From bfa31bf983224bd553347b1e8306ff46c58af360 Mon Sep 17 00:00:00 2001
From: Tim Nolte
Date: Tue, 11 Aug 2020 21:50:45 -0400
Subject: [PATCH 5/5] Fix GitHub Deployment Action for `main` Branch Deployments.

---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 9c26942..6ea9048 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -8,7 +8,7 @@ jobs:
name: New tag
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@master
+ - uses: actions/checkout@main
# - name: Validate composer.json and composer.lock
# run: composer validate