|
|
|
@ -14,9 +14,14 @@ Notes
|
|
|
|
Spec Doc - http://openid.net/specs/openid-connect-basic-1_0-32.html
|
|
|
|
Spec Doc - http://openid.net/specs/openid-connect-basic-1_0-32.html
|
|
|
|
|
|
|
|
|
|
|
|
Filters
|
|
|
|
Filters
|
|
|
|
- openid-connect-generic-alter-request - 3 args: request array, plugin settings, specific request op
|
|
|
|
- openid-connect-generic-alter-request - 3 args: request array, plugin settings, specific request op
|
|
|
|
- openid-connect-generic-settings-fields - modify the fields provided on the settings page
|
|
|
|
- openid-connect-generic-settings-fields - modify the fields provided on the settings page
|
|
|
|
- openid-connect-generic-login-button-text - modify the login button text
|
|
|
|
- openid-connect-generic-login-button-text - modify the login button text
|
|
|
|
|
|
|
|
- openid-connect-generic-user-login-test - (bool) should the user be logged in based on their claim
|
|
|
|
|
|
|
|
- openid-connect-generic-user-creation-test - (bool) should the user be created based on their claim
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Actions
|
|
|
|
|
|
|
|
- openid-connect-generic-user-create - 2 args: fires when a new user is created by this plugin
|
|
|
|
|
|
|
|
|
|
|
|
User Meta
|
|
|
|
User Meta
|
|
|
|
- openid-connect-generic-user - (bool) if the user was created by this plugin
|
|
|
|
- openid-connect-generic-user - (bool) if the user was created by this plugin
|
|
|
|
@ -26,13 +31,8 @@ Notes
|
|
|
|
|
|
|
|
|
|
|
|
Options
|
|
|
|
Options
|
|
|
|
- openid_connect_generic_settings - plugin settings
|
|
|
|
- openid_connect_generic_settings - plugin settings
|
|
|
|
- openid-connect-generic-valid-states - locally stored generated states
|
|
|
|
- openid-connect-generic-valid-states - locally stored generated states
|
|
|
|
|
|
|
|
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
// - authentication is identifying the user
|
|
|
|
|
|
|
|
// - authorization is providing access & permission
|
|
|
|
|
|
|
|
// The id_token is used to identify the authenticated user, e.g. for SSO.
|
|
|
|
|
|
|
|
// The access_token must be used to prove access rights to protected resources, e.g. for the userinfo endpoint in OpenId Connect.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
define( 'OPENID_CONNECT_GENERIC_DIR', dirname( __FILE__ ) );
|
|
|
|
define( 'OPENID_CONNECT_GENERIC_DIR', dirname( __FILE__ ) );
|
|
|
|
define( 'OPENID_CONNECT_GENERIC_SETTINGS_NAME', 'openid_connect_generic_settings' );
|
|
|
|
define( 'OPENID_CONNECT_GENERIC_SETTINGS_NAME', 'openid_connect_generic_settings' );
|
|
|
|
@ -77,6 +77,8 @@ class OpenID_Connect_Generic {
|
|
|
|
5 => __('Cannot get user key'),
|
|
|
|
5 => __('Cannot get user key'),
|
|
|
|
6 => __('Cannot create authorized user'),
|
|
|
|
6 => __('Cannot create authorized user'),
|
|
|
|
7 => __('User not found'),
|
|
|
|
7 => __('User not found'),
|
|
|
|
|
|
|
|
8 => __('You do not have access to this site'),
|
|
|
|
|
|
|
|
9 => __('Cannot get authorization to join this site'),
|
|
|
|
99 => __('Unknown error')
|
|
|
|
99 => __('Unknown error')
|
|
|
|
);
|
|
|
|
);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
@ -247,14 +249,21 @@ class OpenID_Connect_Generic {
|
|
|
|
if ( $id_token_claim['sub'] !== $user_claim['sub'] ) {
|
|
|
|
if ( $id_token_claim['sub'] !== $user_claim['sub'] ) {
|
|
|
|
$this->error_redirect( 4 );
|
|
|
|
$this->error_redirect( 4 );
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// retrieve the identity from the id_token
|
|
|
|
$user_identity = $id_token_claim[ $settings['identity_key'] ];
|
|
|
|
$user_identity = $id_token_claim[ $settings['identity_key'] ];
|
|
|
|
$oauth_expiry = $token_response['expires_in'] + current_time( 'timestamp', true );
|
|
|
|
|
|
|
|
setcookie( $this->cookie_id_key, $user_identity, $oauth_expiry, COOKIEPATH, COOKIE_DOMAIN, true );
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// - end authorization
|
|
|
|
// - end authorization
|
|
|
|
// - start user handling
|
|
|
|
// - start user handling
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// allow plugins / themes to halt the login process early
|
|
|
|
|
|
|
|
// based on the user_claim
|
|
|
|
|
|
|
|
$login_user = apply_filters( 'openid-connect-generic-user-login-test', true, $user_claim );
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if ( ! $login_user ){
|
|
|
|
|
|
|
|
$this->error_redirect( 8 );
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// look for user by their openid-connect-generic-user-identity value
|
|
|
|
// look for user by their openid-connect-generic-user-identity value
|
|
|
|
$user_query = new WP_User_Query( array(
|
|
|
|
$user_query = new WP_User_Query( array(
|
|
|
|
'meta_query' => array(
|
|
|
|
'meta_query' => array(
|
|
|
|
@ -301,19 +310,30 @@ class OpenID_Connect_Generic {
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// allow other plugins / themes to determine authorization
|
|
|
|
|
|
|
|
// of new accounts based on the returned user claim
|
|
|
|
|
|
|
|
$create_user = apply_filters( 'openid-connect-generic-user-creation-test', true, $user_claim );
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if ( ! $create_user ) {
|
|
|
|
|
|
|
|
$this->error_redirect( 9 );
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// create the new user
|
|
|
|
// create the new user
|
|
|
|
$uid = wp_create_user( $username, wp_generate_password( 32, true, true ), $email );
|
|
|
|
$uid = wp_create_user( $username, wp_generate_password( 32, true, true ), $email );
|
|
|
|
|
|
|
|
|
|
|
|
// make sure we didn't fail in creating the user
|
|
|
|
// make sure we didn't fail in creating the user
|
|
|
|
if ( is_wp_error( $uid ) ) {
|
|
|
|
if ( is_wp_error( $uid ) ) {
|
|
|
|
$this->error_redirect( 6 );
|
|
|
|
$this->error_redirect( 6 );
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
$user = get_user_by( 'id', $uid );
|
|
|
|
$user = get_user_by( 'id', $uid );
|
|
|
|
|
|
|
|
|
|
|
|
// save some meta data about this new user for the future
|
|
|
|
// save some meta data about this new user for the future
|
|
|
|
add_user_meta( $user->ID, 'openid-connect-generic-user', true, true );
|
|
|
|
add_user_meta( $user->ID, 'openid-connect-generic-user', true, true );
|
|
|
|
add_user_meta( $user->ID, 'openid-connect-generic-user-identity', (string) $user_identity, true );
|
|
|
|
add_user_meta( $user->ID, 'openid-connect-generic-user-identity', (string) $user_identity, true );
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// allow plugins / themes to take action on new user creation
|
|
|
|
|
|
|
|
do_action( 'openid-connect-generic-user-create', $user, $user_claim );
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// ensure our found user is a real WP_User
|
|
|
|
// ensure our found user is a real WP_User
|
|
|
|
@ -323,8 +343,13 @@ class OpenID_Connect_Generic {
|
|
|
|
|
|
|
|
|
|
|
|
// hey, we made it!
|
|
|
|
// hey, we made it!
|
|
|
|
// let's remember the tokens for future reference
|
|
|
|
// let's remember the tokens for future reference
|
|
|
|
|
|
|
|
update_user_meta( $user->ID, 'openid-connect-generic-last-token-response', $token_response );
|
|
|
|
update_user_meta( $user->ID, 'openid-connect-generic-last-id-token-claim', $id_token_claim );
|
|
|
|
update_user_meta( $user->ID, 'openid-connect-generic-last-id-token-claim', $id_token_claim );
|
|
|
|
update_user_meta( $user->ID, 'openid-connect-generic-last-user-claim', $user_claim );
|
|
|
|
update_user_meta( $user->ID, 'openid-connect-generic-last-user-claim', $user_claim );
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// save our authorization cookie for the response expiration
|
|
|
|
|
|
|
|
$oauth_expiry = $token_response['expires_in'] + current_time( 'timestamp', true );
|
|
|
|
|
|
|
|
setcookie( $this->cookie_id_key, $user_identity, $oauth_expiry, COOKIEPATH, COOKIE_DOMAIN, true );
|
|
|
|
|
|
|
|
|
|
|
|
// get a cookie and go home!
|
|
|
|
// get a cookie and go home!
|
|
|
|
wp_set_auth_cookie( $user->ID, false );
|
|
|
|
wp_set_auth_cookie( $user->ID, false );
|
|
|
|
|
Jonathan Daggerhart
10 years ago