Merge pull request #303 from oidc-wp/release-3.8.5

Release 3.8.5

CHANGELOG.md

@@ -1,5 +1,10 @@
 # OpenId Connect Generic Changelog
 
+3.8.5
+* Fix: @timnolte - Fixes missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
+* Fix: @timnolte - Fixes Redirect URL Logic to Handle Sub-directory Installs.
+* Fix: @timnolte - Fixes to provide proper redirect user back for the openid_connect_generic_auth_url shortcode.
+
 3.8.4
 * Fix: @timnolte - Fixed invalid State object access for redirection handling.
 * Improvement: @timnolte - Fixed local wp-env Docker development environment.

README.md

@@ -3,8 +3,8 @@
 **Donate link:** http://www.daggerhart.com/  
 **Tags:** security, login, oauth2, openidconnect, apps, authentication, autologin, sso  
 **Requires at least:** 4.9  
-**Tested up to:** 5.6  
-**Stable tag:** 3.8.4  
+**Tested up to:** 5.7.1  
+**Stable tag:** 3.8.5  
 **Requires PHP:** 7.1  
 **License:** GPLv2 or later  
 **License URI:** http://www.gnu.org/licenses/gpl-2.0.html  
@@ -51,6 +51,12 @@ On the settings page for this plugin (Dashboard > Settings > OpenID Connect Gene
 
 ## Changelog ##
 
+### 3.8.5
+
+* Fix: @timnolte - Fixes missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
+* Fix: @timnolte - Fixes Redirect URL Logic to Handle Sub-directory Installs.
+* Fix: @timnolte - Fixes to provide proper redirect user back for the openid_connect_generic_auth_url shortcode.
+###
 ### 3.8.4 ###
 
 * Fix: @timnolte - Fixed invalid State object access for redirection handling.

includes/openid-connect-generic-client-wrapper.php

@@ -143,16 +143,99 @@ class OpenID_Connect_Generic_Client_Wrapper {
 	}
 
 	/**
-	 * Get the authentication url from the client.
+	 * Get the client login redirect.
 	 *
-	 * @param array<string> $atts The optional attributes array when called via a shortcode.
+	 * @return string
+	 */
+	public function get_redirect_to() {
+		global $wp;
+
+		if ( isset( $GLOBALS['pagenow'] ) && 'wp-login.php' == $GLOBALS['pagenow'] && isset( $_GET['action'] ) && 'logout' === $_GET['action'] ) {
+			return '';
+		}
+
+		// Default redirect to the homepage.
+		$redirect_url = home_url();
+
+		// If using the login form, default redirect to the admin dashboard.
+		if ( isset( $GLOBALS['pagenow'] ) && 'wp-login.php' == $GLOBALS['pagenow'] ) {
+			$redirect_url = admin_url();
+		}
+
+		// Honor Core WordPress & other plugin redirects.
+		if ( isset( $_REQUEST['redirect_to'] ) ) {
+			$redirect_url = esc_url_raw( wp_unslash( $_REQUEST['redirect_to'] ) );
+		}
+
+		// Capture the current URL if set to redirect back to origin page.
+		if ( $this->settings->redirect_user_back ) {
+			if ( ! empty( $wp->request ) ) {
+				if ( ! empty( $wp->did_permalink ) && $wp->did_permalink ) {
+					$redirect_url = home_url( trailingslashit( $wp->request ) );
+				} else {
+					$redirect_url = home_url( add_query_arg( null, null ) );
+				}
+			} else {
+				if ( ! empty( $wp->query_string ) ) {
+					$redirect_url = home_url( '?' . $wp->query_string );
+				}
+			}
+		}
+
+		// This hook is being deprecated with the move away from cookies.
+		$redirect_url = apply_filters_deprecated(
+			'openid-connect-generic-cookie-redirect-url',
+			array( $redirect_url ),
+			'3.8.2',
+			'openid-connect-generic-client-redirect-to'
+		);
+
+		// This is the new hook to use with the transients version of redirection.
+		return apply_filters( 'openid-connect-generic-client-redirect-to', $redirect_url );
+	}
+
+	/**
+	 * Create a single use authentication url
+	 *
+	 * @param array<string> $atts An optional array of override/feature attributes.
 	 *
 	 * @return string
 	 */
 	public function get_authentication_url( $atts = array() ) {
 
-		return $this->client->make_authentication_url( $atts );
+		$atts = shortcode_atts(
+			array(
+				'endpoint_login' => $this->settings->endpoint_login,
+				'scope' => $this->settings->scope,
+				'client_id' => $this->settings->client_id,
+				'redirect_uri' => $this->client->get_redirect_uri(),
+				'redirect_to' => $this->get_redirect_to(),
+			),
+			$atts,
+			'openid_connect_generic_auth_url'
+		);
+
+		// Validate the redirect to value to prevent a redirection attack.
+		if ( ! empty( $atts['redirect_to'] ) ) {
+			$atts['redirect_to'] = wp_validate_redirect( $atts['redirect_to'], home_url() );
+		}
+
+		$separator = '?';
+		if ( stripos( $this->settings->endpoint_login, '?' ) !== false ) {
+			$separator = '&';
+		}
+		$url = sprintf(
+			'%1$s%2$sresponse_type=code&scope=%3$s&client_id=%4$s&state=%5$s&redirect_uri=%6$s',
+			$atts['endpoint_login'],
+			$separator,
+			rawurlencode( $atts['scope'] ),
+			rawurlencode( $atts['client_id'] ),
+			$this->client->new_state( $atts['redirect_to'] ),
+			rawurlencode( $atts['redirect_uri'] )
+		);
 
+		$this->logger->log( apply_filters( 'openid-connect-generic-auth-url', $url ), 'make_authentication_url' );
+		return apply_filters( 'openid-connect-generic-auth-url', $url );
 	}
 
 	/**

includes/openid-connect-generic-client.php

@@ -124,47 +124,21 @@ class OpenID_Connect_Generic_Client {
 	}
 
 	/**
-	 * Create a single use authentication url
-	 *
-	 * @param array $atts An optional array of override/feature attributes.
+	 * Provides the configured Redirect URI supplied to the IDP.
 	 *
 	 * @return string
 	 */
-	public function make_authentication_url( $atts = array() ) {
-
-		$atts = shortcode_atts(
-			array(
-				'endpoint_login' => $this->endpoint_login,
-				'scope' => $this->scope,
-				'client_id' => $this->client_id,
-				'redirect_uri' => $this->redirect_uri,
-				'redirect_to' => home_url(), // Default redirect to the homepage.
-			),
-			$atts,
-			'openid_connect_generic_auth_url'
-		);
-
-		// Validate the redirect to value to prevent a redirection attack.
-		if ( ! empty( $atts['redirect_to'] ) ) {
-			$atts['redirect_to'] = wp_validate_redirect( $atts['redirect_to'], home_url() );
-		}
-
-		$separator = '?';
-		if ( stripos( $this->endpoint_login, '?' ) !== false ) {
-			$separator = '&';
-		}
-		$url = sprintf(
-			'%1$s%2$sresponse_type=code&scope=%3$s&client_id=%4$s&state=%5$s&redirect_uri=%6$s',
-			$atts['endpoint_login'],
-			$separator,
-			rawurlencode( $atts['scope'] ),
-			rawurlencode( $atts['client_id'] ),
-			$this->new_state( $atts['redirect_to'] ),
-			rawurlencode( $atts['redirect_uri'] )
-		);
+	public function get_redirect_uri() {
+		return $this->redirect_uri;
+	}
 
-		$this->logger->log( apply_filters( 'openid-connect-generic-auth-url', $url ), 'make_authentication_url' );
-		return apply_filters( 'openid-connect-generic-auth-url', $url );
+	/**
+	 * Provide the configured IDP endpoint login URL.
+	 *
+	 * @return string
+	 */
+	public function get_endpoint_login_url() {
+		return $this->endpoint_login;
 	}
 
 	/**

includes/openid-connect-generic-login-form.php

@@ -78,11 +78,7 @@ class OpenID_Connect_Generic_Login_Form {
 			// phpcs:ignore WordPress.Security.NonceVerification.Missing -- WP Login Form doesn't have a nonce.
 			&& ! isset( $_POST['wp-submit'] ) ) {
 			if ( ! isset( $_GET['login-error'] ) ) {
-				$redirect_to = $this->get_redirect_to();
-				if ( empty( $redirect_to ) ) {
-					return;
-				}
-				wp_redirect( $this->client_wrapper->get_authentication_url( array( 'redirect_to' => $redirect_to ) ) );
+				wp_redirect( $this->client_wrapper->get_authentication_url() );
 				exit;
 			} else {
 				add_action( 'login_footer', array( $this, 'remove_login_form' ), 99 );
@@ -91,48 +87,6 @@ class OpenID_Connect_Generic_Login_Form {
 
 	}
 
-	/**
-	 * Get the client login redirect.
-	 *
-	 * @return string
-	 */
-	public function get_redirect_to() {
-		global $wp;
-
-		if ( isset( $GLOBALS['pagenow'] ) && 'wp-login.php' == $GLOBALS['pagenow'] && isset( $_GET['action'] ) && 'logout' === $_GET['action'] ) {
-			return '';
-		}
-
-		// Default redirect to the homepage.
-		$redirect_url = home_url();
-
-		// If using the login form, default redirect to the admin dashboard.
-		if ( isset( $GLOBALS['pagenow'] ) && 'wp-login.php' == $GLOBALS['pagenow'] ) {
-			$redirect_url = admin_url();
-		}
-
-		// Honor Core WordPress & other plugin redirects.
-		if ( isset( $_REQUEST['redirect_to'] ) ) {
-			$redirect_url = esc_url_raw( wp_unslash( $_REQUEST['redirect_to'] ) );
-		}
-
-		// Record the URL of the redirect_to if set to redirect back to origin page.
-		if ( $this->settings->redirect_user_back ) {
-			$redirect_url = home_url( add_query_arg( $wp->request ) );
-		}
-
-		// This hook is being deprecated with the move away from cookies.
-		$redirect_url = apply_filters_deprecated(
-			'openid-connect-generic-cookie-redirect-url',
-			array( $redirect_url ),
-			'3.8.2',
-			'openid-connect-generic-client-redirect-to'
-		);
-
-		// This is the new hook to use with the transients version of redirection.
-		return apply_filters( 'openid-connect-generic-client-redirect-to', $redirect_url );
-	}
-
 	/**
 	 * Implements filter login_message.
 	 *
@@ -186,7 +140,6 @@ class OpenID_Connect_Generic_Login_Form {
 		$atts = shortcode_atts(
 			array(
 				'button_text' => __( 'Login with OpenID Connect', 'daggerhart-openid-connect-generic' ),
-				'redirect_to' => $this->get_redirect_to(),
 			),
 			$atts,
 			'openid_connect_generic_login_button'

languages/openid-connect-generic.pot

@@ -2,10 +2,10 @@
 # This file is distributed under the GPL-2.0+.
 msgid ""
 msgstr ""
-"Project-Id-Version: OpenID Connect Generic 3.8.4\n"
+"Project-Id-Version: OpenID Connect Generic 3.8.5\n"
 "Report-Msgid-Bugs-To: "
 "https://github.com/daggerhart/openid-connect-generic/issues\n"
-"POT-Creation-Date: 2021-04-10 20:38:53+00:00\n"
+"POT-Creation-Date: 2021-04-16 03:38:39+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
@@ -25,131 +25,131 @@ msgstr ""
 "X-Textdomain-Support: yes\n"
 "X-Generator: grunt-wp-i18n 1.0.3\n"
 
-#: includes/openid-connect-generic-client-wrapper.php:194
+#: includes/openid-connect-generic-client-wrapper.php:277
 msgid "Session expired. Please login again."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:437
+#: includes/openid-connect-generic-client-wrapper.php:520
 msgid "User identity is not linked to an existing WordPress user."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:493
+#: includes/openid-connect-generic-client-wrapper.php:576
 msgid "Invalid user."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:612
+#: includes/openid-connect-generic-client-wrapper.php:695
 msgid "No appropriate username found."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:620
+#: includes/openid-connect-generic-client-wrapper.php:703
 #. translators: $1$s is a username from the IDP.
 msgid "Username %1$s could not be transliterated."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:625
+#: includes/openid-connect-generic-client-wrapper.php:708
 #. translators: %1$s is the ASCII version of the username from the IDP.
 msgid "Username %1$s could not be normalized."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:659
+#: includes/openid-connect-generic-client-wrapper.php:742
 #. translators: %1$s is the configured User Claim nickname key.
 msgid "No nickname found in user claim using key: %1$s."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:686
+#: includes/openid-connect-generic-client-wrapper.php:769
 msgid "User claim incomplete."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:788
+#: includes/openid-connect-generic-client-wrapper.php:871
 msgid "Bad user claim result."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:843
+#: includes/openid-connect-generic-client-wrapper.php:926
 msgid "Can not authorize."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:862
+#: includes/openid-connect-generic-client-wrapper.php:945
 msgid "Failed user creation."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:191
+#: includes/openid-connect-generic-client.php:165
 msgid "Missing state."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:195
+#: includes/openid-connect-generic-client.php:169
 msgid "Invalid state."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:210
+#: includes/openid-connect-generic-client.php:184
 msgid "Missing authentication code."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:249
+#: includes/openid-connect-generic-client.php:223
 msgid "Request for authentication token failed."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:280
+#: includes/openid-connect-generic-client.php:254
 msgid "Refresh token failed."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:295
+#: includes/openid-connect-generic-client.php:269
 msgid "Missing token body."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:303
+#: includes/openid-connect-generic-client.php:277
 msgid "Invalid token."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:354
+#: includes/openid-connect-generic-client.php:328
 msgid "Request for userinfo failed."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:414
+#: includes/openid-connect-generic-client.php:388
 msgid "Missing authentication state."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:451
+#: includes/openid-connect-generic-client.php:425
 msgid "No identity token."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:458
+#: includes/openid-connect-generic-client.php:432
 msgid "Missing identity token."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:485
+#: includes/openid-connect-generic-client.php:459
 msgid "Bad ID token claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:490
+#: includes/openid-connect-generic-client.php:464
 msgid "No subject identity."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:509
+#: includes/openid-connect-generic-client.php:483
 msgid "Bad user claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:529
+#: includes/openid-connect-generic-client.php:503
 msgid "Invalid user claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:534
+#: includes/openid-connect-generic-client.php:508
 msgid "Error from the IDP."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:543
+#: includes/openid-connect-generic-client.php:517
 msgid "Incorrect user claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:550
+#: includes/openid-connect-generic-client.php:524
 msgid "Unauthorized access."
 msgstr ""
 
-#: includes/openid-connect-generic-login-form.php:169
+#: includes/openid-connect-generic-login-form.php:123
 #. translators: %1$s is the error code from the IDP.
 msgid "ERROR (%1$s)"
 msgstr ""
 
-#: includes/openid-connect-generic-login-form.php:188
+#: includes/openid-connect-generic-login-form.php:142
 msgid "Login with OpenID Connect"
 msgstr ""
 

openid-connect-generic.php

@@ -16,7 +16,7 @@
  * Plugin Name:       OpenID Connect Generic
  * Plugin URI:        https://github.com/daggerhart/openid-connect-generic
  * Description:       Connect to an OpenID Connect generic client using Authorization Code Flow.
- * Version:           3.8.4
+ * Version:           3.8.5
  * Author:            daggerhart
  * Author URI:        http://www.daggerhart.com
  * Text Domain:       daggerhart-openid-connect-generic
@@ -80,7 +80,7 @@ class OpenID_Connect_Generic {
 	 *
 	 * @var
 	 */
-	const VERSION = '3.8.4';
+	const VERSION = '3.8.5';
 
 	/**
 	 * Plugin settings.

package-lock.json

@@ -1,6 +1,6 @@
 {
 	"name": "openid-connect-generic",
-	"version": "3.8.4",
+	"version": "3.8.5",
 	"lockfileVersion": 1,
 	"requires": true,
 	"dependencies": {

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "openid-connect-generic",
-	"version": "3.8.4",
+	"version": "3.8.5",
 	"description": "OpenID Connect generic WordPress plugin.",
 	"main": "Gruntfile.js",
 	"repository": {

readme.txt

@@ -3,8 +3,8 @@ Contributors: daggerhart, tnolte
 Donate link: http://www.daggerhart.com/
 Tags: security, login, oauth2, openidconnect, apps, authentication, autologin, sso
 Requires at least: 4.9
-Tested up to: 5.6
-Stable tag: 3.8.4
+Tested up to: 5.7.1
+Stable tag: 3.8.5
 Requires PHP: 7.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -51,6 +51,12 @@ On the settings page for this plugin (Dashboard > Settings > OpenID Connect Gene
 
 == Changelog ==
 
+= 3.8.5
+
+* Fix: @timnolte - Fixes missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
+* Fix: @timnolte - Fixes Redirect URL Logic to Handle Sub-directory Installs.
+* Fix: @timnolte - Fixes to provide proper redirect user back for the openid_connect_generic_auth_url shortcode.
+
 = 3.8.4 =
 
 * Fix: @timnolte - Fixed invalid State object access for redirection handling.