diff --git a/includes/openid-connect-generic-client-wrapper.php b/includes/openid-connect-generic-client-wrapper.php
index 0bf5278..3823a3d 100644
--- a/includes/openid-connect-generic-client-wrapper.php
+++ b/includes/openid-connect-generic-client-wrapper.php
@@ -1,12 +1,12 @@
<?php
class OpenID_Connect_Generic_Client_Wrapper {
-
+
private $client;
-
+
// settings object
private $settings;
-
+
// logger object
private $logger;
@@ -19,10 +19,9 @@ class OpenID_Connect_Generic_Client_Wrapper {
// WP_Error if there was a problem, or false if no error
private $error = false;
-
/**
* Inject necessary objects and services into the client
- *
+ *
* @param \OpenID_Connect_Generic_Client $client
* @param \OpenID_Connect_Generic_Option_Settings $settings
* @param \OpenID_Connect_Generic_Option_Logger $logger
@@ -44,7 +43,7 @@ class OpenID_Connect_Generic_Client_Wrapper {
*/
static public function register( OpenID_Connect_Generic_Client $client, OpenID_Connect_Generic_Option_Settings $settings, OpenID_Connect_Generic_Option_Logger $logger ){
$client_wrapper = new self( $client, $settings, $logger );
-
+
// integrated logout
if ( $settings->endpoint_end_session ) {
add_filter( 'allowed_redirect_hosts', array( $client_wrapper, 'update_allowed_redirect_hosts' ), 99, 1 );
@@ -72,13 +71,13 @@ class OpenID_Connect_Generic_Client_Wrapper {
if ( is_user_logged_in() ) {
add_action( 'wp_loaded', array($client_wrapper, 'ensure_tokens_still_fresh'));
}
-
+
return $client_wrapper;
}
/**
* Implements WP action - parse_request
- *
+ *
* @param $query
*
* @return mixed
@@ -96,7 +95,7 @@ class OpenID_Connect_Generic_Client_Wrapper {
/**
* Get the authentication url from the client
- *
+ *
* @return string
*/
function get_authentication_url(){
@@ -144,7 +143,7 @@ class OpenID_Connect_Generic_Client_Wrapper {
}
$token_result = $this->client->request_new_tokens( $refresh_token );
-
+
if ( is_wp_error( $token_result ) ) {
wp_logout();
$this->error_redirect( $token_result );
@@ -168,10 +167,10 @@ class OpenID_Connect_Generic_Client_Wrapper {
*/
function error_redirect( $error ) {
$this->logger->log( $error );
-
+
// redirect user back to login page
- wp_redirect(
- wp_login_url() .
+ wp_redirect(
+ wp_login_url() .
'?login-error=' . $error->get_error_code() .
'&message=' . urlencode( $error->get_error_message() )
);
@@ -186,7 +185,7 @@ class OpenID_Connect_Generic_Client_Wrapper {
function get_error(){
return $this->error;
}
-
+
/**
* Add the end_session endpoint to WP core's whitelist of redirect hosts
*
@@ -266,31 +265,31 @@ class OpenID_Connect_Generic_Client_Wrapper {
return $request;
}
-
+
/**
* Control the authentication and subsequent authorization of the user when
* returning from the IDP.
*/
function authentication_request_callback() {
$client = $this->client;
-
+
// start the authentication flow
$authentication_request = $client->validate_authentication_request( $_GET );
-
+
if ( is_wp_error( $authentication_request ) ){
$this->error_redirect( $authentication_request );
}
-
+
// retrieve the authentication code from the authentication request
$code = $client->get_authentication_code( $authentication_request );
-
+
if ( is_wp_error( $code ) ){
$this->error_redirect( $code );
}
// attempting to exchange an authorization code for an authentication token
$token_result = $client->request_authentication_token( $code );
-
+
if ( is_wp_error( $token_result ) ) {
$this->error_redirect( $token_result );
}
@@ -307,7 +306,7 @@ class OpenID_Connect_Generic_Client_Wrapper {
// ensure the that response contains required information
$valid = $client->validate_token_response( $token_response );
-
+
if ( is_wp_error( $valid ) ) {
$this->error_redirect( $valid );
}
@@ -328,28 +327,28 @@ class OpenID_Connect_Generic_Client_Wrapper {
if ( is_wp_error( $id_token_claim ) ){
$this->error_redirect( $id_token_claim );
}
-
+
// validate our id_token has required values
$valid = $client->validate_id_token_claim( $id_token_claim );
-
+
if ( is_wp_error( $valid ) ){
$this->error_redirect( $valid );
}
-
+
// if userinfo endpoint is set, exchange the token_response for a user_claim
if ( !empty( $this->settings->endpoint_userinfo ) && isset( $token_response['access_token'] )) {
$user_claim = $client->get_user_claim( $token_response );
} else {
$user_claim = $id_token_claim;
}
-
+
if ( is_wp_error( $user_claim ) ){
$this->error_redirect( $user_claim );
}
-
+
// validate our user_claim has required values
$valid = $client->validate_user_claim( $user_claim, $id_token_claim );
-
+
if ( is_wp_error( $valid ) ){
$this->error_redirect( $valid );
}
@@ -380,7 +379,7 @@ class OpenID_Connect_Generic_Client_Wrapper {
// validate the found / created user
$valid = $this->validate_user( $user );
-
+
if ( is_wp_error( $valid ) ){
$this->error_redirect( $valid );
}
@@ -405,13 +404,13 @@ class OpenID_Connect_Generic_Client_Wrapper {
else {
wp_redirect( home_url() );
}
-
+
exit;
}
/**
- * Validate the potential WP_User
- *
+ * Validate the potential WP_User
+ *
* @param $user
*
* @return true|\WP_Error
@@ -421,13 +420,13 @@ class OpenID_Connect_Generic_Client_Wrapper {
if ( ! is_a( $user, 'WP_User' ) || ! $user->exists() ) {
return new WP_Error( 'invalid-user', __( 'Invalid user' ), $user );
}
-
+
return true;
}
/**
* Record user meta data, and provide an authorization cookie
- *
+ *
* @param $user
*/
function login_user( $user, $token_response, $id_token_claim, $user_claim, $subject_identity ){
@@ -478,8 +477,8 @@ class OpenID_Connect_Generic_Client_Wrapper {
}
/**
- * Get the user that has meta data matching a
- *
+ * Get the user that has meta data matching a
+ *
* @param $subject_identity
*
* @return false|\WP_User
@@ -500,7 +499,7 @@ class OpenID_Connect_Generic_Client_Wrapper {
$users = $user_query->get_results();
return $users[0];
}
-
+
return false;
}
@@ -592,7 +591,7 @@ class OpenID_Connect_Generic_Client_Wrapper {
$string .= substr( $format, $i, $match[ 1 ] - $i );
if ( ! isset( $user_claim[ $key ] ) ) {
if ( $error_on_missing_key ) {
- return new WP_Error( 'incomplete-user-claim', __( 'User claim incomplete' ),
+ return new WP_Error( 'incomplete-user-claim', __( 'User claim incomplete' ),
array('message'=>'Unable to find key: '.$key.' in user_claim',
'hint'=>'Verify OpenID Scope includes a scope with the attributes you need',
'user_claim'=>$user_claim,
@@ -638,7 +637,7 @@ class OpenID_Connect_Generic_Client_Wrapper {
/**
* Create a new user from details in a user_claim
- *
+ *
* @param $subject_identity
* @param $user_claim
*
@@ -738,14 +737,14 @@ class OpenID_Connect_Generic_Client_Wrapper {
}
}
- // allow other plugins / themes to determine authorization
+ // allow other plugins / themes to determine authorization
// of new accounts based on the returned user claim
$create_user = apply_filters( 'openid-connect-generic-user-creation-test', true, $user_claim );
if ( ! $create_user ) {
return new WP_Error( 'cannot-authorize', __( 'Can not authorize.' ), $create_user );
}
-
+
$user_data = array(
'user_login' => $username,
'user_pass' => wp_generate_password( 32, true, true ),
@@ -776,26 +775,25 @@ class OpenID_Connect_Generic_Client_Wrapper {
// allow plugins / themes to take action on new user creation
do_action( 'openid-connect-generic-user-create', $user, $user_claim );
-
+
return $user;
}
-
-
+
/**
* Update an existing user with OpenID Connect meta data
- *
+ *
* @param $uid
* @param $subject_identity
*
* @return \WP_Error | \WP_User
*/
function update_existing_user( $uid, $subject_identity ) {
- // add the OpenID Connect meta data
+ // add the OpenID Connect meta data
update_user_meta( $uid, 'openid-connect-generic-subject-identity', (string) $subject_identity );
-
+
// allow plugins / themes to take action on user update
do_action( 'openid-connect-generic-user-update', $uid );
-
+
// return our updated user
return get_user_by( 'id', $uid );
}
diff --git a/includes/openid-connect-generic-client.php b/includes/openid-connect-generic-client.php
index aa635fd..100d3a1 100644
--- a/includes/openid-connect-generic-client.php
+++ b/includes/openid-connect-generic-client.php
@@ -67,9 +67,9 @@ class OpenID_Connect_Generic_Client {
/**
* Validate the request for login authentication
- *
+ *
* @param $request
- *
+ *
* @return array|\WP_Error
*/
function validate_authentication_request( $request ){
@@ -111,7 +111,7 @@ class OpenID_Connect_Generic_Client {
* Using the authorization_code, request an authentication token from the idp
*
* @param $code - authorization_code
- *
+ *
* @return array|\WP_Error
*/
function request_authentication_token( $code ) {
@@ -142,7 +142,7 @@ class OpenID_Connect_Generic_Client {
if ( is_wp_error( $response ) ){
$response->add( 'request_authentication_token' , __( 'Request for authentication token failed.' ) );
}
-
+
return $response;
}
@@ -203,12 +203,12 @@ class OpenID_Connect_Generic_Client {
return $token_response;
}
-
+
/**
* Exchange an access_token for a user_claim from the userinfo endpoint
*
* @param $access_token
- *
+ *
* @return array|\WP_Error
*/
function request_userinfo( $access_token ) {
@@ -240,7 +240,7 @@ class OpenID_Connect_Generic_Client {
if ( is_wp_error( $response ) ){
$response->add( 'request_userinfo' , __( 'Request for userinfo failed.' ) );
}
-
+
return $response;
}
@@ -293,18 +293,18 @@ class OpenID_Connect_Generic_Client {
function validate_token_response( $token_response ){
// we need to ensure 2 specific items exist with the token response in order
// to proceed with confidence: id_token and token_type == 'Bearer'
- if ( ! isset( $token_response['id_token'] ) ||
+ if ( ! isset( $token_response['id_token'] ) ||
! isset( $token_response['token_type'] ) || strcasecmp( $token_response['token_type'], 'Bearer' )
) {
return new WP_Error( 'invalid-token-response', 'Invalid token response', $token_response );
}
-
+
return true;
}
/**
* Extract the id_token_claim from the token_response
- *
+ *
* @param $token_response
*
* @return array|\WP_Error
@@ -333,13 +333,13 @@ class OpenID_Connect_Generic_Client {
)
, true
);
-
+
return $id_token_claim;
}
/**
* Ensure the id_token_claim contains the required values
- *
+ *
* @param $id_token_claim
*
* @return bool|\WP_Error
@@ -348,20 +348,20 @@ class OpenID_Connect_Generic_Client {
if ( ! is_array( $id_token_claim ) ) {
return new WP_Error( 'bad-id-token-claim', __( 'Bad ID token claim' ), $id_token_claim );
}
-
+
// make sure we can find our identification data and that it has a value
if ( ! isset( $id_token_claim['sub'] ) || empty( $id_token_claim['sub'] ) ) {
return new WP_Error( 'no-subject-identity', __( 'No subject identity' ), $id_token_claim );
}
-
+
return true;
}
/**
* Attempt to exchange the access_token for a user_claim
- *
+ *
* @param $token_response
- *
+ *
* @return array|mixed|object|\WP_Error
*/
function get_user_claim( $token_response ){
@@ -377,11 +377,11 @@ class OpenID_Connect_Generic_Client {
return $user_claim;
}
-
+
/**
* Make sure the user_claim has all required values, and that the subject
* identity matches of the id_token matches that of the user_claim.
- *
+ *
* @param $user_claim
* @param $id_token_claim
*
@@ -409,17 +409,17 @@ class OpenID_Connect_Generic_Client {
// allow for other plugins to alter the login success
$login_user = apply_filters( 'openid-connect-generic-user-login-test', true, $user_claim );
-
+
if ( ! $login_user ) {
return new WP_Error( 'unauthorized', __( 'Unauthorized access' ), $login_user );
}
-
+
return true;
}
/**
* Retrieve the subject identity from the id_token
- *
+ *
* @param $id_token_claim array
*
* @return mixed
diff --git a/includes/openid-connect-generic-option-logger.php b/includes/openid-connect-generic-option-logger.php
index 96ce655..3ea7b1d 100644
--- a/includes/openid-connect-generic-option-logger.php
+++ b/includes/openid-connect-generic-option-logger.php
@@ -3,25 +3,25 @@
* Simple class for logging messages to the options table
*/
class OpenID_Connect_Generic_Option_Logger {
-
+
// wp option name/key
private $option_name;
-
+
// default message type
private $default_message_type;
-
+
// the number of items to keep in the log
private $log_limit;
-
- // whether or not the
+
+ // whether or not the
private $logging_enabled;
-
+
// internal cache of logs
private $logs;
/**
* Setup the logger according to the needs of the instance
- *
+ *
* @param string $option_name
* @param string $default_message_type
* @param bool|TRUE $logging_enabled
@@ -36,7 +36,7 @@ class OpenID_Connect_Generic_Option_Logger {
/**
* Subscribe logger to a set of filters
- *
+ *
* @param $filter_names
* @param int $priority
*/
@@ -44,7 +44,7 @@ class OpenID_Connect_Generic_Option_Logger {
if ( ! is_array( $filter_names ) ) {
$filter_names = array( $filter_names );
}
-
+
foreach ( $filter_names as $filter ){
add_filter( $filter, array( $this, 'log_hook' ), $priority );
}
@@ -52,7 +52,7 @@ class OpenID_Connect_Generic_Option_Logger {
/**
* Subscribe logger to a set of actions
- *
+ *
* @param $action_names
* @param $priority
*/
@@ -67,8 +67,8 @@ class OpenID_Connect_Generic_Option_Logger {
}
/**
- * Log the data
- *
+ * Log the data
+ *
* @param null $arg1
* @return null
*/
@@ -76,10 +76,10 @@ class OpenID_Connect_Generic_Option_Logger {
$this->log( func_get_args(), current_filter() );
return $arg1;
}
-
+
/**
* Save an array of data to the logs
- *
+ *
* @param $data mixed
* @return bool
*/
@@ -90,13 +90,13 @@ class OpenID_Connect_Generic_Option_Logger {
$logs = $this->upkeep_logs( $logs );
return $this->save_logs( $logs );
}
-
+
return false;
}
/**
* Retrieve all log messages
- *
+ *
* @return array
*/
public function get_logs() {
@@ -109,7 +109,7 @@ class OpenID_Connect_Generic_Option_Logger {
/**
* Get the name of the option where this log is stored
- *
+ *
* @return string
*/
public function get_option_name(){
@@ -128,7 +128,7 @@ class OpenID_Connect_Generic_Option_Logger {
// determine the type of message
if ( empty( $type ) ) {
$this->default_message_type;
-
+
if ( is_array( $data ) && isset( $data['type'] ) ){
$type = $data['type'];
}
@@ -148,7 +148,7 @@ class OpenID_Connect_Generic_Option_Logger {
return $message;
}
-
+
/**
* Keep our log count under the limit
*
@@ -161,14 +161,14 @@ class OpenID_Connect_Generic_Option_Logger {
if ( $items_to_remove > 0 ){
// keep only the last $log_limit messages from the end
$logs = array_slice( $logs, ( $items_to_remove * -1) );
- }
-
+ }
+
return $logs;
}
/**
* Save the log messages
- *
+ *
* @param $logs
* @return bool
*/
@@ -187,7 +187,7 @@ class OpenID_Connect_Generic_Option_Logger {
/**
* Get a simple html table of all the logs
- *
+ *
* @param array $logs
* @return string
*/
@@ -196,9 +196,9 @@ class OpenID_Connect_Generic_Option_Logger {
$logs = $this->get_logs();
}
$logs = array_reverse( $logs );
-
+
ini_set( 'xdebug.var_display_max_depth', -1 );
-
+
ob_start();
?>
<style type="text/css">
@@ -232,7 +232,7 @@ class OpenID_Connect_Generic_Option_Logger {
<?php print $log['uri']; ?>
</div>
</td>
-
+
<td class="col-data"><pre><?php var_dump( $log['data'] ); ?></pre></td>
</tr>
<?php } ?>
@@ -240,7 +240,7 @@ class OpenID_Connect_Generic_Option_Logger {
</table>
<?php
$output = ob_get_clean();
-
+
return $output;
}
}
diff --git a/includes/openid-connect-generic-option-settings.php b/includes/openid-connect-generic-option-settings.php
index b88e0f9..7b9b9a0 100644
--- a/includes/openid-connect-generic-option-settings.php
+++ b/includes/openid-connect-generic-option-settings.php
@@ -3,13 +3,13 @@
* Class OpenId_Connect_Generic_Option_Settings
*/
class OpenID_Connect_Generic_Option_Settings {
-
+
// wp option name/key
private $option_name;
-
+
// stored option values array
private $values;
-
+
// default plugin settings values
private $default_settings;
@@ -22,38 +22,38 @@ class OpenID_Connect_Generic_Option_Settings {
$this->option_name = $option_name;
$this->default_settings = $default_settings;
$this->values = get_option( $this->option_name, $this->default_settings );
-
+
if ( $granular_defaults ) {
$this->values = array_replace_recursive( $this->default_settings, $this->values );
}
}
-
+
function __get( $key ){
if ( isset( $this->values[ $key ] ) ) {
return $this->values[ $key ];
}
}
-
+
function __set( $key, $value ){
$this->values[ $key ] = $value;
}
-
+
function __isset( $key ){
return isset( $this->values[ $key ] );
}
-
+
function __unset( $key ){
unset( $this->values[ $key ]);
}
-
+
function get_values(){
return $this->values;
}
-
+
function get_option_name() {
return $this->option_name;
}
-
+
function save(){
update_option( $this->option_name, $this->values );
}
diff --git a/includes/openid-connect-generic-settings-page.php b/includes/openid-connect-generic-settings-page.php
index 00c8f15..5178521 100644
--- a/includes/openid-connect-generic-settings-page.php
+++ b/includes/openid-connect-generic-settings-page.php
@@ -27,10 +27,10 @@ class OpenID_Connect_Generic_Settings_Page {
$this->settings = $settings;
$this->logger = $logger;
$this->settings_field_group = $this->settings->get_option_name() . '-group';
-
+
/*
* Simple settings fields simply have:
- *
+ *
* - title
* - description
* - type ( checkbox | text | select )
@@ -225,7 +225,7 @@ class OpenID_Connect_Generic_Settings_Page {
// register our settings
add_action( 'admin_init', array( $settings_page, 'admin_init' ) );
-
+
return $settings_page;
}
@@ -262,7 +262,7 @@ class OpenID_Connect_Generic_Settings_Page {
array( $this, 'user_settings_description' ),
$this->options_page_name
);
-
+
add_settings_section( 'authorization_settings',
__( 'Authorization Settings' ),
array( $this, 'authorization_settings_description' ),
@@ -322,7 +322,7 @@ class OpenID_Connect_Generic_Settings_Page {
foreach ( $this->settings_fields as $key => $field ) {
if ( isset( $input[ $key ] ) ) {
$options[ $key ] = sanitize_text_field( trim( $input[ $key ] ) );
- }
+ }
else {
$options[ $key ] = '';
}
@@ -349,7 +349,7 @@ class OpenID_Connect_Generic_Settings_Page {
settings_fields( $this->settings_field_group );
do_settings_sections( $this->options_page_name );
submit_button();
-
+
// simple debug to view settings array
if ( isset( $_GET['debug'] ) ) {
var_dump( $this->settings->get_values() );
@@ -452,11 +452,11 @@ class OpenID_Connect_Generic_Settings_Page {
public function client_settings_description() {
_e( 'Enter your OpenID Connect identity provider settings' );
}
-
+
public function user_settings_description() {
_e( 'Modify the interaction between OpenID Connect and WordPress users' );
}
-
+
public function authorization_settings_description() {
_e( 'Control the authorization mechanics of the site' );
}