- refresh_token + access_token expiry is sent via encrypted cookie to the browser.
- If cookie is missing or invalid, user is logged out.
- If last access token expired, use refresh token to fetch a new one and send a new cookie.
- If token refresh fails, user is logged out.
- Cookie encryption is with per-user random key stored in user meta.
- Encryption and key generation done using https://github.com/defuse/php-encryption
- Updated autoloader function to support loading namespaced classes.
This setting would override the default action of redirecting the user
to the home page after a successful login and instead redirect the user
back to the page on which they clicked the OpenID Connect login button.
This would cause the login process to proceed in a traditional WordPress
fashion.
An error occurs if a user with an existing WordPress account tries to
sign in using OpenID Connect. This patch fixes this problem by adding
the OpenID Connect meta data to the existing user's account after
successful authorization.
Raif Atef
wgengarelly
Robert Staddon
daggerhart
Jonathan Daggerhart