- refresh_token + access_token expiry is sent via encrypted cookie to the browser.
- If cookie is missing or invalid, user is logged out.
- If last access token expired, use refresh token to fetch a new one and send a new cookie.
- If token refresh fails, user is logged out.
- Cookie encryption is with per-user random key stored in user meta.
- Encryption and key generation done using https://github.com/defuse/php-encryption
- Updated autoloader function to support loading namespaced classes.
An error occurs if a user with an existing WordPress account tries to
sign in using OpenID Connect. This patch fixes this problem by adding
the OpenID Connect meta data to the existing user's account after
successful authorization.
Raif Atef
wgengarelly
Robert Staddon
daggerhart
Jonathan Daggerhart