Changeset 2698055

Timestamp:

03/23/2022 01:48:21 AM (4 years ago)

Author:

daggerhart

Message:

Update to version 3.9.0 from GitHub

Location:

daggerhart-openid-connect-generic

Files:

• tags/3.9.0 (copied) (copied from daggerhart-openid-connect-generic/trunk)
• tags/3.9.0/CHANGELOG.md (modified) (1 diff)
• tags/3.9.0/docker-compose.wp-env.yml (added)
• tags/3.9.0/docker-compose.yml (added)
• tags/3.9.0/includes/functions.php (added)
• tags/3.9.0/includes/openid-connect-generic-client-wrapper.php (modified) (27 diffs)
• tags/3.9.0/includes/openid-connect-generic-client.php (modified) (5 diffs)
• tags/3.9.0/includes/openid-connect-generic-option-settings.php (modified) (2 diffs)
• tags/3.9.0/includes/openid-connect-generic-settings-page.php (modified) (10 diffs)
• tags/3.9.0/languages/openid-connect-generic.pot (modified) (16 diffs)
• tags/3.9.0/openid-connect-generic.php (modified) (10 diffs)
• tags/3.9.0/readme.txt (modified) (2 diffs)
• trunk/CHANGELOG.md (modified) (1 diff)
• trunk/docker-compose.wp-env.yml (added)
• trunk/docker-compose.yml (added)
• trunk/includes/functions.php (added)
• trunk/includes/openid-connect-generic-client-wrapper.php (modified) (27 diffs)
• trunk/includes/openid-connect-generic-client.php (modified) (5 diffs)
• trunk/includes/openid-connect-generic-option-settings.php (modified) (2 diffs)
• trunk/includes/openid-connect-generic-settings-page.php (modified) (10 diffs)
• trunk/languages/openid-connect-generic.pot (modified) (16 diffs)
• trunk/openid-connect-generic.php (modified) (10 diffs)
• trunk/readme.txt (modified) (2 diffs)

daggerhart-openid-connect-generic/tags/3.9.0/CHANGELOG.md

@@ -1 +1 @@
 # OpenId Connect Generic Changelog
 
-3.8.5
-* Fix: @timnolte - Fixes missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
-* Fix: @timnolte - Fixes Redirect URL Logic to Handle Sub-directory Installs.
-* Fix: @timnolte - Fixes to provide proper redirect user back for the openid_connect_generic_auth_url shortcode.
+3.9.0
 
-3.8.4
-* Fix: @timnolte - Fixed invalid State object access for redirection handling.
-* Improvement: @timnolte - Fixed local wp-env Docker development environment.
-* Improvement: @timnolte - Fixed Composer scripts for linting and static analysis.
+- Feature: @matchaxnb - Added support for additional configuration constants.
+- Feature: @schanzen - Added support for agregated claims.
+- Fix: @rkcreation - Fixed access token not updating user metadata after login.
+- Fix: @danc1248 - Fixed user creation issue on Multisite Networks.
+- Feature: @RobjS - Added plugin singleton to support for more developer customization.
+- Feature: @jkouris - Added action hook to allow custom handling of session expiration.
+- Fix: @tommcc - Fixed admin CSS loading only on the plugin settings screen.
+- Feature: @rkcreation - Added method to refresh the user claim.
+- Feature: @Glowsome - Added acr_values support & verification checks that it when defined in options is honored.
+- Fix: @timnolte - Fixed regression which caused improper fallback on missing claims.
+- Fix: @slykar - Fixed missing query string handling in redirect URL.
+- Fix: @timnolte - Fixed issue with some user linking and user creation handling.
+- Improvement: @timnolte - Fixed plugin settings typos and screen formatting.
+- Security: @timnolte - Updated build tooling security vulnerabilities.
+- Improvement: @timnolte - Changed build tooling scripts.
 
-3.8.3
+  3.8.5
 
-* Fix: @timnolte - Fixed problems with proper redirect handling.
-* Improvement: @timnolte - Changes redirect handling to use State instead of cookies.
-* Improvement: @timnolte - Refactored additional code to meet coding standards.
+- Fix: @timnolte - Fixed missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
+- Fix: @timnolte - Fixed Redirect URL Logic to Handle Sub-directory Installs.
+- Fix: @timnolte - Fixed issue with redirecting user back when the openid_connect_generic_auth_url shortcode is used.
 
-3.8.2
+  3.8.4
 
-* Fix: @timnolte - Fixed reported XSS vulnerability on WordPress login screen.
+- Fix: @timnolte - Fixed invalid State object access for redirection handling.
+- Improvement: @timnolte - Fixed local wp-env Docker development environment.
+- Improvement: @timnolte - Fixed Composer scripts for linting and static analysis.
 
-3.8.1
+  3.8.3
 
-* Fix: @timnolte - Prevent SSO redirect on password protected posts.
-* Fix: @timnolte - CI/CD build issues.
-* Fix: @timnolte - Invalid redirect handling on logout for Auto Login setting.
+- Fix: @timnolte - Fixed problems with proper redirect handling.
+- Improvement: @timnolte - Changes redirect handling to use State instead of cookies.
+- Improvement: @timnolte - Refactored additional code to meet coding standards.
 
-3.8.0
+  3.8.2
 
-* Feature: @timnolte - Ability to use 6 new constants for setting client configuration instead of storing in the DB.
-* Improvement: @timnolte - NPM version requirements for development.
-* Improvement: @timnolte - Travis CI build fixes.
-* Improvement: @timnolte - GrumPHP configuration updates for code contributions.
-* Improvement: @timnolte - Refactored to meet WordPress coding standards.
-* Improvement: @timnolte - Refactored to provide localization.
-* Improvement: @timnolte - Refactored to provide a Docker-based local development environment.
+- Fix: @timnolte - Fixed reported XSS vulnerability on WordPress login screen.
 
-3.7.1
+  3.8.1
 
-* Fix: Release Version Number.
+- Fix: @timnolte - Prevent SSO redirect on password protected posts.
+- Fix: @timnolte - CI/CD build issues.
+- Fix: @timnolte - Invalid redirect handling on logout for Auto Login setting.
 
-3.7.0
+  3.8.0
 
-* Feature: @timnolte - Ability to enable/disable token refresh. Useful for IDPs that don't support token refresh.
-* Feature: @timnolte - Support custom redirect URL(`redirect_to`) with the authentication URL & login button shortcodes.
+- Feature: @timnolte - Ability to use 6 new constants for setting client configuration instead of storing in the DB.
+- Improvement: @timnolte - NPM version requirements for development.
+- Improvement: @timnolte - Travis CI build fixes.
+- Improvement: @timnolte - GrumPHP configuration updates for code contributions.
+- Improvement: @timnolte - Refactored to meet WordPress coding standards.
+- Improvement: @timnolte - Refactored to provide localization.
+- Improvement: @timnolte - Refactored to provide a Docker-based local development environment.
+
+  3.7.1
+
+- Fix: Release Version Number.
+
+  3.7.0
+
+- Feature: @timnolte - Ability to enable/disable token refresh. Useful for IDPs that don't support token refresh.
+- Feature: @timnolte - Support custom redirect URL(`redirect_to`) with the authentication URL & login button shortcodes.
+
   - Supports additional attribute overrides including login `button_text`, `endpoint_login`, `scope`, `redirect_uri`.
 
-3.6.0
+    3.6.0
 
-* Improvement: @RobjS - Improved error messages during login state failure.
-* Improvement: @RobjS - New developer filter for login form button URL.
-* Fix: @cs1m0n - Only increment username during new user creation if the "Link existing user" setting is enabled.
-* Fix: @xRy-42 - Allow periods and spaces in usernames to match what WordPress core allows.
-* Feature: @benochen - New setting named "Create user if does not exist" determines whether new users are created during login attempts.
-* Improvement: @flat235 - Username transliteration and normalization.
+- Improvement: @RobjS - Improved error messages during login state failure.
+- Improvement: @RobjS - New developer filter for login form button URL.
+- Fix: @cs1m0n - Only increment username during new user creation if the "Link existing user" setting is enabled.
+- Fix: @xRy-42 - Allow periods and spaces in usernames to match what WordPress core allows.
+- Feature: @benochen - New setting named "Create user if does not exist" determines whether new users are created during login attempts.
+- Improvement: @flat235 - Username transliteration and normalization.
 
-3.5.1
+  3.5.1
 
-* Fix: @daggerhart - New approach to state management using transients.
+- Fix: @daggerhart - New approach to state management using transients.
 
-3.5.0
+  3.5.0
 
-* Readme fix: @thijskh - Fix syntax error in example openid-connect-generic-login-button-text
-* Feature: @slavicd - Allow override of the plugin by posting credentials to wp-login.php
-* Feature: @gassan - New action on use login
-* Fix: @daggerhart - Avoid double question marks in auth url query string
-* Fix: @drzraf - wp-cli bootstrap must not inhibit custom rewrite rules
-* Syntax change: @mullikine - Change PHP keywords to comply with PSR2
+- Readme fix: @thijskh - Fix syntax error in example openid-connect-generic-login-button-text
+- Feature: @slavicd - Allow override of the plugin by posting credentials to wp-login.php
+- Feature: @gassan - New action on use login
+- Fix: @daggerhart - Avoid double question marks in auth url query string
+- Fix: @drzraf - wp-cli bootstrap must not inhibit custom rewrite rules
+- Syntax change: @mullikine - Change PHP keywords to comply with PSR2
 
 **3.4.1**
 
-* Minor documentation update and additional error checking.
+- Minor documentation update and additional error checking.
 
 **3.4.0**
 
-* Feature: @drzraf - New filter hook: ability to filter claim and derived user data before user creation.
-* Feature: @anttileppa - State time limit can now be changed on the settings page.
-* Fix: @drzraf - Fix PHP notice when using traditional login, $token_response may be empty.
-* Fix: @drzraf - Fixed a notice when cookie does not contain expected redirect_url 
+- Feature: @drzraf - New filter hook: ability to filter claim and derived user data before user creation.
+- Feature: @anttileppa - State time limit can now be changed on the settings page.
+- Fix: @drzraf - Fix PHP notice when using traditional login, $token_response may be empty.
+- Fix: @drzraf - Fixed a notice when cookie does not contain expected redirect_url
 
 **3.3.1**
 
-* Prefixing classes for more efficient autoloading.
-* Avoid altering global wp_remote_post() parameters.
-* Minor metadata updates for wp.org
+- Prefixing classes for more efficient autoloading.
+- Avoid altering global wp_remote_post() parameters.
+- Minor metadata updates for wp.org
 
 **3.3.0**
 
-* Fix: @pjeby - Handle multiple user sessions better by using the `WP_Session_Tokens` object. Predecessor to fixes for multiple other issues: #49, #50, #51
+- Fix: @pjeby - Handle multiple user sessions better by using the `WP_Session_Tokens` object. Predecessor to fixes for multiple other issues: #49, #50, #51
 
 **3.2.1**
 
-* Bug fix: @svenvanhal - Exit after issuing redirect. Fixes #46
+- Bug fix: @svenvanhal - Exit after issuing redirect. Fixes #46
 
 **3.2.0**
 
-* Feature: @robbiepaul - trigger core action `wp_login` when user is logged in through this plugin
-* Feature: @moriyoshi - Determine the WP_User display name with replacement tokens on the settings page. Tokens can be any property of the user_claim.
-* Feature: New setting to set redirect URL when session expires.
-* Feature: @robbiepaul - New filter for modifying authentication URL
-* Fix: @cedrox - Adding id_token_hint to logout URL according to spec
-* Bug fix: Provide port to the request header when requesting the user_claim
+- Feature: @robbiepaul - trigger core action `wp_login` when user is logged in through this plugin
+- Feature: @moriyoshi - Determine the WP_User display name with replacement tokens on the settings page. Tokens can be any property of the user_claim.
+- Feature: New setting to set redirect URL when session expires.
+- Feature: @robbiepaul - New filter for modifying authentication URL
+- Fix: @cedrox - Adding id_token_hint to logout URL according to spec
+- Bug fix: Provide port to the request header when requesting the user_claim
 
 **3.1.0**
 
-* Feature: @rwasef1830 - Refresh tokens 
-* Feature: @rwasef1830 - Integrated logout support with end_session endpoint
-* Feature: May use an alternate redirect_uri that doesn't rely on admin-ajax
-* Feature: @ahatherly - Support for IDP behind reverse proxy
-* Bug fix: @robertstaddon - case insensitive check for Bearer token
-* Bug fix: @rwasef1830 - "redirect to origin when auto-sso" cookie issue
-* Bug fix: @rwasef1830 - PHP Warnings headers already sent due to attempts to redirect and set cookies during login form message
-* Bug fix: @rwasef1830 - expire session when access_token expires if no refresh token found
-* UX fix: @rwasef1830 - Show login button on error redirect when using auto-sso
+- Feature: @rwasef1830 - Refresh tokens
+- Feature: @rwasef1830 - Integrated logout support with end_session endpoint
+- Feature: May use an alternate redirect_uri that doesn't rely on admin-ajax
+- Feature: @ahatherly - Support for IDP behind reverse proxy
+- Bug fix: @robertstaddon - case insensitive check for Bearer token
+- Bug fix: @rwasef1830 - "redirect to origin when auto-sso" cookie issue
+- Bug fix: @rwasef1830 - PHP Warnings headers already sent due to attempts to redirect and set cookies during login form message
+- Bug fix: @rwasef1830 - expire session when access_token expires if no refresh token found
+- UX fix: @rwasef1830 - Show login button on error redirect when using auto-sso
 
 **3.0.8**
 
-* Feature: @wgengarelly - Added `openid-connect-generic-update-user-using-current-claim` action hook allowing other plugins/themes
+- Feature: @wgengarelly - Added `openid-connect-generic-update-user-using-current-claim` action hook allowing other plugins/themes
   to take action using the fresh claims received when an existing user logs in.
 
 **3.0.7**
 
-* Bug fix: @wgengarelly - When requesting userinfo, send the access token using the Authorization header field as recommended in 
-section 5.3.1 of the specs. 
+- Bug fix: @wgengarelly - When requesting userinfo, send the access token using the Authorization header field as recommended in
+  section 5.3.1 of the specs.
 
 **3.0.6**
 
-* Bug fix: @robertstaddon - If "Link Existing Users" is enabled, allow users who login with OpenID Connect to also log in with WordPress credentials
+- Bug fix: @robertstaddon - If "Link Existing Users" is enabled, allow users who login with OpenID Connect to also log in with WordPress credentials
 
 **3.0.5**
 
-* Feature: @robertstaddon - Added `[openid_connect_generic_login_button]` shortcode to allow the login button to be placed anywhere
-* Feature: @robertstaddon - Added setting to "Redirect Back to Origin Page" after a successful login instead of redirecting to the home page.
+- Feature: @robertstaddon - Added `[openid_connect_generic_login_button]` shortcode to allow the login button to be placed anywhere
+- Feature: @robertstaddon - Added setting to "Redirect Back to Origin Page" after a successful login instead of redirecting to the home page.
 
 **3.0.4**
 
-* Feature: @robertstaddon - Added setting to allow linking existing WordPress user accounts with newly-authenticated OpenID Connect login
+- Feature: @robertstaddon - Added setting to allow linking existing WordPress user accounts with newly-authenticated OpenID Connect login
 
 **3.0.3**
 
-* Using WordPresss's is_ssl() for setcookie()'s "secure" parameter
-* Bug fix: Incrementing username in case of collision.
-* Bug fix: Wrong error sent when missing token body
+- Using WordPresss's is_ssl() for setcookie()'s "secure" parameter
+- Bug fix: Incrementing username in case of collision.
+- Bug fix: Wrong error sent when missing token body
 
 **3.0.2**
 
-* Added http_request_timeout setting
+- Added http_request_timeout setting
 
 **3.0.1**
 
-* Finalizing 3.0.x api
+- Finalizing 3.0.x api
 
 **3.0**
 
-* Complete rewrite to separate concerns
-* Changed settings keys for clarity (requires updating settings if upgrading from another version)
-* Error logging
+- Complete rewrite to separate concerns
+- Changed settings keys for clarity (requires updating settings if upgrading from another version)
+- Error logging
 
 **2.1**
 
-* Working my way closer to spec. Possible breaking change.  Now checking for preferred_username as priority.
-* New username determination to avoid collisions
+- Working my way closer to spec. Possible breaking change. Now checking for preferred_username as priority.
+- New username determination to avoid collisions
 
 **2.0**
 
 Complete rewrite
-

daggerhart-openid-connect-generic/tags/3.9.0/includes/openid-connect-generic-client-wrapper.php

@@ -149 +149 @@
      */
     public function get_redirect_to() {
+        // @var WP $wp WordPress environment setup class.
         global $wp;
 
@@ -171 +172 @@
         if ( $this->settings->redirect_user_back ) {
             if ( ! empty( $wp->request ) ) {
-                if ( ! empty( $wp->did_permalink ) && $wp->did_permalink ) {
-                    $redirect_url = home_url( trailingslashit( $wp->request ) );
+                if ( ! empty( $wp->did_permalink ) && boolval( $wp->did_permalink ) === true ) {
+                    $redirect_url = home_url( add_query_arg( $_GET, trailingslashit( $wp->request ) ) );
                 } else {
                     $redirect_url = home_url( add_query_arg( null, null ) );
@@ -211 +212 @@
                 'redirect_uri' => $this->client->get_redirect_uri(),
                 'redirect_to' => $this->get_redirect_to(),
+                'acr_values' => $this->settings->acr_values,
             ),
             $atts,
@@ -225 +227 @@
             $separator = '&';
         }
+
+        $url_format = '%1$s%2$sresponse_type=code&scope=%3$s&client_id=%4$s&state=%5$s&redirect_uri=%6$s';
+        if ( ! empty( $atts['acr_values'] ) ) {
+            $url_format .= '&acr_values=%7$s';
+        }
+
         $url = sprintf(
-            '%1$s%2$sresponse_type=code&scope=%3$s&client_id=%4$s&state=%5$s&redirect_uri=%6$s',
+            $url_format,
             $atts['endpoint_login'],
             $separator,
@@ -232 +240 @@
             rawurlencode( $atts['client_id'] ),
             $this->client->new_state( $atts['redirect_to'] ),
-            rawurlencode( $atts['redirect_uri'] )
+            rawurlencode( $atts['redirect_uri'] ),
+            rawurlencode( $atts['acr_values'] )
         );
 
@@ -272 +281 @@
 
         if ( ! $refresh_token || ( $refresh_expires && $current_time > $refresh_expires ) ) {
-            wp_logout();
-
-            if ( $this->settings->redirect_on_logout ) {
-                $this->error_redirect( new WP_Error( 'access-token-expired', __( 'Session expired. Please login again.', 'daggerhart-openid-connect-generic' ) ) );
+            if ( isset( $_SERVER['REQUEST_URI'] ) ) {
+                do_action( 'openid-connect-generic-session-expired', wp_get_current_user(), esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
+                wp_logout();
+
+                if ( $this->settings->redirect_on_logout ) {
+                    $this->error_redirect( new WP_Error( 'access-token-expired', __( 'Session expired. Please login again.', 'daggerhart-openid-connect-generic' ) ) );
+                }
+
+                return;
             }
-
-            return;
         }
 
@@ -295 +307 @@
         }
 
+        update_user_meta( $user_id, 'openid-connect-generic-last-token-response', $token_response );
         $this->save_refresh_token( $manager, $token, $token_response );
     }
@@ -511 +524 @@
         $user = $this->get_user_by_identity( $subject_identity );
 
+        // A pre-existing IDP mapped user wasn't found.
         if ( ! $user ) {
-            if ( $this->settings->create_if_does_not_exist ) {
+            // If linking existing users or creating new ones call the `create_new_user` method which handles both cases.
+            if ( $this->settings->link_existing_users || $this->settings->create_if_does_not_exist ) {
                 $user = $this->create_new_user( $subject_identity, $user_claim );
                 if ( is_wp_error( $user ) ) {
@@ -520 +535 @@
                 $this->error_redirect( new WP_Error( 'identity-not-map-existing-user', __( 'User identity is not linked to an existing WordPress user.', 'daggerhart-openid-connect-generic' ), $user_claim ) );
             }
-        } else {
-            // Allow plugins / themes to take action using current claims on existing user (e.g. update role).
-            do_action( 'openid-connect-generic-update-user-using-current-claim', $user, $user_claim );
         }
 
@@ -535 +547 @@
         $this->login_user( $user, $token_response, $id_token_claim, $user_claim, $subject_identity );
 
+        // Allow plugins / themes to take action once a user is logged in.
         do_action( 'openid-connect-generic-user-logged-in', $user );
 
@@ -581 +594 @@
 
     /**
+     * Refresh user claim.
+     *
+     * @param WP_User $user             The user object.
+     * @param array   $token_response   The token response.
+     *
+     * @return WP_Error|array
+     */
+    public function refresh_user_claim( $user, $token_response ) {
+        $client = $this->client;
+
+        /**
+         * The id_token is used to identify the authenticated user, e.g. for SSO.
+         * The access_token must be used to prove access rights to protected
+         * resources e.g. for the userinfo endpoint
+         */
+        $id_token_claim = $client->get_id_token_claim( $token_response );
+
+        // Allow for other plugins to alter data before validation.
+        $id_token_claim = apply_filters( 'openid-connect-modify-id-token-claim-before-validation', $id_token_claim );
+
+        if ( is_wp_error( $id_token_claim ) ) {
+            return $id_token_claim;
+        }
+
+        // Validate our id_token has required values.
+        $valid = $client->validate_id_token_claim( $id_token_claim );
+
+        if ( is_wp_error( $valid ) ) {
+            return $valid;
+        }
+
+        // If userinfo endpoint is set, exchange the token_response for a user_claim.
+        if ( ! empty( $this->settings->endpoint_userinfo ) && isset( $token_response['access_token'] ) ) {
+            $user_claim = $client->get_user_claim( $token_response );
+        } else {
+            $user_claim = $id_token_claim;
+        }
+
+        if ( is_wp_error( $user_claim ) ) {
+            return $user_claim;
+        }
+
+        // Validate our user_claim has required values.
+        $valid = $client->validate_user_claim( $user_claim, $id_token_claim );
+
+        if ( is_wp_error( $valid ) ) {
+            $this->error_redirect( $valid );
+            return $valid;
+        }
+
+        // Store the tokens for future reference.
+        update_user_meta( $user->ID, 'openid-connect-generic-last-token-response', $token_response );
+        update_user_meta( $user->ID, 'openid-connect-generic-last-id-token-claim', $id_token_claim );
+        update_user_meta( $user->ID, 'openid-connect-generic-last-user-claim', $user_claim );
+
+        return $user_claim;
+    }
+
+    /**
      * Record user meta data, and provide an authorization cookie.
      *
@@ -596 +668 @@
         update_user_meta( $user->ID, 'openid-connect-generic-last-id-token-claim', $id_token_claim );
         update_user_meta( $user->ID, 'openid-connect-generic-last-user-claim', $user_claim );
+        // Allow plugins / themes to take action using current claims on existing user (e.g. update role).
+        do_action( 'openid-connect-generic-update-user-using-current-claim', $user, $user_claim );
 
         // Create the WP session, so we know its token.
@@ -657 +731 @@
                     ),
                 ),
+                // Override the default blog_id (get_current_blog_id) to find users on different sites of a multisite install.
+                'blog_id' => 0,
             )
         );
 
-        // If we found an existing users, grab the first one returned.
+        // If we found existing users, grab the first one returned.
         if ( $user_query->get_total() > 0 ) {
             $users = $user_query->get_results();
@@ -674 +750 @@
      * @param array $user_claim The IDP authenticated user claim data.
      *
-     * @return string|WP_Error|null
+     * @return string|WP_Error
      */
     private function get_username_from_claim( $user_claim ) {
@@ -684 +760 @@
         if ( ! empty( $this->settings->identity_key ) && isset( $user_claim[ $this->settings->identity_key ] ) ) {
             $desired_username = $user_claim[ $this->settings->identity_key ];
-        } else if ( isset( $user_claim['preferred_username'] ) && ! empty( $user_claim['preferred_username'] ) ) {
+        }
+        if ( empty( $desired_username ) && isset( $user_claim['preferred_username'] ) && ! empty( $user_claim['preferred_username'] ) ) {
             $desired_username = $user_claim['preferred_username'];
-        } else if ( isset( $user_claim['name'] ) && ! empty( $user_claim['name'] ) ) {
+        }
+        if ( empty( $desired_username ) && isset( $user_claim['name'] ) && ! empty( $user_claim['name'] ) ) {
             $desired_username = $user_claim['name'];
-        } else if ( isset( $user_claim['email'] ) && ! empty( $user_claim['email'] ) ) {
+        }
+        if ( empty( $desired_username ) && isset( $user_claim['email'] ) && ! empty( $user_claim['email'] ) ) {
             $tmp = explode( '@', $user_claim['email'] );
             $desired_username = $tmp[0];
-        } else {
+        }
+        if ( empty( $desired_username ) ) {
             // Nothing to build a name from.
             return new WP_Error( 'no-username', __( 'No appropriate username found.', 'daggerhart-openid-connect-generic' ), $user_claim );
         }
 
-        // Normalize the data a bit.
-        // @var string $transliterated_username The username converted to ASCII from UTF-8.
-        $transliterated_username = iconv( 'UTF-8', 'ASCII//TRANSLIT', $desired_username );
-        if ( empty( $transliterated_username ) ) {
-            // translators: $1$s is a username from the IDP.
-            return new WP_Error( 'username-transliteration-failed', sprintf( __( 'Username %1$s could not be transliterated.', 'daggerhart-openid-connect-generic' ), $desired_username ), $desired_username );
-        }
-        $normalized_username = strtolower( preg_replace( '/[^a-zA-Z0-9 _.\-@]/', '', $transliterated_username ) );
-        if ( empty( $normalized_username ) ) {
-            // translators: %1$s is the ASCII version of the username from the IDP.
-            return new WP_Error( 'username-normalization-failed', sprintf( __( 'Username %1$s could not be normalized.', 'daggerhart-openid-connect-generic' ), $transliterated_username ), $transliterated_username );
-        }
-
-        // Copy the username for incrementing.
-        $username = ! empty( $normalized_username ) ? $normalized_username : null;
-
-        if ( ! $this->settings->link_existing_users && ! is_null( $username ) ) {
-            // @example Original user gets "name", second user gets "name2", etc.
-            $count = 1;
-            while ( username_exists( $username ) ) {
-                $count ++;
-                $username = $normalized_username . $count;
-            }
-        }
-
-        return $username;
+        // Don't use the full email address for a username.
+        $_desired_username = explode( '@', $desired_username );
+        $desired_username = $_desired_username[0];
+        // Use WordPress Core to sanitize the IDP username.
+        $sanitized_username = sanitize_user( $desired_username, true );
+        if ( empty( $sanitized_username ) ) {
+            // translators: %1$s is the santitized version of the username from the IDP.
+            return new WP_Error( 'username-sanitization-failed', sprintf( __( 'Username %1$s could not be sanitized.', 'daggerhart-openid-connect-generic' ), $desired_username ), $desired_username );
+        }
+
+        return $sanitized_username;
     }
 
@@ -747 +812 @@
 
     /**
+     * Checks if $claimname is in the body or _claim_names of the userinfo.
+     * If yes, returns the claim value. Otherwise, returns false.
+     *
+     * @param string $claimname the claim name to look for.
+     * @param array  $userinfo the JSON to look in.
+     * @param string $claimvalue the source claim value ( from the body of the JWT of the claim source).
+     * @return true|false
+     */
+    private function get_claim( $claimname, $userinfo, &$claimvalue ) {
+        /**
+         * If we find a simple claim, return it.
+         */
+        if ( array_key_exists( $claimname, $userinfo ) ) {
+            $claimvalue = $userinfo[ $claimname ];
+            return true;
+        }
+        /**
+         * If there are no aggregated claims, it is over.
+         */
+        if ( ! array_key_exists( '_claim_names', $userinfo ) ||
+            ! array_key_exists( '_claim_sources', $userinfo ) ) {
+            return false;
+        }
+        $claim_src_ptr = $userinfo['_claim_names'];
+        if ( ! isset( $claim_src_ptr ) ) {
+            return false;
+        }
+        /**
+         * No reference found
+         */
+        if ( ! array_key_exists( $claimname, $claim_src_ptr ) ) {
+            return false;
+        }
+        $src_name = $claim_src_ptr[ $claimname ];
+        // Reference found, but no corresponding JWT. This is a malformed userinfo.
+        if ( ! array_key_exists( $src_name, $userinfo['_claim_sources'] ) ) {
+            return false;
+        }
+        $src = $userinfo['_claim_sources'][ $src_name ];
+        // Source claim is not a JWT. Abort.
+        if ( ! array_key_exists( 'JWT', $src ) ) {
+            return false;
+        }
+        /**
+         * Extract claim from JWT.
+         * FIXME: We probably want to verify the JWT signature/issuer here.
+         * For example, using JWKS if applicable. For symmetrically signed
+         * JWTs (HMAC), we need a way to specify the acceptable secrets
+         * and each possible issuer in the config.
+         */
+        $jwt = $src['JWT'];
+        list ( $header, $body, $rest ) = explode( '.', $jwt, 3 );
+        $body_str = base64_decode( $body, false );
+        if ( ! $body_str ) {
+            return false;
+        }
+        $body_json = json_decode( $body_str, true );
+        if ( ! isset( $body_json ) ) {
+            return false;
+        }
+        if ( ! array_key_exists( $claimname, $body_json ) ) {
+            return false;
+        }
+        $claimvalue = $body_json[ $claimname ];
+        return true;
+    }
+
+
+    /**
      * Build a string from the user claim according to the specified format.
      *
@@ -758 +892 @@
         $matches = null;
         $string = '';
+        $info = '';
         $i = 0;
         if ( preg_match_all( '/\{[^}]*\}/u', $format, $matches, PREG_OFFSET_CAPTURE ) ) {
@@ -763 +898 @@
                 $key = substr( $match[0], 1, -1 );
                 $string .= substr( $format, $i, $match[1] - $i );
-                if ( ! isset( $user_claim[ $key ] ) ) {
+                if ( ! $this->get_claim( $key, $user_claim, $info ) ) {
                     if ( $error_on_missing_key ) {
                         return new WP_Error(
@@ -777 +912 @@
                     }
                 } else {
-                    $string .= $user_claim[ $key ];
+                    $string .= $info;
                 }
                 $i = $match[1] + strlen( $match[0] );
@@ -836 +971 @@
         // Allow claim details to determine username, email, nickname and displayname.
         $_email = $this->get_email_from_claim( $user_claim, true );
-        if ( is_wp_error( $_email ) ) {
+        if ( is_wp_error( $_email ) || empty( $_email ) ) {
             $values_missing = true;
-        } else if ( ! is_null( $_email ) ) {
+        } else {
             $email = $_email;
         }
 
         $_username = $this->get_username_from_claim( $user_claim );
-        if ( is_wp_error( $_username ) ) {
+        if ( is_wp_error( $_username ) || empty( $_username ) ) {
             $values_missing = true;
-        } else if ( ! is_null( $_username ) ) {
+        } else {
             $username = $_username;
         }
 
         $_nickname = $this->get_nickname_from_claim( $user_claim );
-        if ( is_null( $_nickname ) ) {
+        if ( is_wp_error( $_nickname ) || empty( $_nickname ) ) {
             $values_missing = true;
         } else {
@@ -857 +992 @@
 
         $_displayname = $this->get_displayname_from_claim( $user_claim, true );
-        if ( is_wp_error( $_displayname ) ) {
+        if ( is_wp_error( $_displayname ) || empty( $_displayname ) ) {
             $values_missing = true;
-        } else if ( ! is_null( $_displayname ) ) {
+        } else {
             $displayname = $_displayname;
         }
@@ -878 +1013 @@
         if ( is_wp_error( $_email ) ) {
             return $_email;
-        } else if ( ! is_null( $_email ) ) {
+        }
+        // Use the email address from the latest userinfo request if not empty.
+        if ( ! empty( $_email ) ) {
             $email = $_email;
         }
@@ -885 +1022 @@
         if ( is_wp_error( $_username ) ) {
             return $_username;
-        } else if ( ! is_null( $_username ) ) {
+        }
+        // Use the username from the latest userinfo request if not empty.
+        if ( ! empty( $_username ) ) {
             $username = $_username;
         }
@@ -892 +1031 @@
         if ( is_wp_error( $_nickname ) ) {
             return $_nickname;
-        } else if ( is_null( $_nickname ) ) {
+        }
+        // Use the username as the nickname if the userinfo request nickname is empty.
+        if ( empty( $_nickname ) ) {
             $nickname = $username;
         }
@@ -899 +1040 @@
         if ( is_wp_error( $_displayname ) ) {
             return $_displayname;
-        } else if ( is_null( $_displayname ) ) {
+        }
+        // Use the nickname as the displayname if the userinfo request displayname is empty.
+        if ( empty( $_displayname ) ) {
             $displayname = $nickname;
         }
 
-        // Before trying to create the user, first check if a user with the same email already exists.
+        // Before trying to create the user, first check if a matching user exists.
         if ( $this->settings->link_existing_users ) {
+            $uid = null;
             if ( $this->settings->identify_with_username ) {
                 $uid = username_exists( $username );
@@ -910 +1054 @@
                 $uid = email_exists( $email );
             }
-            if ( $uid ) {
+            if ( ! empty( $uid ) ) {
                 $user = $this->update_existing_user( $uid, $subject_identity );
                 do_action( 'openid-connect-generic-update-user-using-current-claim', $user, $user_claim );
@@ -921 +1065 @@
          * based on the returned user claim.
          */
-        $create_user = apply_filters( 'openid-connect-generic-user-creation-test', true, $user_claim );
+        $create_user = apply_filters( 'openid-connect-generic-user-creation-test', $this->settings->create_if_does_not_exist, $user_claim );
 
         if ( ! $create_user ) {
             return new WP_Error( 'cannot-authorize', __( 'Can not authorize.', 'daggerhart-openid-connect-generic' ), $create_user );
+        }
+
+        // Copy the username for incrementing.
+        $_username = $username;
+        // Ensure prevention of linking usernames & collisions by incrementing the username if it exists.
+        // @example Original user gets "name", second user gets "name2", etc.
+        $count = 1;
+        while ( username_exists( $username ) ) {
+            $count ++;
+            $username = $_username . $count;
         }
 

daggerhart-openid-connect-generic/tags/3.9.0/includes/openid-connect-generic-client.php

@@ -84 +84 @@
 
     /**
+     * The specifically requested authentication contract at the IDP
+     *
+     * @see OpenID_Connect_Generic_Option_Settings::acr_values
+     *
+     * @var string
+     */
+    private $acr_values;
+
+    /**
      * The state time limit. States are only valid for 3 minutes.
      *
@@ -109 +118 @@
      * @param string                               $endpoint_token    @see OpenID_Connect_Generic_Option_Settings::endpoint_token for description.
      * @param string                               $redirect_uri      @see OpenID_Connect_Generic_Option_Settings::redirect_uri for description.
+     * @param string                               $acr_values        @see OpenID_Connect_Generic_Option_Settings::acr_values for description.
      * @param int                                  $state_time_limit  @see OpenID_Connect_Generic_Option_Settings::state_time_limit for description.
      * @param OpenID_Connect_Generic_Option_Logger $logger            The plugin logging object instance.
      */
-    public function __construct( $client_id, $client_secret, $scope, $endpoint_login, $endpoint_userinfo, $endpoint_token, $redirect_uri, $state_time_limit, $logger ) {
+    public function __construct( $client_id, $client_secret, $scope, $endpoint_login, $endpoint_userinfo, $endpoint_token, $redirect_uri, $acr_values, $state_time_limit, $logger ) {
         $this->client_id = $client_id;
         $this->client_secret = $client_secret;
@@ -120 +130 @@
         $this->endpoint_token = $endpoint_token;
         $this->redirect_uri = $redirect_uri;
+        $this->acr_values = $acr_values;
         $this->state_time_limit = $state_time_limit;
         $this->logger = $logger;
@@ -213 +224 @@
         );
 
+        if ( ! empty( $this->acr_values ) ) {
+            $request['body'] += array( 'acr_values' => $this->acr_values );
+        }
+
         // Allow modifications to the request.
         $request = apply_filters( 'openid-connect-generic-alter-request', $request, 'get-authentication-token' );
@@ -465 +480 @@
         }
 
+        // Validate acr values when the option is set in the configuration.
+        if ( ! empty( $this->acr_values ) && isset( $id_token_claim['acr'] ) ) {
+            if ( $this->acr_values != $id_token_claim['acr'] ) {
+                return new WP_Error( 'no-match-acr', __( 'No matching acr values.', 'daggerhart-openid-connect-generic' ), $id_token_claim );
+            }
+        }
+
         return true;
     }

daggerhart-openid-connect-generic/tags/3.9.0/includes/openid-connect-generic-option-settings.php

@@ -34 +34 @@
  * @property string $endpoint_token       The IDP token validation endpoint URL.
  * @property string $endpoint_end_session The IDP logout endpoint URL.
+ * @property string $acr_values           The Authentication contract as defined on the IDP.
  *
  * Non-standard Settings:
@@ -87 +88 @@
      */
     private $environment_settings = array(
-        'client_id'            => 'OIDC_CLIENT_ID',
-        'client_secret'        => 'OIDC_CLIENT_SECRET',
-        'endpoint_login'       => 'OIDC_ENDPOINT_LOGIN_URL',
-        'endpoint_userinfo'    => 'OIDC_ENDPOINT_USERINFO_URL',
-        'endpoint_token'       => 'OIDC_ENDPOINT_TOKEN_URL',
-        'endpoint_end_session' => 'OIDC_ENDPOINT_LOGOUT_URL',
+        'client_id'                 => 'OIDC_CLIENT_ID',
+        'client_secret'             => 'OIDC_CLIENT_SECRET',
+        'endpoint_end_session'      => 'OIDC_ENDPOINT_LOGOUT_URL',
+        'endpoint_login'            => 'OIDC_ENDPOINT_LOGIN_URL',
+        'endpoint_token'            => 'OIDC_ENDPOINT_TOKEN_URL',
+        'endpoint_userinfo'         => 'OIDC_ENDPOINT_USERINFO_URL',
+        'login_type'                => 'OIDC_LOGIN_TYPE',
+        'scope'                     => 'OIDC_CLIENT_SCOPE',
+        'create_if_does_not_exist'  => 'OIDC_CREATE_IF_DOES_NOT_EXIST',
+        'enforce_privacy'           => 'OIDC_ENFORCE_PRIVACY',
+        'link_existing_users'       => 'OIDC_LINK_EXISTING_USERS',
+        'redirect_on_logout'        => 'OIDC_REDIRECT_ON_LOGOUT',
+        'redirect_user_back'        => 'OIDC_REDIRECT_USER_BACK',
+        'acr_values'                => 'OIDC_ACR_VALUES',
     );
 

daggerhart-openid-connect-generic/tags/3.9.0/includes/openid-connect-generic-settings-page.php

@@ -217 +217 @@
                     'auto'   => __( 'Auto Login - SSO', 'daggerhart-openid-connect-generic' ),
                 ),
+                'disabled'    => defined( 'OIDC_LOGIN_TYPE' ),
                 'section'     => 'client_settings',
             ),
@@ -239 +240 @@
                 'example'     => 'email profile openid offline_access',
                 'type'        => 'text',
+                'disabled'    => defined( 'OIDC_CLIENT_SCOPE' ),
                 'section'     => 'client_settings',
             ),
@@ -273 +275 @@
                 'section'     => 'client_settings',
             ),
+            'acr_values'    => array(
+                'title'       => __( 'ACR values', 'daggerhart-openid-connect-generic' ),
+                'description' => __( 'Use a specific defined authentication contract from the IDP - optional.', 'daggerhart-openid-connect-generic' ),
+                'type'        => 'text',
+                'disabled'    => defined( 'OIDC_ACR_VALUES' ),
+                'section'     => 'client_settings',
+            ),
             'identity_key'     => array(
                 'title'       => __( 'Identity Key', 'daggerhart-openid-connect-generic' ),
@@ -298 +307 @@
                 'description' => __( 'Require users be logged in to see the site.', 'daggerhart-openid-connect-generic' ),
                 'type'        => 'checkbox',
+                'disabled'    => defined( 'OIDC_ENFORCE_PRIVACY' ),
                 'section'     => 'authorization_settings',
             ),
@@ -349 +359 @@
                 'description' => __( 'If a WordPress account already exists with the same identity as a newly-authenticated user over OpenID Connect, login as that user instead of generating an error.', 'daggerhart-openid-connect-generic' ),
                 'type'        => 'checkbox',
+                'disabled'    => defined( 'OIDC_LINK_EXISTING_USERS' ),
                 'section'     => 'user_settings',
             ),
             'create_if_does_not_exist'   => array(
                 'title'       => __( 'Create user if does not exist', 'daggerhart-openid-connect-generic' ),
-                'description' => __( 'If the user identity is not link to an existing Wordpress user, it is created. If this setting is not enabled and if the user authenticates with an account which is not link to an existing Wordpress user then the authentication failed', 'daggerhart-openid-connect-generic' ),
-                'type'        => 'checkbox',
+                'description' => __( 'If the user identity is not linked to an existing WordPress user, it is created. If this setting is not enabled, and if the user authenticates with an account which is not linked to an existing WordPress user, then the authentication will fail.', 'daggerhart-openid-connect-generic' ),
+                'type'        => 'checkbox',
+                'disabled'    => defined( 'OIDC_CREATE_IF_DOES_NOT_EXIST' ),
                 'section'     => 'user_settings',
             ),
@@ -361 +373 @@
                 'description' => __( 'After a successful OpenID Connect authentication, this will redirect the user back to the page on which they clicked the OpenID Connect login button. This will cause the login process to proceed in a traditional WordPress fashion. For example, users logging in through the default wp-login.php page would end up on the WordPress Dashboard and users logging in through the WooCommerce "My Account" page would end up on their account page.', 'daggerhart-openid-connect-generic' ),
                 'type'        => 'checkbox',
+                'disabled'    => defined( 'OIDC_REDIRECT_USER_BACK' ),
                 'section'     => 'user_settings',
             ),
@@ -367 +380 @@
                 'description' => __( 'When enabled, this will automatically redirect the user back to the WordPress login page if their access token has expired.', 'daggerhart-openid-connect-generic' ),
                 'type'        => 'checkbox',
+                'disabled'    => defined( 'OIDC_REDIRECT_ON_LOGOUT' ),
                 'section'     => 'user_settings',
             ),
@@ -415 +429 @@
      */
     public function settings_page() {
+        wp_enqueue_style( 'daggerhart-openid-connect-generic-admin', plugin_dir_url( __DIR__ ) . 'css/styles-admin.css', array(), OpenID_Connect_Generic::VERSION, 'all' );
+
         $redirect_uri = admin_url( 'admin-ajax.php?action=openid-connect-authorize' );
 
@@ -473 +489 @@
         ?>
         <input type="<?php print esc_attr( $field['type'] ); ?>"
-                <?php echo ( ! empty( $field['disabled'] ) && boolval( $field['disabled'] ) ) ? ' disabled' : ''; ?>
+                <?php echo ( ! empty( $field['disabled'] ) && boolval( $field['disabled'] ) === true ) ? ' disabled' : ''; ?>
               id="<?php print esc_attr( $field['key'] ); ?>"
-              class="large-text<?php echo ( ! empty( $field['disabled'] ) && boolval( $field['disabled'] ) ) ? ' disabled' : ''; ?>"
+              class="large-text<?php echo ( ! empty( $field['disabled'] ) && boolval( $field['disabled'] ) === true ) ? ' disabled' : ''; ?>"
               name="<?php print esc_attr( $field['name'] ); ?>"
               value="<?php print esc_attr( $this->settings->{ $field['key'] } ); ?>">
@@ -531 +547 @@
         ?>
         <p class="description">
-            <?php print esc_html( $field['description'] ); ?>
+            <?php print wp_kses_post( $field['description'] ); ?>
             <?php if ( isset( $field['example'] ) ) : ?>
                 <br/><strong><?php esc_html_e( 'Example', 'daggerhart-openid-connect-generic' ); ?>: </strong>

daggerhart-openid-connect-generic/tags/3.9.0/languages/openid-connect-generic.pot

@@ -1 @@
-# Copyright (C) 2021 daggerhart
+# Copyright (C) 2022 daggerhart
 # This file is distributed under the GPL-2.0+.
 msgid ""
 msgstr ""
-"Project-Id-Version: OpenID Connect Generic 3.8.5\n"
+"Project-Id-Version: OpenID Connect Generic 3.9.0\n"
 "Report-Msgid-Bugs-To: "
 "https://github.com/daggerhart/openid-connect-generic/issues\n"
-"POT-Creation-Date: 2021-04-16 03:38:39+00:00\n"
+"POT-Creation-Date: 2022-03-22 03:28:37+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"PO-Revision-Date: 2021-MO-DA HO:MI+ZONE\n"
+"PO-Revision-Date: 2022-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -26 +26 @@
 "X-Generator: grunt-wp-i18n 1.0.3\n"
 
-#: includes/openid-connect-generic-client-wrapper.php:277
+#: includes/openid-connect-generic-client-wrapper.php:288
 msgid "Session expired. Please login again."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:520
+#: includes/openid-connect-generic-client-wrapper.php:535
 msgid "User identity is not linked to an existing WordPress user."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:576
+#: includes/openid-connect-generic-client-wrapper.php:589
 msgid "Invalid user."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:695
+#: includes/openid-connect-generic-client-wrapper.php:775
 msgid "No appropriate username found."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:703
-#. translators: $1$s is a username from the IDP.
-msgid "Username %1$s could not be transliterated."
-msgstr ""
-
-#: includes/openid-connect-generic-client-wrapper.php:708
-#. translators: %1$s is the ASCII version of the username from the IDP.
-msgid "Username %1$s could not be normalized."
-msgstr ""
-
-#: includes/openid-connect-generic-client-wrapper.php:742
+#: includes/openid-connect-generic-client-wrapper.php:785
+#. translators: %1$s is the santitized version of the username from the IDP.
+msgid "Username %1$s could not be sanitized."
+msgstr ""
+
+#: includes/openid-connect-generic-client-wrapper.php:807
 #. translators: %1$s is the configured User Claim nickname key.
 msgid "No nickname found in user claim using key: %1$s."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:769
+#: includes/openid-connect-generic-client-wrapper.php:904
 msgid "User claim incomplete."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:871
+#: includes/openid-connect-generic-client-wrapper.php:1006
 msgid "Bad user claim result."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:926
+#: includes/openid-connect-generic-client-wrapper.php:1070
 msgid "Can not authorize."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:945
+#: includes/openid-connect-generic-client-wrapper.php:1099
 msgid "Failed user creation."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:165
+#: includes/openid-connect-generic-client.php:176
 msgid "Missing state."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:169
+#: includes/openid-connect-generic-client.php:180
 msgid "Invalid state."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:184
+#: includes/openid-connect-generic-client.php:195
 msgid "Missing authentication code."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:223
+#: includes/openid-connect-generic-client.php:238
 msgid "Request for authentication token failed."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:254
+#: includes/openid-connect-generic-client.php:269
 msgid "Refresh token failed."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:269
+#: includes/openid-connect-generic-client.php:284
 msgid "Missing token body."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:277
+#: includes/openid-connect-generic-client.php:292
 msgid "Invalid token."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:328
+#: includes/openid-connect-generic-client.php:343
 msgid "Request for userinfo failed."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:388
+#: includes/openid-connect-generic-client.php:403
 msgid "Missing authentication state."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:425
+#: includes/openid-connect-generic-client.php:440
 msgid "No identity token."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:432
+#: includes/openid-connect-generic-client.php:447
 msgid "Missing identity token."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:459
+#: includes/openid-connect-generic-client.php:474
 msgid "Bad ID token claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:464
+#: includes/openid-connect-generic-client.php:479
 msgid "No subject identity."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:483
+#: includes/openid-connect-generic-client.php:485
+msgid "No matching acr values."
+msgstr ""
+
+#: includes/openid-connect-generic-client.php:505
 msgid "Bad user claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:503
+#: includes/openid-connect-generic-client.php:525
 msgid "Invalid user claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:508
+#: includes/openid-connect-generic-client.php:530
 msgid "Error from the IDP."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:517
+#: includes/openid-connect-generic-client.php:539
 msgid "Incorrect user claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:524
+#: includes/openid-connect-generic-client.php:546
 msgid "Unauthorized access."
 msgstr ""
@@ -210 +209 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:222
+#: includes/openid-connect-generic-settings-page.php:223
 msgid "Client ID"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:223
+#: includes/openid-connect-generic-settings-page.php:224
 msgid ""
 "The ID this client will be recognized as when connecting the to Identity "
@@ -220 +219 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:230
+#: includes/openid-connect-generic-settings-page.php:231
 msgid "Client Secret Key"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:231
+#: includes/openid-connect-generic-settings-page.php:232
 msgid ""
 "Arbitrary secret key the server expects from this client. Can be anything, "
@@ -230 +229 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:237
+#: includes/openid-connect-generic-settings-page.php:238
 msgid "OpenID Scope"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:238
+#: includes/openid-connect-generic-settings-page.php:239
 msgid "Space separated list of scopes this client should access."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:244
+#: includes/openid-connect-generic-settings-page.php:246
 msgid "Login Endpoint URL"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:245
+#: includes/openid-connect-generic-settings-page.php:247
 msgid "Identify provider authorization endpoint."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:252
+#: includes/openid-connect-generic-settings-page.php:254
 msgid "Userinfo Endpoint URL"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:253
+#: includes/openid-connect-generic-settings-page.php:255
 msgid "Identify provider User information endpoint."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:260
+#: includes/openid-connect-generic-settings-page.php:262
 msgid "Token Validation Endpoint URL"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:261
+#: includes/openid-connect-generic-settings-page.php:263
 msgid "Identify provider token endpoint."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:268
+#: includes/openid-connect-generic-settings-page.php:270
 msgid "End Session Endpoint URL"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:269
+#: includes/openid-connect-generic-settings-page.php:271
 msgid "Identify provider logout endpoint."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:276
+#: includes/openid-connect-generic-settings-page.php:278
+msgid "ACR values"
+msgstr ""
+
+#: includes/openid-connect-generic-settings-page.php:279
+msgid "Use a specific defined authentication contract from the IDP - optional."
+msgstr ""
+
+#: includes/openid-connect-generic-settings-page.php:285
 msgid "Identity Key"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:277
+#: includes/openid-connect-generic-settings-page.php:286
 msgid ""
 "Where in the user claim array to find the user's identification data. "
@@ -281 +288 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:283
+#: includes/openid-connect-generic-settings-page.php:292
 msgid "Disable SSL Verify"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:285
+#: includes/openid-connect-generic-settings-page.php:294
 #. translators: %1$s HTML tags for layout/styles, %2$s closing HTML tag for
 #. styles.
@@ -296 +303 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:290
+#: includes/openid-connect-generic-settings-page.php:299
 msgid "HTTP Request Timeout"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:291
+#: includes/openid-connect-generic-settings-page.php:300
 msgid "Set the timeout for requests made to the IDP. Default value is 5."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:297
+#: includes/openid-connect-generic-settings-page.php:306
 msgid "Enforce Privacy"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:298
+#: includes/openid-connect-generic-settings-page.php:307
 msgid "Require users be logged in to see the site."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:303
+#: includes/openid-connect-generic-settings-page.php:313
 msgid "Alternate Redirect URI"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:304
+#: includes/openid-connect-generic-settings-page.php:314
 msgid ""
 "Provide an alternative redirect route. Useful if your server is causing "
@@ -324 +331 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:309
+#: includes/openid-connect-generic-settings-page.php:319
 msgid "Nickname Key"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:310
+#: includes/openid-connect-generic-settings-page.php:320
 msgid ""
 "Where in the user claim array to find the user's nickname. Possible "
@@ -334 +341 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:316
+#: includes/openid-connect-generic-settings-page.php:326
 msgid "Email Formatting"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:317
+#: includes/openid-connect-generic-settings-page.php:327
 msgid ""
 "String from which the user's email address is built. Specify \"{email}\" as "
@@ -344 +351 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:323
+#: includes/openid-connect-generic-settings-page.php:333
 msgid "Display Name Formatting"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:324
+#: includes/openid-connect-generic-settings-page.php:334
 msgid "String from which the user's display name is built."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:330
+#: includes/openid-connect-generic-settings-page.php:340
 msgid "Identify with User Name"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:331
+#: includes/openid-connect-generic-settings-page.php:341
 msgid ""
 "If checked, the user's identity will be determined by the user name instead "
@@ -362 +369 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:336
+#: includes/openid-connect-generic-settings-page.php:346
 msgid "State time limit"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:337
+#: includes/openid-connect-generic-settings-page.php:347
 msgid "State valid time in seconds. Defaults to 180"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:342
+#: includes/openid-connect-generic-settings-page.php:352
 msgid "Enable Refresh Token"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:343
+#: includes/openid-connect-generic-settings-page.php:353
 msgid ""
 "If checked, support refresh tokens used to obtain access tokens from "
@@ -380 +387 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:348
+#: includes/openid-connect-generic-settings-page.php:358
 msgid "Link Existing Users"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:349
+#: includes/openid-connect-generic-settings-page.php:359
 msgid ""
 "If a WordPress account already exists with the same identity as a "
@@ -391 +398 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:354
+#: includes/openid-connect-generic-settings-page.php:365
 msgid "Create user if does not exist"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:355
-msgid ""
-"If the user identity is not link to an existing Wordpress user, it is "
-"created. If this setting is not enabled and if the user authenticates with "
-"an account which is not link to an existing Wordpress user then the "
-"authentication failed"
-msgstr ""
-
-#: includes/openid-connect-generic-settings-page.php:360
+#: includes/openid-connect-generic-settings-page.php:366
+msgid ""
+"If the user identity is not linked to an existing WordPress user, it is "
+"created. If this setting is not enabled, and if the user authenticates with "
+"an account which is not linked to an existing WordPress user, then the "
+"authentication will fail."
+msgstr ""
+
+#: includes/openid-connect-generic-settings-page.php:372
 msgid "Redirect Back to Origin Page"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:361
+#: includes/openid-connect-generic-settings-page.php:373
 msgid ""
 "After a successful OpenID Connect authentication, this will redirect the "
@@ -418 +425 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:366
+#: includes/openid-connect-generic-settings-page.php:379
 msgid "Redirect to the login screen when session is expired"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:367
+#: includes/openid-connect-generic-settings-page.php:380
 msgid ""
 "When enabled, this will automatically redirect the user back to the "
@@ -428 +435 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:372
+#: includes/openid-connect-generic-settings-page.php:386
 msgid "Enable Logging"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:373
+#: includes/openid-connect-generic-settings-page.php:387
 msgid "Very simple log messages for debugging purposes."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:378
+#: includes/openid-connect-generic-settings-page.php:392
 msgid "Log Limit"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:379
+#: includes/openid-connect-generic-settings-page.php:393
 msgid ""
 "Number of items to keep in the log. These logs are stored as an option in "
@@ -446 +453 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:439
+#: includes/openid-connect-generic-settings-page.php:455
 msgid "Notes"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:442
+#: includes/openid-connect-generic-settings-page.php:458
 msgid "Redirect URI"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:446
+#: includes/openid-connect-generic-settings-page.php:462
 msgid "Login Button Shortcode"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:450
+#: includes/openid-connect-generic-settings-page.php:466
 msgid "Authentication URL Shortcode"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:455
+#: includes/openid-connect-generic-settings-page.php:471
 msgid "Logs"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:535
+#: includes/openid-connect-generic-settings-page.php:551
 msgid "Example"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:548
+#: includes/openid-connect-generic-settings-page.php:564
 msgid "Enter your OpenID Connect identity provider settings."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:557
+#: includes/openid-connect-generic-settings-page.php:573
 msgid "Modify the interaction between OpenID Connect and WordPress users."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:566
+#: includes/openid-connect-generic-settings-page.php:582
 msgid "Control the authorization mechanics of the site."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:575
+#: includes/openid-connect-generic-settings-page.php:591
 msgid "Log information about login attempts through OpenID Connect Generic."
 msgstr ""
 
-#: openid-connect-generic.php:202
+#: openid-connect-generic.php:213
 msgid "Private site"
 msgstr ""

daggerhart-openid-connect-generic/tags/3.9.0/openid-connect-generic.php

@@ -17 +17 @@
  * Plugin URI:        https://github.com/daggerhart/openid-connect-generic
  * Description:       Connect to an OpenID Connect generic client using Authorization Code Flow.
- * Version:           3.8.5
+ * Version:           3.9.0
+ * Requires at least: 4.9
+ * Requires PHP:      7.2
  * Author:            daggerhart
  * Author URI:        http://www.daggerhart.com
@@ -45 +47 @@
 
   Actions
-  - openid-connect-generic-user-create        - 2 args: fires when a new user is created by this plugin
-  - openid-connect-generic-user-update        - 1 arg: user ID, fires when user is updated by this plugin
-  - openid-connect-generic-update-user-using-current-claim - 2 args: fires every time an existing user logs
-  - openid-connect-generic-redirect-user-back - 2 args: $redirect_url, $user. Allows interruption of redirect during login.
-  - openid-connect-generic-user-logged-in     - 1 arg: $user, fires when user is logged in.
-  - openid-connect-generic-cron-daily         - daily cron action
-  - openid-connect-generic-state-not-found    - the given state does not exist in the database, regardless of its expiration.
-  - openid-connect-generic-state-expired      - the given state exists, but expired before this login attempt.
+  - openid-connect-generic-user-create                     - 2 args: fires when a new user is created by this plugin
+  - openid-connect-generic-user-update                     - 1 arg: user ID, fires when user is updated by this plugin
+  - openid-connect-generic-update-user-using-current-claim - 2 args: fires every time an existing user logs in and the claims are updated.
+  - openid-connect-generic-redirect-user-back              - 2 args: $redirect_url, $user. Allows interruption of redirect during login.
+  - openid-connect-generic-user-logged-in                  - 1 arg: $user, fires when user is logged in.
+  - openid-connect-generic-cron-daily                      - daily cron action
+  - openid-connect-generic-state-not-found                 - the given state does not exist in the database, regardless of its expiration.
+  - openid-connect-generic-state-expired                   - the given state exists, but expired before this login attempt.
+
+  Callable actions
 
   User Meta
@@ -77 +81 @@
 
     /**
+     * Singleton instance of self
+     *
+     * @var OpenID_Connect_Generic
+     */
+    protected static $_instance = null;
+
+    /**
      * Plugin version.
      *
-     * @var
-     */
-    const VERSION = '3.8.5';
+     * @var string
+     */
+    const VERSION = '3.9.0';
 
     /**
@@ -109 +120 @@
      * @var OpenID_Connect_Generic_Client_Wrapper
      */
-    private $client_wrapper;
+    public $client_wrapper;
 
     /**
@@ -122 +133 @@
         $this->settings = $settings;
         $this->logger = $logger;
+        self::$_instance = $this;
     }
 
@@ -130 +142 @@
      */
     public function init() {
-
-        wp_enqueue_style( 'daggerhart-openid-connect-generic-admin', plugin_dir_url( __FILE__ ) . 'css/styles-admin.css', array(), self::VERSION, 'all' );
 
         $redirect_uri = admin_url( 'admin-ajax.php?action=openid-connect-authorize' );
@@ -152 +162 @@
             $this->settings->endpoint_token,
             $redirect_uri,
+            $this->settings->acr_values,
             $state_time_limit,
             $this->logger
@@ -328 +339 @@
             array(
                 // OAuth client settings.
-                'login_type'           => 'button',
+                'login_type'           => defined( 'OIDC_LOGIN_TYPE' ) ? OIDC_LOGIN_TYPE : 'button',
                 'client_id'            => defined( 'OIDC_CLIENT_ID' ) ? OIDC_CLIENT_ID : '',
                 'client_secret'        => defined( 'OIDC_CLIENT_SECRET' ) ? OIDC_CLIENT_SECRET : '',
-                'scope'                => '',
+                'scope'                => defined( 'OIDC_CLIENT_SCOPE' ) ? OIDC_CLIENT_SCOPE : '',
                 'endpoint_login'       => defined( 'OIDC_ENDPOINT_LOGIN_URL' ) ? OIDC_ENDPOINT_LOGIN_URL : '',
                 'endpoint_userinfo'    => defined( 'OIDC_ENDPOINT_USERINFO_URL' ) ? OIDC_ENDPOINT_USERINFO_URL : '',
                 'endpoint_token'       => defined( 'OIDC_ENDPOINT_TOKEN_URL' ) ? OIDC_ENDPOINT_TOKEN_URL : '',
                 'endpoint_end_session' => defined( 'OIDC_ENDPOINT_LOGOUT_URL' ) ? OIDC_ENDPOINT_LOGOUT_URL : '',
+                'acr_values'           => defined( 'OIDC_ACR_VALUES' ) ? OIDC_ACR_VALUES : '',
 
                 // Non-standard settings.
@@ -347 +359 @@
 
                 // Plugin settings.
-                'enforce_privacy' => 0,
+                'enforce_privacy' => defined( 'OIDC_ENFORCE_PRIVACY' ) ? intval( OIDC_ENFORCE_PRIVACY ) : 0,
                 'alternate_redirect_uri' => 0,
                 'token_refresh_enable' => 1,
-                'link_existing_users' => 0,
-                'create_if_does_not_exist' => 1,
-                'redirect_user_back' => 0,
-                'redirect_on_logout' => 1,
+                'link_existing_users' => defined( 'OIDC_LINK_EXISTING_USERS' ) ? intval( OIDC_LINK_EXISTING_USERS ) : 0,
+                'create_if_does_not_exist' => defined( 'OIDC_CREATE_IF_DOES_NOT_EXIST' ) ? intval( OIDC_CREATE_IF_DOES_NOT_EXIST ) : 1,
+                'redirect_user_back' => defined( 'OIDC_REDIRECT_USER_BACK' ) ? intval( OIDC_REDIRECT_USER_BACK ) : 0,
+                'redirect_on_logout' => defined( 'OIDC_REDIRECT_ON_LOGOUT' ) ? intval( OIDC_REDIRECT_ON_LOGOUT ) : 1,
                 'enable_logging'  => 0,
                 'log_limit'       => 1000,
@@ -371 +383 @@
         add_filter( 'comment_text_rss', array( $plugin, 'enforce_privacy_feeds' ), 999 );
     }
+
+    /**
+     * Create (if needed) and return a singleton of self.
+     *
+     * @return OpenID_Connect_Generic
+     */
+    public static function instance() {
+        if ( null === self::$_instance ) {
+            self::bootstrap();
+        }
+        return self::$_instance;
+    }
 }
 
-OpenID_Connect_Generic::bootstrap();
+OpenID_Connect_Generic::instance();
 
 register_activation_hook( __FILE__, array( 'OpenID_Connect_Generic', 'activation' ) );
 register_deactivation_hook( __FILE__, array( 'OpenID_Connect_Generic', 'deactivation' ) );
+
+// Provide publicly accessible plugin helper functions.
+require_once( 'includes/functions.php' );

daggerhart-openid-connect-generic/tags/3.9.0/readme.txt

@@ -4 +4 @@
 Tags: security, login, oauth2, openidconnect, apps, authentication, autologin, sso
 Requires at least: 4.9
-Tested up to: 5.7.1
-Stable tag: 3.8.5
-Requires PHP: 7.1
+Tested up to: 5.9.2
+Stable tag: 3.9.0
+Requires PHP: 7.2
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -52 +52 @@
 == Changelog ==
 
-= 3.8.5
-
-* Fix: @timnolte - Fixes missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
-* Fix: @timnolte - Fixes Redirect URL Logic to Handle Sub-directory Installs.
-* Fix: @timnolte - Fixes to provide proper redirect user back for the openid_connect_generic_auth_url shortcode.
+= 3.9.0 =
+
+* Feature: @matchaxnb - Added support for additional configuration constants.
+* Feature: @schanzen - Added support for agregated claims.
+* Fix: @rkcreation - Fixed access token not updating user metadata after login.
+* Fix: @danc1248 - Fixed user creation issue on Multisite Networks.
+* Feature: @RobjS - Added plugin singleton to support for more developer customization.
+* Feature: @jkouris - Added action hook to allow custom handling of session expiration.
+* Fix: @tommcc - Fixed admin CSS loading only on the plugin settings screen.
+* Feature: @rkcreation - Added method to refresh the user claim.
+* Feature: @Glowsome - Added acr_values support & verification checks that it when defined in options is honored.
+* Fix: @timnolte - Fixed regression which caused improper fallback on missing claims.
+* Fix: @slykar - Fixed missing query string handling in redirect URL.
+* Fix: @timnolte - Fixed issue with some user linking and user creation handling.
+* Improvement: @timnolte - Fixed plugin settings typos and screen formatting.
+* Security: @timnolte - Updated build tooling security vulnerabilities.
+* Improvement: @timnolte - Changed build tooling scripts.
+
+= 3.8.5 =
+
+* Fix: @timnolte - Fixed missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
+* Fix: @timnolte - Fixed Redirect URL Logic to Handle Sub-directory Installs.
+* Fix: @timnolte - Fixed issue with redirecting user back when the openid_connect_generic_auth_url shortcode is used.
 
 = 3.8.4 =

daggerhart-openid-connect-generic/trunk/CHANGELOG.md

@@ -1 +1 @@
 # OpenId Connect Generic Changelog
 
-3.8.5
-* Fix: @timnolte - Fixes missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
-* Fix: @timnolte - Fixes Redirect URL Logic to Handle Sub-directory Installs.
-* Fix: @timnolte - Fixes to provide proper redirect user back for the openid_connect_generic_auth_url shortcode.
+3.9.0
 
-3.8.4
-* Fix: @timnolte - Fixed invalid State object access for redirection handling.
-* Improvement: @timnolte - Fixed local wp-env Docker development environment.
-* Improvement: @timnolte - Fixed Composer scripts for linting and static analysis.
+- Feature: @matchaxnb - Added support for additional configuration constants.
+- Feature: @schanzen - Added support for agregated claims.
+- Fix: @rkcreation - Fixed access token not updating user metadata after login.
+- Fix: @danc1248 - Fixed user creation issue on Multisite Networks.
+- Feature: @RobjS - Added plugin singleton to support for more developer customization.
+- Feature: @jkouris - Added action hook to allow custom handling of session expiration.
+- Fix: @tommcc - Fixed admin CSS loading only on the plugin settings screen.
+- Feature: @rkcreation - Added method to refresh the user claim.
+- Feature: @Glowsome - Added acr_values support & verification checks that it when defined in options is honored.
+- Fix: @timnolte - Fixed regression which caused improper fallback on missing claims.
+- Fix: @slykar - Fixed missing query string handling in redirect URL.
+- Fix: @timnolte - Fixed issue with some user linking and user creation handling.
+- Improvement: @timnolte - Fixed plugin settings typos and screen formatting.
+- Security: @timnolte - Updated build tooling security vulnerabilities.
+- Improvement: @timnolte - Changed build tooling scripts.
 
-3.8.3
+  3.8.5
 
-* Fix: @timnolte - Fixed problems with proper redirect handling.
-* Improvement: @timnolte - Changes redirect handling to use State instead of cookies.
-* Improvement: @timnolte - Refactored additional code to meet coding standards.
+- Fix: @timnolte - Fixed missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
+- Fix: @timnolte - Fixed Redirect URL Logic to Handle Sub-directory Installs.
+- Fix: @timnolte - Fixed issue with redirecting user back when the openid_connect_generic_auth_url shortcode is used.
 
-3.8.2
+  3.8.4
 
-* Fix: @timnolte - Fixed reported XSS vulnerability on WordPress login screen.
+- Fix: @timnolte - Fixed invalid State object access for redirection handling.
+- Improvement: @timnolte - Fixed local wp-env Docker development environment.
+- Improvement: @timnolte - Fixed Composer scripts for linting and static analysis.
 
-3.8.1
+  3.8.3
 
-* Fix: @timnolte - Prevent SSO redirect on password protected posts.
-* Fix: @timnolte - CI/CD build issues.
-* Fix: @timnolte - Invalid redirect handling on logout for Auto Login setting.
+- Fix: @timnolte - Fixed problems with proper redirect handling.
+- Improvement: @timnolte - Changes redirect handling to use State instead of cookies.
+- Improvement: @timnolte - Refactored additional code to meet coding standards.
 
-3.8.0
+  3.8.2
 
-* Feature: @timnolte - Ability to use 6 new constants for setting client configuration instead of storing in the DB.
-* Improvement: @timnolte - NPM version requirements for development.
-* Improvement: @timnolte - Travis CI build fixes.
-* Improvement: @timnolte - GrumPHP configuration updates for code contributions.
-* Improvement: @timnolte - Refactored to meet WordPress coding standards.
-* Improvement: @timnolte - Refactored to provide localization.
-* Improvement: @timnolte - Refactored to provide a Docker-based local development environment.
+- Fix: @timnolte - Fixed reported XSS vulnerability on WordPress login screen.
 
-3.7.1
+  3.8.1
 
-* Fix: Release Version Number.
+- Fix: @timnolte - Prevent SSO redirect on password protected posts.
+- Fix: @timnolte - CI/CD build issues.
+- Fix: @timnolte - Invalid redirect handling on logout for Auto Login setting.
 
-3.7.0
+  3.8.0
 
-* Feature: @timnolte - Ability to enable/disable token refresh. Useful for IDPs that don't support token refresh.
-* Feature: @timnolte - Support custom redirect URL(`redirect_to`) with the authentication URL & login button shortcodes.
+- Feature: @timnolte - Ability to use 6 new constants for setting client configuration instead of storing in the DB.
+- Improvement: @timnolte - NPM version requirements for development.
+- Improvement: @timnolte - Travis CI build fixes.
+- Improvement: @timnolte - GrumPHP configuration updates for code contributions.
+- Improvement: @timnolte - Refactored to meet WordPress coding standards.
+- Improvement: @timnolte - Refactored to provide localization.
+- Improvement: @timnolte - Refactored to provide a Docker-based local development environment.
+
+  3.7.1
+
+- Fix: Release Version Number.
+
+  3.7.0
+
+- Feature: @timnolte - Ability to enable/disable token refresh. Useful for IDPs that don't support token refresh.
+- Feature: @timnolte - Support custom redirect URL(`redirect_to`) with the authentication URL & login button shortcodes.
+
   - Supports additional attribute overrides including login `button_text`, `endpoint_login`, `scope`, `redirect_uri`.
 
-3.6.0
+    3.6.0
 
-* Improvement: @RobjS - Improved error messages during login state failure.
-* Improvement: @RobjS - New developer filter for login form button URL.
-* Fix: @cs1m0n - Only increment username during new user creation if the "Link existing user" setting is enabled.
-* Fix: @xRy-42 - Allow periods and spaces in usernames to match what WordPress core allows.
-* Feature: @benochen - New setting named "Create user if does not exist" determines whether new users are created during login attempts.
-* Improvement: @flat235 - Username transliteration and normalization.
+- Improvement: @RobjS - Improved error messages during login state failure.
+- Improvement: @RobjS - New developer filter for login form button URL.
+- Fix: @cs1m0n - Only increment username during new user creation if the "Link existing user" setting is enabled.
+- Fix: @xRy-42 - Allow periods and spaces in usernames to match what WordPress core allows.
+- Feature: @benochen - New setting named "Create user if does not exist" determines whether new users are created during login attempts.
+- Improvement: @flat235 - Username transliteration and normalization.
 
-3.5.1
+  3.5.1
 
-* Fix: @daggerhart - New approach to state management using transients.
+- Fix: @daggerhart - New approach to state management using transients.
 
-3.5.0
+  3.5.0
 
-* Readme fix: @thijskh - Fix syntax error in example openid-connect-generic-login-button-text
-* Feature: @slavicd - Allow override of the plugin by posting credentials to wp-login.php
-* Feature: @gassan - New action on use login
-* Fix: @daggerhart - Avoid double question marks in auth url query string
-* Fix: @drzraf - wp-cli bootstrap must not inhibit custom rewrite rules
-* Syntax change: @mullikine - Change PHP keywords to comply with PSR2
+- Readme fix: @thijskh - Fix syntax error in example openid-connect-generic-login-button-text
+- Feature: @slavicd - Allow override of the plugin by posting credentials to wp-login.php
+- Feature: @gassan - New action on use login
+- Fix: @daggerhart - Avoid double question marks in auth url query string
+- Fix: @drzraf - wp-cli bootstrap must not inhibit custom rewrite rules
+- Syntax change: @mullikine - Change PHP keywords to comply with PSR2
 
 **3.4.1**
 
-* Minor documentation update and additional error checking.
+- Minor documentation update and additional error checking.
 
 **3.4.0**
 
-* Feature: @drzraf - New filter hook: ability to filter claim and derived user data before user creation.
-* Feature: @anttileppa - State time limit can now be changed on the settings page.
-* Fix: @drzraf - Fix PHP notice when using traditional login, $token_response may be empty.
-* Fix: @drzraf - Fixed a notice when cookie does not contain expected redirect_url 
+- Feature: @drzraf - New filter hook: ability to filter claim and derived user data before user creation.
+- Feature: @anttileppa - State time limit can now be changed on the settings page.
+- Fix: @drzraf - Fix PHP notice when using traditional login, $token_response may be empty.
+- Fix: @drzraf - Fixed a notice when cookie does not contain expected redirect_url
 
 **3.3.1**
 
-* Prefixing classes for more efficient autoloading.
-* Avoid altering global wp_remote_post() parameters.
-* Minor metadata updates for wp.org
+- Prefixing classes for more efficient autoloading.
+- Avoid altering global wp_remote_post() parameters.
+- Minor metadata updates for wp.org
 
 **3.3.0**
 
-* Fix: @pjeby - Handle multiple user sessions better by using the `WP_Session_Tokens` object. Predecessor to fixes for multiple other issues: #49, #50, #51
+- Fix: @pjeby - Handle multiple user sessions better by using the `WP_Session_Tokens` object. Predecessor to fixes for multiple other issues: #49, #50, #51
 
 **3.2.1**
 
-* Bug fix: @svenvanhal - Exit after issuing redirect. Fixes #46
+- Bug fix: @svenvanhal - Exit after issuing redirect. Fixes #46
 
 **3.2.0**
 
-* Feature: @robbiepaul - trigger core action `wp_login` when user is logged in through this plugin
-* Feature: @moriyoshi - Determine the WP_User display name with replacement tokens on the settings page. Tokens can be any property of the user_claim.
-* Feature: New setting to set redirect URL when session expires.
-* Feature: @robbiepaul - New filter for modifying authentication URL
-* Fix: @cedrox - Adding id_token_hint to logout URL according to spec
-* Bug fix: Provide port to the request header when requesting the user_claim
+- Feature: @robbiepaul - trigger core action `wp_login` when user is logged in through this plugin
+- Feature: @moriyoshi - Determine the WP_User display name with replacement tokens on the settings page. Tokens can be any property of the user_claim.
+- Feature: New setting to set redirect URL when session expires.
+- Feature: @robbiepaul - New filter for modifying authentication URL
+- Fix: @cedrox - Adding id_token_hint to logout URL according to spec
+- Bug fix: Provide port to the request header when requesting the user_claim
 
 **3.1.0**
 
-* Feature: @rwasef1830 - Refresh tokens 
-* Feature: @rwasef1830 - Integrated logout support with end_session endpoint
-* Feature: May use an alternate redirect_uri that doesn't rely on admin-ajax
-* Feature: @ahatherly - Support for IDP behind reverse proxy
-* Bug fix: @robertstaddon - case insensitive check for Bearer token
-* Bug fix: @rwasef1830 - "redirect to origin when auto-sso" cookie issue
-* Bug fix: @rwasef1830 - PHP Warnings headers already sent due to attempts to redirect and set cookies during login form message
-* Bug fix: @rwasef1830 - expire session when access_token expires if no refresh token found
-* UX fix: @rwasef1830 - Show login button on error redirect when using auto-sso
+- Feature: @rwasef1830 - Refresh tokens
+- Feature: @rwasef1830 - Integrated logout support with end_session endpoint
+- Feature: May use an alternate redirect_uri that doesn't rely on admin-ajax
+- Feature: @ahatherly - Support for IDP behind reverse proxy
+- Bug fix: @robertstaddon - case insensitive check for Bearer token
+- Bug fix: @rwasef1830 - "redirect to origin when auto-sso" cookie issue
+- Bug fix: @rwasef1830 - PHP Warnings headers already sent due to attempts to redirect and set cookies during login form message
+- Bug fix: @rwasef1830 - expire session when access_token expires if no refresh token found
+- UX fix: @rwasef1830 - Show login button on error redirect when using auto-sso
 
 **3.0.8**
 
-* Feature: @wgengarelly - Added `openid-connect-generic-update-user-using-current-claim` action hook allowing other plugins/themes
+- Feature: @wgengarelly - Added `openid-connect-generic-update-user-using-current-claim` action hook allowing other plugins/themes
   to take action using the fresh claims received when an existing user logs in.
 
 **3.0.7**
 
-* Bug fix: @wgengarelly - When requesting userinfo, send the access token using the Authorization header field as recommended in 
-section 5.3.1 of the specs. 
+- Bug fix: @wgengarelly - When requesting userinfo, send the access token using the Authorization header field as recommended in
+  section 5.3.1 of the specs.
 
 **3.0.6**
 
-* Bug fix: @robertstaddon - If "Link Existing Users" is enabled, allow users who login with OpenID Connect to also log in with WordPress credentials
+- Bug fix: @robertstaddon - If "Link Existing Users" is enabled, allow users who login with OpenID Connect to also log in with WordPress credentials
 
 **3.0.5**
 
-* Feature: @robertstaddon - Added `[openid_connect_generic_login_button]` shortcode to allow the login button to be placed anywhere
-* Feature: @robertstaddon - Added setting to "Redirect Back to Origin Page" after a successful login instead of redirecting to the home page.
+- Feature: @robertstaddon - Added `[openid_connect_generic_login_button]` shortcode to allow the login button to be placed anywhere
+- Feature: @robertstaddon - Added setting to "Redirect Back to Origin Page" after a successful login instead of redirecting to the home page.
 
 **3.0.4**
 
-* Feature: @robertstaddon - Added setting to allow linking existing WordPress user accounts with newly-authenticated OpenID Connect login
+- Feature: @robertstaddon - Added setting to allow linking existing WordPress user accounts with newly-authenticated OpenID Connect login
 
 **3.0.3**
 
-* Using WordPresss's is_ssl() for setcookie()'s "secure" parameter
-* Bug fix: Incrementing username in case of collision.
-* Bug fix: Wrong error sent when missing token body
+- Using WordPresss's is_ssl() for setcookie()'s "secure" parameter
+- Bug fix: Incrementing username in case of collision.
+- Bug fix: Wrong error sent when missing token body
 
 **3.0.2**
 
-* Added http_request_timeout setting
+- Added http_request_timeout setting
 
 **3.0.1**
 
-* Finalizing 3.0.x api
+- Finalizing 3.0.x api
 
 **3.0**
 
-* Complete rewrite to separate concerns
-* Changed settings keys for clarity (requires updating settings if upgrading from another version)
-* Error logging
+- Complete rewrite to separate concerns
+- Changed settings keys for clarity (requires updating settings if upgrading from another version)
+- Error logging
 
 **2.1**
 
-* Working my way closer to spec. Possible breaking change.  Now checking for preferred_username as priority.
-* New username determination to avoid collisions
+- Working my way closer to spec. Possible breaking change. Now checking for preferred_username as priority.
+- New username determination to avoid collisions
 
 **2.0**
 
 Complete rewrite
-

daggerhart-openid-connect-generic/trunk/includes/openid-connect-generic-client-wrapper.php

@@ -149 +149 @@
      */
     public function get_redirect_to() {
+        // @var WP $wp WordPress environment setup class.
         global $wp;
 
@@ -171 +172 @@
         if ( $this->settings->redirect_user_back ) {
             if ( ! empty( $wp->request ) ) {
-                if ( ! empty( $wp->did_permalink ) && $wp->did_permalink ) {
-                    $redirect_url = home_url( trailingslashit( $wp->request ) );
+                if ( ! empty( $wp->did_permalink ) && boolval( $wp->did_permalink ) === true ) {
+                    $redirect_url = home_url( add_query_arg( $_GET, trailingslashit( $wp->request ) ) );
                 } else {
                     $redirect_url = home_url( add_query_arg( null, null ) );
@@ -211 +212 @@
                 'redirect_uri' => $this->client->get_redirect_uri(),
                 'redirect_to' => $this->get_redirect_to(),
+                'acr_values' => $this->settings->acr_values,
             ),
             $atts,
@@ -225 +227 @@
             $separator = '&';
         }
+
+        $url_format = '%1$s%2$sresponse_type=code&scope=%3$s&client_id=%4$s&state=%5$s&redirect_uri=%6$s';
+        if ( ! empty( $atts['acr_values'] ) ) {
+            $url_format .= '&acr_values=%7$s';
+        }
+
         $url = sprintf(
-            '%1$s%2$sresponse_type=code&scope=%3$s&client_id=%4$s&state=%5$s&redirect_uri=%6$s',
+            $url_format,
             $atts['endpoint_login'],
             $separator,
@@ -232 +240 @@
             rawurlencode( $atts['client_id'] ),
             $this->client->new_state( $atts['redirect_to'] ),
-            rawurlencode( $atts['redirect_uri'] )
+            rawurlencode( $atts['redirect_uri'] ),
+            rawurlencode( $atts['acr_values'] )
         );
 
@@ -272 +281 @@
 
         if ( ! $refresh_token || ( $refresh_expires && $current_time > $refresh_expires ) ) {
-            wp_logout();
-
-            if ( $this->settings->redirect_on_logout ) {
-                $this->error_redirect( new WP_Error( 'access-token-expired', __( 'Session expired. Please login again.', 'daggerhart-openid-connect-generic' ) ) );
+            if ( isset( $_SERVER['REQUEST_URI'] ) ) {
+                do_action( 'openid-connect-generic-session-expired', wp_get_current_user(), esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
+                wp_logout();
+
+                if ( $this->settings->redirect_on_logout ) {
+                    $this->error_redirect( new WP_Error( 'access-token-expired', __( 'Session expired. Please login again.', 'daggerhart-openid-connect-generic' ) ) );
+                }
+
+                return;
             }
-
-            return;
         }
 
@@ -295 +307 @@
         }
 
+        update_user_meta( $user_id, 'openid-connect-generic-last-token-response', $token_response );
         $this->save_refresh_token( $manager, $token, $token_response );
     }
@@ -511 +524 @@
         $user = $this->get_user_by_identity( $subject_identity );
 
+        // A pre-existing IDP mapped user wasn't found.
         if ( ! $user ) {
-            if ( $this->settings->create_if_does_not_exist ) {
+            // If linking existing users or creating new ones call the `create_new_user` method which handles both cases.
+            if ( $this->settings->link_existing_users || $this->settings->create_if_does_not_exist ) {
                 $user = $this->create_new_user( $subject_identity, $user_claim );
                 if ( is_wp_error( $user ) ) {
@@ -520 +535 @@
                 $this->error_redirect( new WP_Error( 'identity-not-map-existing-user', __( 'User identity is not linked to an existing WordPress user.', 'daggerhart-openid-connect-generic' ), $user_claim ) );
             }
-        } else {
-            // Allow plugins / themes to take action using current claims on existing user (e.g. update role).
-            do_action( 'openid-connect-generic-update-user-using-current-claim', $user, $user_claim );
         }
 
@@ -535 +547 @@
         $this->login_user( $user, $token_response, $id_token_claim, $user_claim, $subject_identity );
 
+        // Allow plugins / themes to take action once a user is logged in.
         do_action( 'openid-connect-generic-user-logged-in', $user );
 
@@ -581 +594 @@
 
     /**
+     * Refresh user claim.
+     *
+     * @param WP_User $user             The user object.
+     * @param array   $token_response   The token response.
+     *
+     * @return WP_Error|array
+     */
+    public function refresh_user_claim( $user, $token_response ) {
+        $client = $this->client;
+
+        /**
+         * The id_token is used to identify the authenticated user, e.g. for SSO.
+         * The access_token must be used to prove access rights to protected
+         * resources e.g. for the userinfo endpoint
+         */
+        $id_token_claim = $client->get_id_token_claim( $token_response );
+
+        // Allow for other plugins to alter data before validation.
+        $id_token_claim = apply_filters( 'openid-connect-modify-id-token-claim-before-validation', $id_token_claim );
+
+        if ( is_wp_error( $id_token_claim ) ) {
+            return $id_token_claim;
+        }
+
+        // Validate our id_token has required values.
+        $valid = $client->validate_id_token_claim( $id_token_claim );
+
+        if ( is_wp_error( $valid ) ) {
+            return $valid;
+        }
+
+        // If userinfo endpoint is set, exchange the token_response for a user_claim.
+        if ( ! empty( $this->settings->endpoint_userinfo ) && isset( $token_response['access_token'] ) ) {
+            $user_claim = $client->get_user_claim( $token_response );
+        } else {
+            $user_claim = $id_token_claim;
+        }
+
+        if ( is_wp_error( $user_claim ) ) {
+            return $user_claim;
+        }
+
+        // Validate our user_claim has required values.
+        $valid = $client->validate_user_claim( $user_claim, $id_token_claim );
+
+        if ( is_wp_error( $valid ) ) {
+            $this->error_redirect( $valid );
+            return $valid;
+        }
+
+        // Store the tokens for future reference.
+        update_user_meta( $user->ID, 'openid-connect-generic-last-token-response', $token_response );
+        update_user_meta( $user->ID, 'openid-connect-generic-last-id-token-claim', $id_token_claim );
+        update_user_meta( $user->ID, 'openid-connect-generic-last-user-claim', $user_claim );
+
+        return $user_claim;
+    }
+
+    /**
      * Record user meta data, and provide an authorization cookie.
      *
@@ -596 +668 @@
         update_user_meta( $user->ID, 'openid-connect-generic-last-id-token-claim', $id_token_claim );
         update_user_meta( $user->ID, 'openid-connect-generic-last-user-claim', $user_claim );
+        // Allow plugins / themes to take action using current claims on existing user (e.g. update role).
+        do_action( 'openid-connect-generic-update-user-using-current-claim', $user, $user_claim );
 
         // Create the WP session, so we know its token.
@@ -657 +731 @@
                     ),
                 ),
+                // Override the default blog_id (get_current_blog_id) to find users on different sites of a multisite install.
+                'blog_id' => 0,
             )
         );
 
-        // If we found an existing users, grab the first one returned.
+        // If we found existing users, grab the first one returned.
         if ( $user_query->get_total() > 0 ) {
             $users = $user_query->get_results();
@@ -674 +750 @@
      * @param array $user_claim The IDP authenticated user claim data.
      *
-     * @return string|WP_Error|null
+     * @return string|WP_Error
      */
     private function get_username_from_claim( $user_claim ) {
@@ -684 +760 @@
         if ( ! empty( $this->settings->identity_key ) && isset( $user_claim[ $this->settings->identity_key ] ) ) {
             $desired_username = $user_claim[ $this->settings->identity_key ];
-        } else if ( isset( $user_claim['preferred_username'] ) && ! empty( $user_claim['preferred_username'] ) ) {
+        }
+        if ( empty( $desired_username ) && isset( $user_claim['preferred_username'] ) && ! empty( $user_claim['preferred_username'] ) ) {
             $desired_username = $user_claim['preferred_username'];
-        } else if ( isset( $user_claim['name'] ) && ! empty( $user_claim['name'] ) ) {
+        }
+        if ( empty( $desired_username ) && isset( $user_claim['name'] ) && ! empty( $user_claim['name'] ) ) {
             $desired_username = $user_claim['name'];
-        } else if ( isset( $user_claim['email'] ) && ! empty( $user_claim['email'] ) ) {
+        }
+        if ( empty( $desired_username ) && isset( $user_claim['email'] ) && ! empty( $user_claim['email'] ) ) {
             $tmp = explode( '@', $user_claim['email'] );
             $desired_username = $tmp[0];
-        } else {
+        }
+        if ( empty( $desired_username ) ) {
             // Nothing to build a name from.
             return new WP_Error( 'no-username', __( 'No appropriate username found.', 'daggerhart-openid-connect-generic' ), $user_claim );
         }
 
-        // Normalize the data a bit.
-        // @var string $transliterated_username The username converted to ASCII from UTF-8.
-        $transliterated_username = iconv( 'UTF-8', 'ASCII//TRANSLIT', $desired_username );
-        if ( empty( $transliterated_username ) ) {
-            // translators: $1$s is a username from the IDP.
-            return new WP_Error( 'username-transliteration-failed', sprintf( __( 'Username %1$s could not be transliterated.', 'daggerhart-openid-connect-generic' ), $desired_username ), $desired_username );
-        }
-        $normalized_username = strtolower( preg_replace( '/[^a-zA-Z0-9 _.\-@]/', '', $transliterated_username ) );
-        if ( empty( $normalized_username ) ) {
-            // translators: %1$s is the ASCII version of the username from the IDP.
-            return new WP_Error( 'username-normalization-failed', sprintf( __( 'Username %1$s could not be normalized.', 'daggerhart-openid-connect-generic' ), $transliterated_username ), $transliterated_username );
-        }
-
-        // Copy the username for incrementing.
-        $username = ! empty( $normalized_username ) ? $normalized_username : null;
-
-        if ( ! $this->settings->link_existing_users && ! is_null( $username ) ) {
-            // @example Original user gets "name", second user gets "name2", etc.
-            $count = 1;
-            while ( username_exists( $username ) ) {
-                $count ++;
-                $username = $normalized_username . $count;
-            }
-        }
-
-        return $username;
+        // Don't use the full email address for a username.
+        $_desired_username = explode( '@', $desired_username );
+        $desired_username = $_desired_username[0];
+        // Use WordPress Core to sanitize the IDP username.
+        $sanitized_username = sanitize_user( $desired_username, true );
+        if ( empty( $sanitized_username ) ) {
+            // translators: %1$s is the santitized version of the username from the IDP.
+            return new WP_Error( 'username-sanitization-failed', sprintf( __( 'Username %1$s could not be sanitized.', 'daggerhart-openid-connect-generic' ), $desired_username ), $desired_username );
+        }
+
+        return $sanitized_username;
     }
 
@@ -747 +812 @@
 
     /**
+     * Checks if $claimname is in the body or _claim_names of the userinfo.
+     * If yes, returns the claim value. Otherwise, returns false.
+     *
+     * @param string $claimname the claim name to look for.
+     * @param array  $userinfo the JSON to look in.
+     * @param string $claimvalue the source claim value ( from the body of the JWT of the claim source).
+     * @return true|false
+     */
+    private function get_claim( $claimname, $userinfo, &$claimvalue ) {
+        /**
+         * If we find a simple claim, return it.
+         */
+        if ( array_key_exists( $claimname, $userinfo ) ) {
+            $claimvalue = $userinfo[ $claimname ];
+            return true;
+        }
+        /**
+         * If there are no aggregated claims, it is over.
+         */
+        if ( ! array_key_exists( '_claim_names', $userinfo ) ||
+            ! array_key_exists( '_claim_sources', $userinfo ) ) {
+            return false;
+        }
+        $claim_src_ptr = $userinfo['_claim_names'];
+        if ( ! isset( $claim_src_ptr ) ) {
+            return false;
+        }
+        /**
+         * No reference found
+         */
+        if ( ! array_key_exists( $claimname, $claim_src_ptr ) ) {
+            return false;
+        }
+        $src_name = $claim_src_ptr[ $claimname ];
+        // Reference found, but no corresponding JWT. This is a malformed userinfo.
+        if ( ! array_key_exists( $src_name, $userinfo['_claim_sources'] ) ) {
+            return false;
+        }
+        $src = $userinfo['_claim_sources'][ $src_name ];
+        // Source claim is not a JWT. Abort.
+        if ( ! array_key_exists( 'JWT', $src ) ) {
+            return false;
+        }
+        /**
+         * Extract claim from JWT.
+         * FIXME: We probably want to verify the JWT signature/issuer here.
+         * For example, using JWKS if applicable. For symmetrically signed
+         * JWTs (HMAC), we need a way to specify the acceptable secrets
+         * and each possible issuer in the config.
+         */
+        $jwt = $src['JWT'];
+        list ( $header, $body, $rest ) = explode( '.', $jwt, 3 );
+        $body_str = base64_decode( $body, false );
+        if ( ! $body_str ) {
+            return false;
+        }
+        $body_json = json_decode( $body_str, true );
+        if ( ! isset( $body_json ) ) {
+            return false;
+        }
+        if ( ! array_key_exists( $claimname, $body_json ) ) {
+            return false;
+        }
+        $claimvalue = $body_json[ $claimname ];
+        return true;
+    }
+
+
+    /**
      * Build a string from the user claim according to the specified format.
      *
@@ -758 +892 @@
         $matches = null;
         $string = '';
+        $info = '';
         $i = 0;
         if ( preg_match_all( '/\{[^}]*\}/u', $format, $matches, PREG_OFFSET_CAPTURE ) ) {
@@ -763 +898 @@
                 $key = substr( $match[0], 1, -1 );
                 $string .= substr( $format, $i, $match[1] - $i );
-                if ( ! isset( $user_claim[ $key ] ) ) {
+                if ( ! $this->get_claim( $key, $user_claim, $info ) ) {
                     if ( $error_on_missing_key ) {
                         return new WP_Error(
@@ -777 +912 @@
                     }
                 } else {
-                    $string .= $user_claim[ $key ];
+                    $string .= $info;
                 }
                 $i = $match[1] + strlen( $match[0] );
@@ -836 +971 @@
         // Allow claim details to determine username, email, nickname and displayname.
         $_email = $this->get_email_from_claim( $user_claim, true );
-        if ( is_wp_error( $_email ) ) {
+        if ( is_wp_error( $_email ) || empty( $_email ) ) {
             $values_missing = true;
-        } else if ( ! is_null( $_email ) ) {
+        } else {
             $email = $_email;
         }
 
         $_username = $this->get_username_from_claim( $user_claim );
-        if ( is_wp_error( $_username ) ) {
+        if ( is_wp_error( $_username ) || empty( $_username ) ) {
             $values_missing = true;
-        } else if ( ! is_null( $_username ) ) {
+        } else {
             $username = $_username;
         }
 
         $_nickname = $this->get_nickname_from_claim( $user_claim );
-        if ( is_null( $_nickname ) ) {
+        if ( is_wp_error( $_nickname ) || empty( $_nickname ) ) {
             $values_missing = true;
         } else {
@@ -857 +992 @@
 
         $_displayname = $this->get_displayname_from_claim( $user_claim, true );
-        if ( is_wp_error( $_displayname ) ) {
+        if ( is_wp_error( $_displayname ) || empty( $_displayname ) ) {
             $values_missing = true;
-        } else if ( ! is_null( $_displayname ) ) {
+        } else {
             $displayname = $_displayname;
         }
@@ -878 +1013 @@
         if ( is_wp_error( $_email ) ) {
             return $_email;
-        } else if ( ! is_null( $_email ) ) {
+        }
+        // Use the email address from the latest userinfo request if not empty.
+        if ( ! empty( $_email ) ) {
             $email = $_email;
         }
@@ -885 +1022 @@
         if ( is_wp_error( $_username ) ) {
             return $_username;
-        } else if ( ! is_null( $_username ) ) {
+        }
+        // Use the username from the latest userinfo request if not empty.
+        if ( ! empty( $_username ) ) {
             $username = $_username;
         }
@@ -892 +1031 @@
         if ( is_wp_error( $_nickname ) ) {
             return $_nickname;
-        } else if ( is_null( $_nickname ) ) {
+        }
+        // Use the username as the nickname if the userinfo request nickname is empty.
+        if ( empty( $_nickname ) ) {
             $nickname = $username;
         }
@@ -899 +1040 @@
         if ( is_wp_error( $_displayname ) ) {
             return $_displayname;
-        } else if ( is_null( $_displayname ) ) {
+        }
+        // Use the nickname as the displayname if the userinfo request displayname is empty.
+        if ( empty( $_displayname ) ) {
             $displayname = $nickname;
         }
 
-        // Before trying to create the user, first check if a user with the same email already exists.
+        // Before trying to create the user, first check if a matching user exists.
         if ( $this->settings->link_existing_users ) {
+            $uid = null;
             if ( $this->settings->identify_with_username ) {
                 $uid = username_exists( $username );
@@ -910 +1054 @@
                 $uid = email_exists( $email );
             }
-            if ( $uid ) {
+            if ( ! empty( $uid ) ) {
                 $user = $this->update_existing_user( $uid, $subject_identity );
                 do_action( 'openid-connect-generic-update-user-using-current-claim', $user, $user_claim );
@@ -921 +1065 @@
          * based on the returned user claim.
          */
-        $create_user = apply_filters( 'openid-connect-generic-user-creation-test', true, $user_claim );
+        $create_user = apply_filters( 'openid-connect-generic-user-creation-test', $this->settings->create_if_does_not_exist, $user_claim );
 
         if ( ! $create_user ) {
             return new WP_Error( 'cannot-authorize', __( 'Can not authorize.', 'daggerhart-openid-connect-generic' ), $create_user );
+        }
+
+        // Copy the username for incrementing.
+        $_username = $username;
+        // Ensure prevention of linking usernames & collisions by incrementing the username if it exists.
+        // @example Original user gets "name", second user gets "name2", etc.
+        $count = 1;
+        while ( username_exists( $username ) ) {
+            $count ++;
+            $username = $_username . $count;
         }
 

daggerhart-openid-connect-generic/trunk/includes/openid-connect-generic-client.php

@@ -84 +84 @@
 
     /**
+     * The specifically requested authentication contract at the IDP
+     *
+     * @see OpenID_Connect_Generic_Option_Settings::acr_values
+     *
+     * @var string
+     */
+    private $acr_values;
+
+    /**
      * The state time limit. States are only valid for 3 minutes.
      *
@@ -109 +118 @@
      * @param string                               $endpoint_token    @see OpenID_Connect_Generic_Option_Settings::endpoint_token for description.
      * @param string                               $redirect_uri      @see OpenID_Connect_Generic_Option_Settings::redirect_uri for description.
+     * @param string                               $acr_values        @see OpenID_Connect_Generic_Option_Settings::acr_values for description.
      * @param int                                  $state_time_limit  @see OpenID_Connect_Generic_Option_Settings::state_time_limit for description.
      * @param OpenID_Connect_Generic_Option_Logger $logger            The plugin logging object instance.
      */
-    public function __construct( $client_id, $client_secret, $scope, $endpoint_login, $endpoint_userinfo, $endpoint_token, $redirect_uri, $state_time_limit, $logger ) {
+    public function __construct( $client_id, $client_secret, $scope, $endpoint_login, $endpoint_userinfo, $endpoint_token, $redirect_uri, $acr_values, $state_time_limit, $logger ) {
         $this->client_id = $client_id;
         $this->client_secret = $client_secret;
@@ -120 +130 @@
         $this->endpoint_token = $endpoint_token;
         $this->redirect_uri = $redirect_uri;
+        $this->acr_values = $acr_values;
         $this->state_time_limit = $state_time_limit;
         $this->logger = $logger;
@@ -213 +224 @@
         );
 
+        if ( ! empty( $this->acr_values ) ) {
+            $request['body'] += array( 'acr_values' => $this->acr_values );
+        }
+
         // Allow modifications to the request.
         $request = apply_filters( 'openid-connect-generic-alter-request', $request, 'get-authentication-token' );
@@ -465 +480 @@
         }
 
+        // Validate acr values when the option is set in the configuration.
+        if ( ! empty( $this->acr_values ) && isset( $id_token_claim['acr'] ) ) {
+            if ( $this->acr_values != $id_token_claim['acr'] ) {
+                return new WP_Error( 'no-match-acr', __( 'No matching acr values.', 'daggerhart-openid-connect-generic' ), $id_token_claim );
+            }
+        }
+
         return true;
     }

daggerhart-openid-connect-generic/trunk/includes/openid-connect-generic-option-settings.php

@@ -34 +34 @@
  * @property string $endpoint_token       The IDP token validation endpoint URL.
  * @property string $endpoint_end_session The IDP logout endpoint URL.
+ * @property string $acr_values           The Authentication contract as defined on the IDP.
  *
  * Non-standard Settings:
@@ -87 +88 @@
      */
     private $environment_settings = array(
-        'client_id'            => 'OIDC_CLIENT_ID',
-        'client_secret'        => 'OIDC_CLIENT_SECRET',
-        'endpoint_login'       => 'OIDC_ENDPOINT_LOGIN_URL',
-        'endpoint_userinfo'    => 'OIDC_ENDPOINT_USERINFO_URL',
-        'endpoint_token'       => 'OIDC_ENDPOINT_TOKEN_URL',
-        'endpoint_end_session' => 'OIDC_ENDPOINT_LOGOUT_URL',
+        'client_id'                 => 'OIDC_CLIENT_ID',
+        'client_secret'             => 'OIDC_CLIENT_SECRET',
+        'endpoint_end_session'      => 'OIDC_ENDPOINT_LOGOUT_URL',
+        'endpoint_login'            => 'OIDC_ENDPOINT_LOGIN_URL',
+        'endpoint_token'            => 'OIDC_ENDPOINT_TOKEN_URL',
+        'endpoint_userinfo'         => 'OIDC_ENDPOINT_USERINFO_URL',
+        'login_type'                => 'OIDC_LOGIN_TYPE',
+        'scope'                     => 'OIDC_CLIENT_SCOPE',
+        'create_if_does_not_exist'  => 'OIDC_CREATE_IF_DOES_NOT_EXIST',
+        'enforce_privacy'           => 'OIDC_ENFORCE_PRIVACY',
+        'link_existing_users'       => 'OIDC_LINK_EXISTING_USERS',
+        'redirect_on_logout'        => 'OIDC_REDIRECT_ON_LOGOUT',
+        'redirect_user_back'        => 'OIDC_REDIRECT_USER_BACK',
+        'acr_values'                => 'OIDC_ACR_VALUES',
     );
 

daggerhart-openid-connect-generic/trunk/includes/openid-connect-generic-settings-page.php

@@ -217 +217 @@
                     'auto'   => __( 'Auto Login - SSO', 'daggerhart-openid-connect-generic' ),
                 ),
+                'disabled'    => defined( 'OIDC_LOGIN_TYPE' ),
                 'section'     => 'client_settings',
             ),
@@ -239 +240 @@
                 'example'     => 'email profile openid offline_access',
                 'type'        => 'text',
+                'disabled'    => defined( 'OIDC_CLIENT_SCOPE' ),
                 'section'     => 'client_settings',
             ),
@@ -273 +275 @@
                 'section'     => 'client_settings',
             ),
+            'acr_values'    => array(
+                'title'       => __( 'ACR values', 'daggerhart-openid-connect-generic' ),
+                'description' => __( 'Use a specific defined authentication contract from the IDP - optional.', 'daggerhart-openid-connect-generic' ),
+                'type'        => 'text',
+                'disabled'    => defined( 'OIDC_ACR_VALUES' ),
+                'section'     => 'client_settings',
+            ),
             'identity_key'     => array(
                 'title'       => __( 'Identity Key', 'daggerhart-openid-connect-generic' ),
@@ -298 +307 @@
                 'description' => __( 'Require users be logged in to see the site.', 'daggerhart-openid-connect-generic' ),
                 'type'        => 'checkbox',
+                'disabled'    => defined( 'OIDC_ENFORCE_PRIVACY' ),
                 'section'     => 'authorization_settings',
             ),
@@ -349 +359 @@
                 'description' => __( 'If a WordPress account already exists with the same identity as a newly-authenticated user over OpenID Connect, login as that user instead of generating an error.', 'daggerhart-openid-connect-generic' ),
                 'type'        => 'checkbox',
+                'disabled'    => defined( 'OIDC_LINK_EXISTING_USERS' ),
                 'section'     => 'user_settings',
             ),
             'create_if_does_not_exist'   => array(
                 'title'       => __( 'Create user if does not exist', 'daggerhart-openid-connect-generic' ),
-                'description' => __( 'If the user identity is not link to an existing Wordpress user, it is created. If this setting is not enabled and if the user authenticates with an account which is not link to an existing Wordpress user then the authentication failed', 'daggerhart-openid-connect-generic' ),
-                'type'        => 'checkbox',
+                'description' => __( 'If the user identity is not linked to an existing WordPress user, it is created. If this setting is not enabled, and if the user authenticates with an account which is not linked to an existing WordPress user, then the authentication will fail.', 'daggerhart-openid-connect-generic' ),
+                'type'        => 'checkbox',
+                'disabled'    => defined( 'OIDC_CREATE_IF_DOES_NOT_EXIST' ),
                 'section'     => 'user_settings',
             ),
@@ -361 +373 @@
                 'description' => __( 'After a successful OpenID Connect authentication, this will redirect the user back to the page on which they clicked the OpenID Connect login button. This will cause the login process to proceed in a traditional WordPress fashion. For example, users logging in through the default wp-login.php page would end up on the WordPress Dashboard and users logging in through the WooCommerce "My Account" page would end up on their account page.', 'daggerhart-openid-connect-generic' ),
                 'type'        => 'checkbox',
+                'disabled'    => defined( 'OIDC_REDIRECT_USER_BACK' ),
                 'section'     => 'user_settings',
             ),
@@ -367 +380 @@
                 'description' => __( 'When enabled, this will automatically redirect the user back to the WordPress login page if their access token has expired.', 'daggerhart-openid-connect-generic' ),
                 'type'        => 'checkbox',
+                'disabled'    => defined( 'OIDC_REDIRECT_ON_LOGOUT' ),
                 'section'     => 'user_settings',
             ),
@@ -415 +429 @@
      */
     public function settings_page() {
+        wp_enqueue_style( 'daggerhart-openid-connect-generic-admin', plugin_dir_url( __DIR__ ) . 'css/styles-admin.css', array(), OpenID_Connect_Generic::VERSION, 'all' );
+
         $redirect_uri = admin_url( 'admin-ajax.php?action=openid-connect-authorize' );
 
@@ -473 +489 @@
         ?>
         <input type="<?php print esc_attr( $field['type'] ); ?>"
-                <?php echo ( ! empty( $field['disabled'] ) && boolval( $field['disabled'] ) ) ? ' disabled' : ''; ?>
+                <?php echo ( ! empty( $field['disabled'] ) && boolval( $field['disabled'] ) === true ) ? ' disabled' : ''; ?>
               id="<?php print esc_attr( $field['key'] ); ?>"
-              class="large-text<?php echo ( ! empty( $field['disabled'] ) && boolval( $field['disabled'] ) ) ? ' disabled' : ''; ?>"
+              class="large-text<?php echo ( ! empty( $field['disabled'] ) && boolval( $field['disabled'] ) === true ) ? ' disabled' : ''; ?>"
               name="<?php print esc_attr( $field['name'] ); ?>"
               value="<?php print esc_attr( $this->settings->{ $field['key'] } ); ?>">
@@ -531 +547 @@
         ?>
         <p class="description">
-            <?php print esc_html( $field['description'] ); ?>
+            <?php print wp_kses_post( $field['description'] ); ?>
             <?php if ( isset( $field['example'] ) ) : ?>
                 <br/><strong><?php esc_html_e( 'Example', 'daggerhart-openid-connect-generic' ); ?>: </strong>

daggerhart-openid-connect-generic/trunk/languages/openid-connect-generic.pot

@@ -1 @@
-# Copyright (C) 2021 daggerhart
+# Copyright (C) 2022 daggerhart
 # This file is distributed under the GPL-2.0+.
 msgid ""
 msgstr ""
-"Project-Id-Version: OpenID Connect Generic 3.8.5\n"
+"Project-Id-Version: OpenID Connect Generic 3.9.0\n"
 "Report-Msgid-Bugs-To: "
 "https://github.com/daggerhart/openid-connect-generic/issues\n"
-"POT-Creation-Date: 2021-04-16 03:38:39+00:00\n"
+"POT-Creation-Date: 2022-03-22 03:28:37+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"PO-Revision-Date: 2021-MO-DA HO:MI+ZONE\n"
+"PO-Revision-Date: 2022-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -26 +26 @@
 "X-Generator: grunt-wp-i18n 1.0.3\n"
 
-#: includes/openid-connect-generic-client-wrapper.php:277
+#: includes/openid-connect-generic-client-wrapper.php:288
 msgid "Session expired. Please login again."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:520
+#: includes/openid-connect-generic-client-wrapper.php:535
 msgid "User identity is not linked to an existing WordPress user."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:576
+#: includes/openid-connect-generic-client-wrapper.php:589
 msgid "Invalid user."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:695
+#: includes/openid-connect-generic-client-wrapper.php:775
 msgid "No appropriate username found."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:703
-#. translators: $1$s is a username from the IDP.
-msgid "Username %1$s could not be transliterated."
-msgstr ""
-
-#: includes/openid-connect-generic-client-wrapper.php:708
-#. translators: %1$s is the ASCII version of the username from the IDP.
-msgid "Username %1$s could not be normalized."
-msgstr ""
-
-#: includes/openid-connect-generic-client-wrapper.php:742
+#: includes/openid-connect-generic-client-wrapper.php:785
+#. translators: %1$s is the santitized version of the username from the IDP.
+msgid "Username %1$s could not be sanitized."
+msgstr ""
+
+#: includes/openid-connect-generic-client-wrapper.php:807
 #. translators: %1$s is the configured User Claim nickname key.
 msgid "No nickname found in user claim using key: %1$s."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:769
+#: includes/openid-connect-generic-client-wrapper.php:904
 msgid "User claim incomplete."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:871
+#: includes/openid-connect-generic-client-wrapper.php:1006
 msgid "Bad user claim result."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:926
+#: includes/openid-connect-generic-client-wrapper.php:1070
 msgid "Can not authorize."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:945
+#: includes/openid-connect-generic-client-wrapper.php:1099
 msgid "Failed user creation."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:165
+#: includes/openid-connect-generic-client.php:176
 msgid "Missing state."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:169
+#: includes/openid-connect-generic-client.php:180
 msgid "Invalid state."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:184
+#: includes/openid-connect-generic-client.php:195
 msgid "Missing authentication code."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:223
+#: includes/openid-connect-generic-client.php:238
 msgid "Request for authentication token failed."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:254
+#: includes/openid-connect-generic-client.php:269
 msgid "Refresh token failed."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:269
+#: includes/openid-connect-generic-client.php:284
 msgid "Missing token body."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:277
+#: includes/openid-connect-generic-client.php:292
 msgid "Invalid token."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:328
+#: includes/openid-connect-generic-client.php:343
 msgid "Request for userinfo failed."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:388
+#: includes/openid-connect-generic-client.php:403
 msgid "Missing authentication state."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:425
+#: includes/openid-connect-generic-client.php:440
 msgid "No identity token."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:432
+#: includes/openid-connect-generic-client.php:447
 msgid "Missing identity token."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:459
+#: includes/openid-connect-generic-client.php:474
 msgid "Bad ID token claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:464
+#: includes/openid-connect-generic-client.php:479
 msgid "No subject identity."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:483
+#: includes/openid-connect-generic-client.php:485
+msgid "No matching acr values."
+msgstr ""
+
+#: includes/openid-connect-generic-client.php:505
 msgid "Bad user claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:503
+#: includes/openid-connect-generic-client.php:525
 msgid "Invalid user claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:508
+#: includes/openid-connect-generic-client.php:530
 msgid "Error from the IDP."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:517
+#: includes/openid-connect-generic-client.php:539
 msgid "Incorrect user claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:524
+#: includes/openid-connect-generic-client.php:546
 msgid "Unauthorized access."
 msgstr ""
@@ -210 +209 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:222
+#: includes/openid-connect-generic-settings-page.php:223
 msgid "Client ID"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:223
+#: includes/openid-connect-generic-settings-page.php:224
 msgid ""
 "The ID this client will be recognized as when connecting the to Identity "
@@ -220 +219 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:230
+#: includes/openid-connect-generic-settings-page.php:231
 msgid "Client Secret Key"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:231
+#: includes/openid-connect-generic-settings-page.php:232
 msgid ""
 "Arbitrary secret key the server expects from this client. Can be anything, "
@@ -230 +229 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:237
+#: includes/openid-connect-generic-settings-page.php:238
 msgid "OpenID Scope"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:238
+#: includes/openid-connect-generic-settings-page.php:239
 msgid "Space separated list of scopes this client should access."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:244
+#: includes/openid-connect-generic-settings-page.php:246
 msgid "Login Endpoint URL"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:245
+#: includes/openid-connect-generic-settings-page.php:247
 msgid "Identify provider authorization endpoint."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:252
+#: includes/openid-connect-generic-settings-page.php:254
 msgid "Userinfo Endpoint URL"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:253
+#: includes/openid-connect-generic-settings-page.php:255
 msgid "Identify provider User information endpoint."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:260
+#: includes/openid-connect-generic-settings-page.php:262
 msgid "Token Validation Endpoint URL"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:261
+#: includes/openid-connect-generic-settings-page.php:263
 msgid "Identify provider token endpoint."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:268
+#: includes/openid-connect-generic-settings-page.php:270
 msgid "End Session Endpoint URL"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:269
+#: includes/openid-connect-generic-settings-page.php:271
 msgid "Identify provider logout endpoint."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:276
+#: includes/openid-connect-generic-settings-page.php:278
+msgid "ACR values"
+msgstr ""
+
+#: includes/openid-connect-generic-settings-page.php:279
+msgid "Use a specific defined authentication contract from the IDP - optional."
+msgstr ""
+
+#: includes/openid-connect-generic-settings-page.php:285
 msgid "Identity Key"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:277
+#: includes/openid-connect-generic-settings-page.php:286
 msgid ""
 "Where in the user claim array to find the user's identification data. "
@@ -281 +288 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:283
+#: includes/openid-connect-generic-settings-page.php:292
 msgid "Disable SSL Verify"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:285
+#: includes/openid-connect-generic-settings-page.php:294
 #. translators: %1$s HTML tags for layout/styles, %2$s closing HTML tag for
 #. styles.
@@ -296 +303 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:290
+#: includes/openid-connect-generic-settings-page.php:299
 msgid "HTTP Request Timeout"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:291
+#: includes/openid-connect-generic-settings-page.php:300
 msgid "Set the timeout for requests made to the IDP. Default value is 5."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:297
+#: includes/openid-connect-generic-settings-page.php:306
 msgid "Enforce Privacy"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:298
+#: includes/openid-connect-generic-settings-page.php:307
 msgid "Require users be logged in to see the site."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:303
+#: includes/openid-connect-generic-settings-page.php:313
 msgid "Alternate Redirect URI"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:304
+#: includes/openid-connect-generic-settings-page.php:314
 msgid ""
 "Provide an alternative redirect route. Useful if your server is causing "
@@ -324 +331 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:309
+#: includes/openid-connect-generic-settings-page.php:319
 msgid "Nickname Key"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:310
+#: includes/openid-connect-generic-settings-page.php:320
 msgid ""
 "Where in the user claim array to find the user's nickname. Possible "
@@ -334 +341 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:316
+#: includes/openid-connect-generic-settings-page.php:326
 msgid "Email Formatting"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:317
+#: includes/openid-connect-generic-settings-page.php:327
 msgid ""
 "String from which the user's email address is built. Specify \"{email}\" as "
@@ -344 +351 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:323
+#: includes/openid-connect-generic-settings-page.php:333
 msgid "Display Name Formatting"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:324
+#: includes/openid-connect-generic-settings-page.php:334
 msgid "String from which the user's display name is built."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:330
+#: includes/openid-connect-generic-settings-page.php:340
 msgid "Identify with User Name"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:331
+#: includes/openid-connect-generic-settings-page.php:341
 msgid ""
 "If checked, the user's identity will be determined by the user name instead "
@@ -362 +369 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:336
+#: includes/openid-connect-generic-settings-page.php:346
 msgid "State time limit"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:337
+#: includes/openid-connect-generic-settings-page.php:347
 msgid "State valid time in seconds. Defaults to 180"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:342
+#: includes/openid-connect-generic-settings-page.php:352
 msgid "Enable Refresh Token"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:343
+#: includes/openid-connect-generic-settings-page.php:353
 msgid ""
 "If checked, support refresh tokens used to obtain access tokens from "
@@ -380 +387 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:348
+#: includes/openid-connect-generic-settings-page.php:358
 msgid "Link Existing Users"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:349
+#: includes/openid-connect-generic-settings-page.php:359
 msgid ""
 "If a WordPress account already exists with the same identity as a "
@@ -391 +398 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:354
+#: includes/openid-connect-generic-settings-page.php:365
 msgid "Create user if does not exist"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:355
-msgid ""
-"If the user identity is not link to an existing Wordpress user, it is "
-"created. If this setting is not enabled and if the user authenticates with "
-"an account which is not link to an existing Wordpress user then the "
-"authentication failed"
-msgstr ""
-
-#: includes/openid-connect-generic-settings-page.php:360
+#: includes/openid-connect-generic-settings-page.php:366
+msgid ""
+"If the user identity is not linked to an existing WordPress user, it is "
+"created. If this setting is not enabled, and if the user authenticates with "
+"an account which is not linked to an existing WordPress user, then the "
+"authentication will fail."
+msgstr ""
+
+#: includes/openid-connect-generic-settings-page.php:372
 msgid "Redirect Back to Origin Page"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:361
+#: includes/openid-connect-generic-settings-page.php:373
 msgid ""
 "After a successful OpenID Connect authentication, this will redirect the "
@@ -418 +425 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:366
+#: includes/openid-connect-generic-settings-page.php:379
 msgid "Redirect to the login screen when session is expired"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:367
+#: includes/openid-connect-generic-settings-page.php:380
 msgid ""
 "When enabled, this will automatically redirect the user back to the "
@@ -428 +435 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:372
+#: includes/openid-connect-generic-settings-page.php:386
 msgid "Enable Logging"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:373
+#: includes/openid-connect-generic-settings-page.php:387
 msgid "Very simple log messages for debugging purposes."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:378
+#: includes/openid-connect-generic-settings-page.php:392
 msgid "Log Limit"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:379
+#: includes/openid-connect-generic-settings-page.php:393
 msgid ""
 "Number of items to keep in the log. These logs are stored as an option in "
@@ -446 +453 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:439
+#: includes/openid-connect-generic-settings-page.php:455
 msgid "Notes"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:442
+#: includes/openid-connect-generic-settings-page.php:458
 msgid "Redirect URI"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:446
+#: includes/openid-connect-generic-settings-page.php:462
 msgid "Login Button Shortcode"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:450
+#: includes/openid-connect-generic-settings-page.php:466
 msgid "Authentication URL Shortcode"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:455
+#: includes/openid-connect-generic-settings-page.php:471
 msgid "Logs"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:535
+#: includes/openid-connect-generic-settings-page.php:551
 msgid "Example"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:548
+#: includes/openid-connect-generic-settings-page.php:564
 msgid "Enter your OpenID Connect identity provider settings."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:557
+#: includes/openid-connect-generic-settings-page.php:573
 msgid "Modify the interaction between OpenID Connect and WordPress users."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:566
+#: includes/openid-connect-generic-settings-page.php:582
 msgid "Control the authorization mechanics of the site."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:575
+#: includes/openid-connect-generic-settings-page.php:591
 msgid "Log information about login attempts through OpenID Connect Generic."
 msgstr ""
 
-#: openid-connect-generic.php:202
+#: openid-connect-generic.php:213
 msgid "Private site"
 msgstr ""

daggerhart-openid-connect-generic/trunk/openid-connect-generic.php

@@ -17 +17 @@
  * Plugin URI:        https://github.com/daggerhart/openid-connect-generic
  * Description:       Connect to an OpenID Connect generic client using Authorization Code Flow.
- * Version:           3.8.5
+ * Version:           3.9.0
+ * Requires at least: 4.9
+ * Requires PHP:      7.2
  * Author:            daggerhart
  * Author URI:        http://www.daggerhart.com
@@ -45 +47 @@
 
   Actions
-  - openid-connect-generic-user-create        - 2 args: fires when a new user is created by this plugin
-  - openid-connect-generic-user-update        - 1 arg: user ID, fires when user is updated by this plugin
-  - openid-connect-generic-update-user-using-current-claim - 2 args: fires every time an existing user logs
-  - openid-connect-generic-redirect-user-back - 2 args: $redirect_url, $user. Allows interruption of redirect during login.
-  - openid-connect-generic-user-logged-in     - 1 arg: $user, fires when user is logged in.
-  - openid-connect-generic-cron-daily         - daily cron action
-  - openid-connect-generic-state-not-found    - the given state does not exist in the database, regardless of its expiration.
-  - openid-connect-generic-state-expired      - the given state exists, but expired before this login attempt.
+  - openid-connect-generic-user-create                     - 2 args: fires when a new user is created by this plugin
+  - openid-connect-generic-user-update                     - 1 arg: user ID, fires when user is updated by this plugin
+  - openid-connect-generic-update-user-using-current-claim - 2 args: fires every time an existing user logs in and the claims are updated.
+  - openid-connect-generic-redirect-user-back              - 2 args: $redirect_url, $user. Allows interruption of redirect during login.
+  - openid-connect-generic-user-logged-in                  - 1 arg: $user, fires when user is logged in.
+  - openid-connect-generic-cron-daily                      - daily cron action
+  - openid-connect-generic-state-not-found                 - the given state does not exist in the database, regardless of its expiration.
+  - openid-connect-generic-state-expired                   - the given state exists, but expired before this login attempt.
+
+  Callable actions
 
   User Meta
@@ -77 +81 @@
 
     /**
+     * Singleton instance of self
+     *
+     * @var OpenID_Connect_Generic
+     */
+    protected static $_instance = null;
+
+    /**
      * Plugin version.
      *
-     * @var
-     */
-    const VERSION = '3.8.5';
+     * @var string
+     */
+    const VERSION = '3.9.0';
 
     /**
@@ -109 +120 @@
      * @var OpenID_Connect_Generic_Client_Wrapper
      */
-    private $client_wrapper;
+    public $client_wrapper;
 
     /**
@@ -122 +133 @@
         $this->settings = $settings;
         $this->logger = $logger;
+        self::$_instance = $this;
     }
 
@@ -130 +142 @@
      */
     public function init() {
-
-        wp_enqueue_style( 'daggerhart-openid-connect-generic-admin', plugin_dir_url( __FILE__ ) . 'css/styles-admin.css', array(), self::VERSION, 'all' );
 
         $redirect_uri = admin_url( 'admin-ajax.php?action=openid-connect-authorize' );
@@ -152 +162 @@
             $this->settings->endpoint_token,
             $redirect_uri,
+            $this->settings->acr_values,
             $state_time_limit,
             $this->logger
@@ -328 +339 @@
             array(
                 // OAuth client settings.
-                'login_type'           => 'button',
+                'login_type'           => defined( 'OIDC_LOGIN_TYPE' ) ? OIDC_LOGIN_TYPE : 'button',
                 'client_id'            => defined( 'OIDC_CLIENT_ID' ) ? OIDC_CLIENT_ID : '',
                 'client_secret'        => defined( 'OIDC_CLIENT_SECRET' ) ? OIDC_CLIENT_SECRET : '',
-                'scope'                => '',
+                'scope'                => defined( 'OIDC_CLIENT_SCOPE' ) ? OIDC_CLIENT_SCOPE : '',
                 'endpoint_login'       => defined( 'OIDC_ENDPOINT_LOGIN_URL' ) ? OIDC_ENDPOINT_LOGIN_URL : '',
                 'endpoint_userinfo'    => defined( 'OIDC_ENDPOINT_USERINFO_URL' ) ? OIDC_ENDPOINT_USERINFO_URL : '',
                 'endpoint_token'       => defined( 'OIDC_ENDPOINT_TOKEN_URL' ) ? OIDC_ENDPOINT_TOKEN_URL : '',
                 'endpoint_end_session' => defined( 'OIDC_ENDPOINT_LOGOUT_URL' ) ? OIDC_ENDPOINT_LOGOUT_URL : '',
+                'acr_values'           => defined( 'OIDC_ACR_VALUES' ) ? OIDC_ACR_VALUES : '',
 
                 // Non-standard settings.
@@ -347 +359 @@
 
                 // Plugin settings.
-                'enforce_privacy' => 0,
+                'enforce_privacy' => defined( 'OIDC_ENFORCE_PRIVACY' ) ? intval( OIDC_ENFORCE_PRIVACY ) : 0,
                 'alternate_redirect_uri' => 0,
                 'token_refresh_enable' => 1,
-                'link_existing_users' => 0,
-                'create_if_does_not_exist' => 1,
-                'redirect_user_back' => 0,
-                'redirect_on_logout' => 1,
+                'link_existing_users' => defined( 'OIDC_LINK_EXISTING_USERS' ) ? intval( OIDC_LINK_EXISTING_USERS ) : 0,
+                'create_if_does_not_exist' => defined( 'OIDC_CREATE_IF_DOES_NOT_EXIST' ) ? intval( OIDC_CREATE_IF_DOES_NOT_EXIST ) : 1,
+                'redirect_user_back' => defined( 'OIDC_REDIRECT_USER_BACK' ) ? intval( OIDC_REDIRECT_USER_BACK ) : 0,
+                'redirect_on_logout' => defined( 'OIDC_REDIRECT_ON_LOGOUT' ) ? intval( OIDC_REDIRECT_ON_LOGOUT ) : 1,
                 'enable_logging'  => 0,
                 'log_limit'       => 1000,
@@ -371 +383 @@
         add_filter( 'comment_text_rss', array( $plugin, 'enforce_privacy_feeds' ), 999 );
     }
+
+    /**
+     * Create (if needed) and return a singleton of self.
+     *
+     * @return OpenID_Connect_Generic
+     */
+    public static function instance() {
+        if ( null === self::$_instance ) {
+            self::bootstrap();
+        }
+        return self::$_instance;
+    }
 }
 
-OpenID_Connect_Generic::bootstrap();
+OpenID_Connect_Generic::instance();
 
 register_activation_hook( __FILE__, array( 'OpenID_Connect_Generic', 'activation' ) );
 register_deactivation_hook( __FILE__, array( 'OpenID_Connect_Generic', 'deactivation' ) );
+
+// Provide publicly accessible plugin helper functions.
+require_once( 'includes/functions.php' );

daggerhart-openid-connect-generic/trunk/readme.txt

@@ -4 +4 @@
 Tags: security, login, oauth2, openidconnect, apps, authentication, autologin, sso
 Requires at least: 4.9
-Tested up to: 5.7.1
-Stable tag: 3.8.5
-Requires PHP: 7.1
+Tested up to: 5.9.2
+Stable tag: 3.9.0
+Requires PHP: 7.2
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -52 +52 @@
 == Changelog ==
 
-= 3.8.5
-
-* Fix: @timnolte - Fixes missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
-* Fix: @timnolte - Fixes Redirect URL Logic to Handle Sub-directory Installs.
-* Fix: @timnolte - Fixes to provide proper redirect user back for the openid_connect_generic_auth_url shortcode.
+= 3.9.0 =
+
+* Feature: @matchaxnb - Added support for additional configuration constants.
+* Feature: @schanzen - Added support for agregated claims.
+* Fix: @rkcreation - Fixed access token not updating user metadata after login.
+* Fix: @danc1248 - Fixed user creation issue on Multisite Networks.
+* Feature: @RobjS - Added plugin singleton to support for more developer customization.
+* Feature: @jkouris - Added action hook to allow custom handling of session expiration.
+* Fix: @tommcc - Fixed admin CSS loading only on the plugin settings screen.
+* Feature: @rkcreation - Added method to refresh the user claim.
+* Feature: @Glowsome - Added acr_values support & verification checks that it when defined in options is honored.
+* Fix: @timnolte - Fixed regression which caused improper fallback on missing claims.
+* Fix: @slykar - Fixed missing query string handling in redirect URL.
+* Fix: @timnolte - Fixed issue with some user linking and user creation handling.
+* Improvement: @timnolte - Fixed plugin settings typos and screen formatting.
+* Security: @timnolte - Updated build tooling security vulnerabilities.
+* Improvement: @timnolte - Changed build tooling scripts.
+
+= 3.8.5 =
+
+* Fix: @timnolte - Fixed missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
+* Fix: @timnolte - Fixed Redirect URL Logic to Handle Sub-directory Installs.
+* Fix: @timnolte - Fixed issue with redirecting user back when the openid_connect_generic_auth_url shortcode is used.
 
 = 3.8.4 =