
Redirect Back to Origin & Too Many Redirects (Azure AD confirmed)

Open timnolte opened this issue 3 years ago • 6 comments

Describe the bug


When the "Redirect Back to Origin" option is turned on, a condition can arise, confirmed with Azure AD, where the WordPress site enters a redirect loop, causing a "Too many redirects" error and multiple attempts to reuse the authentication code with the Azure IDP, ending in an error. However, navigating directly to the WordPress Dashboard after the error seems to allow users to access the Dashboard. If an attempt is made to manually click the SSO login button on the login screen after the authentication-code-related error occurs, then the too many redirects issue continues to happen.

To Reproduce

Steps to reproduce the behavior:

  1. Auto-SSO turned on & Redirect Back to Origin.
  2. Navigate to the WordPress login screen.
  3. Authenticate with Azure AD.
  4. See browser redirects error, and then ultimately a grants error related to the authentication code being reused.

Expected behavior


With "Redirect Back to Origin" enabled, redirect handling should be set up to prevent a potential redirection loop.

Isolating the problem (mark completed items with an [x]):

  • [x] I have deactivated other plugins and confirmed this bug occurs when only this plugin is active.
  • [x] This bug happens with a default WordPress theme active.
  • [ ] I can reproduce this bug consistently using the steps above. (No)

WordPress Environment

  • Website URL: https://www.generationafricavoices.org/
  • PHP Version: 7.3
  • WordPress Version: 5.4.x
  • Plugin Version: 3.8.5
  • Identity Provider: Azure AD
  • Relevant Plugin Settings: Redirect Back to Origin enabled.

timnolte avatar Jun 09 '21 13:06 timnolte

Additional testing, on a different site that is presenting the issue, shows that after Azure AD authenticates the user and sends them back to the Redirect URI a redirection to the WordPress Dashboard is happening but it is triggering an SSO login attempt/redirect again.

timnolte avatar Jun 10 '21 14:06 timnolte

Looking at user metadata, it appears in test cases that the session_tokens is blowing up with many tokens all being present. On the particular case where this is happening there is Azure AD to WordPress Role mapping set up. This is currently being accomplished by removing all of a user's roles, adding the mapped roles, and then removing the user's session data and calling wp_login to log the user back in. However, this logic may in fact be contributing to the cause of the redirect loop.

timnolte avatar Jun 10 '21 15:06 timnolte


I am now getting this error too. After just recently posting my trouble. Is there a solution?

CyberSauce avatar Jun 11 '21 20:06 CyberSauce

No there isn't a solution as there is no consistent way to reproduce the issue as of yet.

timnolte avatar Jun 11 '21 21:06 timnolte

Latest investigation indicates that Cloudflare full page caching on a WordPress site seems to contribute to this issue. In testing environments, without Cloudflare, I cannot reproduce this issue. Further investigation is needed to determine a fix while running under Cloudflare full page caching.

timnolte avatar Jul 14 '21 21:07 timnolte

Further testing and production observations indicate there is also an issue with how sites are configured to redirect users from HTTP->HTTPS. If the site manages to load in some form and captures a redirect URL of http, but the configured redirect URI in the IDP is https, this seems to cause an issue with too many redirects as well.

timnolte avatar Jul 22 '21 03:07 timnolte
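As an added illustration of the safeguard this thread points at (this is not the plugin's own code), a helper that forces a captured origin URL onto the site's own scheme and host before it is stored as the post-login target, and refuses any origin that points back into the login flow. The function name, its parameters and the default login paths are assumptions; the plugin's real callback path should be substituted.

```php
<?php
// Added example, not part of openid-connect-generic. Normalises a captured
// "Redirect Back to Origin" URL so that (a) an http origin captured behind an
// https redirect URI is rewritten to the site's scheme, (b) off-site hosts are
// never used (open-redirect guard), and (c) the login screen / OIDC callback
// are never used as the target, which is the loop described in the issue.

/**
 * @param string   $origin      URL captured from the incoming request.
 * @param string   $site_url    Canonical site URL (e.g. home_url('/') in WordPress).
 * @param string   $fallback    Safe URL to use when $origin is unusable.
 * @param string[] $login_paths Path prefixes that must never be redirect targets
 *                              (assumed defaults; use the plugin's real callback).
 */
function oidc_safe_origin_redirect(
    string $origin,
    string $site_url,
    string $fallback,
    array $login_paths = array( '/wp-login.php', '/openid-connect-authorize' )
): string {
    $site   = parse_url( $site_url );
    $target = parse_url( $origin );

    if ( ! $site || ! $target || empty( $site['host'] ) || empty( $target['host'] ) ) {
        return $fallback;
    }
    // Only redirect to our own host; anything else would be an open redirect.
    if ( strcasecmp( $target['host'], $site['host'] ) !== 0 ) {
        return $fallback;
    }
    $path = $target['path'] ?? '/';
    foreach ( $login_paths as $loop_path ) {
        if ( strpos( $path, $loop_path ) === 0 ) {
            return $fallback;   // would re-enter the SSO flow: loop
        }
    }
    // Rebuild on the site's scheme, discarding the scheme the page captured
    // (it may be http when served through a cache or before the HTTPS redirect).
    $url = ( $site['scheme'] ?? 'https' ) . '://' . $site['host'] . $path;
    if ( ! empty( $target['query'] ) ) {
        $url .= '?' . $target['query'];
    }
    return $url;
}

// Constructed inputs: http origin on an https site is rewritten; the login
// page and a foreign host both fall back to the dashboard.
$dash = 'https://example.org/wp-admin/';
echo oidc_safe_origin_redirect( 'http://example.org/news/?p=3', 'https://example.org/', $dash ), "\n";
echo oidc_safe_origin_redirect( 'https://example.org/wp-login.php', 'https://example.org/', $dash ), "\n";
echo oidc_safe_origin_redirect( 'https://evil.example/x', 'https://example.org/', $dash ), "\n";
```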