openid-connect-generic
openid-connect-generic copied to clipboard
oidc-wp
fix(tokens): Fixes the potential of deleting a working refresh_token when no new one is available
All Submissions:
- [x] Have you followed the plugin Contributing guideline?
- [x] Does your code follow the WordPress' coding standards?
- [x] Have you checked to ensure there aren't other open Pull Requests for the same update/change?
Changes proposed in this Pull Request:
save_refresh_token() disregard the existing and still valid refresh_token and replace it with false (since the response to a renewal does not contain it)
Closes #404
How to test the changes in this Pull Request:
- Use Google OIDC with refresh token
add_filter( 'openid-connect-generic-auth-url', function( string $url ) {
return $url . '&access_type=offline&prompt=consent';
});
- Connect
- See from your logs that, without this PR you're disconnect after 1h (the first call to
refresh_token)
Other information:
- [x] Have you added an explanation of what your changes do and why you'd like us to include them?
- [ ] Have you written new tests for your changes, as applicable?
- [ ] Have you successfully run tests with your changes locally?
Changelog entry
Do not empty refresh_token if renewed access tokens do not come with new refresh_token.
We have been using this in -production to fix our GSuite 1h-disconnection problems and this has been confirmed to work.
@drzraf so actually, in doing some digging on this subject to make sure that things are being handled properly, and to specs. I happened upon an actual reason for why you were having this issue. It has been on the table to quite some time to replace much of the core functionality with a standard Composer package. I happened upon this issue:
https://github.com/jumbojett/OpenID-Connect-PHP/issues/286
Which further took me here:
https://stackoverflow.com/a/65702100
Basically, what is happening is that once you authenticate the first time with Google you won't get a new refresh token un later requests without using prompt=consent or approval_prompt=force and access_type=offline. This is apparently not well documented with Google/GSuite. I'm not inclined to include this PR as I think there is more to the fix that is really required.
An additional follow-up that I happened to come across this MU Plugin that is essentially an add-on for this plugin that addresses the Google refresh token issue.
https://gitlab.com/animalequality/wp-openid/-/blob/master/wp-openid.php
https://gitlab.com/animalequality/wp-openid/-/blob/master/wp-openid.php
I wrote this code, and having a filter to customize the request (adding prompt=consent) is nice but it doesn't free this plugin from the responsibility of behaving correctly by not emptying an existing/valid refresh token which is what this PR is about.
@drzraf from what I see this isn't some clear problem specifically with this plugin as an issue with Google specifically. I didn't close the PR or issue I simply postponed it until I can find some very clear documentation on all of the handling and can test with other IDPs. The very fact the the code submitted has a comment regarding the scenario of what if the token was actually expired and the comment said "dunno" is not a very confident response to the proper way this should be handled.
All of the notes I made were in regards to doing actual research into this issue to ensure that the correct solution is implemented and not just something that appears to be a fox for 1 IDP or use case.