openid-connect-generic
Redirect not working at subsite level (unless specifically configured for that particular subsite)
Hi folks,
We're seeing an issue where, with multisite enabled, the authentication for each subsite is delegated to the plug-in configuration at the subsite level (which is empty) instead of the main site (where the OIDC plug-in is configured). In essence:
- url.com/wordpress redirects to the OIDC provider
- url.com/wordpress/mysite does not redirect

Even if we could manually configure the plug-in for each individual subsite, we would still see a problem with having to add each subsite's Redirect URI to the OIDC configuration (wildcards unfortunately are not allowed over there).
Is there some glaring configuration we're missing or is this scenario simply not supported?
Many thanks, Liviu
I'm not sure the multisite has been sufficiently tested. I'll have to look at setting up a couple of multisite instances using subdirectory & subdomain and do some testing.
I too am having issues with WP Multi-site installations. Our sub-sites are at separate subdomains rather than different /paths. The plugin works for the root site but for any sub-sites at one of the sub-domains we get "invalid-user-claim" as the error. Our settings are identical on the sub-sites as they are on the root site. I'm going to fork and see if I can fix this and then submit a PR.
We have a mix of subsites and sites with external domains on our multisite installation. Our solution to this problem is that the login page of the subsites gets redirected to the main site (with a "?redirect_to=" addition). So you only need a single redirect_uri for the connection with the IDP. The external domains are not redirected, but do have to be manually added to the redirect_uri list on our IDP. We have not found a way past this.
@frietboer May I kindly ask you how you did it? I currently have the same problem and like your solution. So basically I use this method in the `init` hook, which redirects me to the login page of the primary site with a proper `redirect_to`:

```php
public function redirect_to_primary_login_page(): void {
    global $pagenow;

    // Only act on the login screen itself.
    if ( $pagenow !== 'wp-login.php' ) {
        return;
    }

    // Let logout requests run locally on the subsite.
    if ( isset( $_GET['action'] ) && \sanitize_text_field( \wp_unslash( $_GET['action'] ) ) === 'logout' ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
        return;
    }

    // Do nothing for the main site, which hosts the OIDC configuration.
    if ( \get_current_blog_id() === \get_main_site_id() ) {
        return;
    }

    $redirect_to = \filter_input( \INPUT_GET, 'redirect_to', \FILTER_SANITIZE_URL );
    if ( ! $redirect_to ) {
        $redirect_to = \admin_url();
    }

    // Build the main site's login URL and send the browser there.
    \switch_to_blog( \get_main_site_id() );
    \wp_safe_redirect( \wp_login_url( $redirect_to ) );
    \restore_current_blog();
    exit;
}
```
However, since the redirect URI of the plugin stays the same, which means `domain.tld/wp-admin/admin-ajax.php?action=openid-connect-authorize`, the login redirects to this page, which is then redirected to `domain.tld` instead of the `redirect_to` I've added to the login URL.

Did I miss something here? (The login mechanism itself does work, though!)
I just stored the `redirect_to` in a cookie now and redirect to it after the login if it's set.
I had to add the mapped sites to a whitelist to get this working:
```php
// Filter to add all subdomains to the wp_safe_redirect whitelist; if single site, ignore...
add_filter( "allowed_redirect_hosts", "uu_whitelist_all_subdomains" );

function uu_whitelist_all_subdomains( $hosts ) {
    if ( is_multisite() ) {
        $sites   = get_sites( array( "number" => 5000 ) );
        $domains = array();
        foreach ( $sites as $site ) {
            $domains[] = $site->domain;
        }
        return array_merge( $hosts, $domains );
    } else {
        return $hosts;
    }
}
```
maybe this was the issue?
(sorry the code function is not working properly on my browser...?)
Thank you, I will take a look into it. For my cookie method I also added the hosts accordingly since I wanted to use `wp_safe_redirect` here.
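The three pieces discussed in this thread (funnelling subsite logins to the main site, whitelisting network domains for `wp_safe_redirect`, and carrying `redirect_to` across the OIDC round trip in a cookie) combined into one mu-plugin, as an added example that is not code from the plugin or from anyone in this thread; the cookie name and the assumption that openid-connect-generic is configured on the main site only are mine.

```php
<?php
/**
 * Plugin Name: Multisite OIDC login funnel (example, assumed setup)
 * Place in wp-content/mu-plugins/. Assumes openid-connect-generic is
 * configured on the main site only, so it owns the single redirect URI.
 */

// 1. Let wp_safe_redirect()/wp_validate_redirect() accept every site in the network.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    if ( ! is_multisite() ) {
        return $hosts;
    }
    $domains = wp_list_pluck( get_sites( array( 'number' => 5000 ) ), 'domain' );
    return array_values( array_unique( array_merge( $hosts, $domains ) ) );
} );

// 2. Send subsite wp-login.php requests to the main site's login page and
//    remember the validated destination in a short-lived cookie.
add_action( 'init', function () {
    global $pagenow;
    if ( ! is_multisite() || 'wp-login.php' !== $pagenow ) {
        return;
    }
    if ( isset( $_GET['action'] ) && 'logout' === sanitize_text_field( wp_unslash( $_GET['action'] ) ) ) {
        return; // logout keeps running locally on the subsite
    }
    if ( get_current_blog_id() === get_main_site_id() ) {
        return;
    }
    // Reject destinations outside the network (open-redirect guard); fall back to wp-admin.
    $redirect_to = wp_validate_redirect( (string) filter_input( INPUT_GET, 'redirect_to', FILTER_SANITIZE_URL ), admin_url() );
    // COOKIE_DOMAIN defaults to the shared parent domain on subdomain networks, so the
    // main site can read this cookie; mapped external domains will not share it.
    setcookie( 'oidc_redirect_to', $redirect_to, time() + 300, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    switch_to_blog( get_main_site_id() );
    $login_url = wp_login_url( $redirect_to );
    restore_current_blog();
    wp_safe_redirect( $login_url );
    exit;
} );

// 3. Once the OIDC callback has logged the user in on the main site, honour the cookie.
add_action( 'wp_login', function () {
    if ( empty( $_COOKIE['oidc_redirect_to'] ) ) {
        return;
    }
    // Re-validate: the cookie is client-controlled and must not become an open redirect.
    $target = wp_validate_redirect( wp_unslash( $_COOKIE['oidc_redirect_to'] ), '' );
    setcookie( 'oidc_redirect_to', '', time() - 3600, COOKIEPATH, COOKIE_DOMAIN );
    if ( $target ) {
        wp_safe_redirect( $target );
        exit;
    }
} );
```

On large networks, cache the domain list from step 1 (for example with `wp_cache_get`/`wp_cache_set`) rather than calling `get_sites()` on every request.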