
Lost 'code' during token request in OpenID Connect

Open lokzzor opened this issue 8 months ago • 4 comments

Describe the bug

After authentication through the OIDC provider, when requesting a token, the code is lost.

To Reproduce

Steps to reproduce the behavior:

  1. Install and activate the OpenID Connect - Generic Client plugin.
  2. Fill in the fields: Client ID, Client Secret Key, OpenID Scope, Login Endpoint URL, Userinfo Endpoint URL, Token Validation Endpoint URL.
  3. Enable logging.
  4. Enable Alternate Redirect URI without updating permalinks.
  5. Attempt to authenticate and observe the response.

Screenshots

Not applicable.

Expected behavior

The code should be correctly received and used to request the token.

Isolating the problem (mark completed items with an [x]):

  • [x] I have deactivated other plugins and confirmed this bug occurs when only this plugin is active.
  • [x] This bug happens with a default WordPress theme active.
  • [x] I can reproduce this bug consistently using the steps above.

WordPress Environment

  • PHP Version: 8
  • WordPress Version: 6.5.4
  • Plugin Version: 3.10.0
  • Relevant Plugin Settings: Enabled logging, Alternate Redirect URI

Additional Logs

Here are the relevant logs:

Date: 2024-06-11 12:51:06 Type: make_authentication_url User: 0 URI: /wp-login.php?login-error=invalid-token-response&message=Invalid+token+response Response Time (sec): string(205) "https:/hide/cgi-bin/authorize?response_type=code&scope=email%20userinfo&client_id=hide&state=hide&redirect_uri=http%3A%2F%2Fhide%2Fopenid-connect-authorize"

Date: 2024-06-11 12:51:06 Type: invalid-token-response URI: /openid-connect-authorize?code=&state=hide Response Time (sec): string(22) "Invalid token response"

Date: 2024-06-11 12:51:06 Type: request_authentication_token URI: /openid-connect-authorize?code=&state=hide Response Time (sec): string(35) "https://hide/cgi-bin/token"

Type: make_authentication_url string(205) "https://hide/cgi-bin/authorize?response_type=code&scope=email%20userinfo&client_id=hide&state=hide&redirect_uri=hide%2Fopenid-connect-authorize"

P.S. I enabled the Alternate Redirect URI without updating the permalinks, which redirected to a non-existent page with /openid-connect-authorize?code=*&state=**. At this point, I realized that the code is being sent to the application.

lokzzor avatar Jun 11 '24 13:06 lokzzor
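The log above shows the callback arriving as `/openid-connect-authorize?code=&state=hide`, i.e. with an empty `code` parameter, and the client still proceeding to the token endpoint and then logging a generic "Invalid token response". The following is an added example, not code from the openid-connect-generic plugin, showing the validation a redirect-URI handler should do before any token request: confirm `state` matches the stored value, distinguish a missing `code` from an empty one, surface a specific reason in the log, and only then build the token request with the same `redirect_uri` that was sent in the authorization request (RFC 6749 sections 4.1.2 and 4.1.3). It is written in Python rather than the plugin's PHP so it can run stand-alone; the callback URIs and the value "hide" are constructed from the redacted log lines, and the function names are this example's own.

```python
"""Validate an OpenID Connect authorization-code callback before requesting a token.

Added example (not code from the openid-connect-generic plugin). It models the
check a redirect-URI handler should perform: `state` must match the value stored
when the authorization URL was built, and `code` must be present and non-empty;
only then is a token request assembled. The sample callback URIs are constructed
from the issue's log lines.
"""
from urllib.parse import parse_qs, urlencode, urlsplit


def parse_authorization_response(callback_uri: str, expected_state: str) -> dict:
    """Parse the query string of the redirect-URI request and validate it.

    Returns a dict with ``ok`` (bool), ``reason`` (str) and, on success, ``code``.
    ``keep_blank_values=True`` matters: without it ``code=`` is silently dropped
    and an empty parameter becomes indistinguishable from a missing one.
    """
    query = parse_qs(urlsplit(callback_uri).query, keep_blank_values=True)

    # RFC 6749 section 4.1.2.1: the provider may return an error instead of a code.
    if "error" in query:
        desc = query.get("error_description", [""])[0]
        return {"ok": False, "reason": f"provider error: {query['error'][0]} {desc}".strip()}

    # Reject the response before touching `code` if `state` does not match what
    # this client stored for the session (CSRF protection for the callback).
    state = query.get("state", [""])[0]
    if not expected_state or state != expected_state:
        return {"ok": False, "reason": "state mismatch or missing"}

    code_values = query.get("code")
    if code_values is None:
        return {"ok": False, "reason": "authorization code parameter missing"}
    code = code_values[0]
    if code == "":
        # This is the shape of the URI in the issue's log:
        #   /openid-connect-authorize?code=&state=hide
        return {"ok": False, "reason": "authorization code parameter is empty"}

    return {"ok": True, "reason": "", "code": code}


def build_token_request(code: str, client_id: str, client_secret: str,
                        redirect_uri: str) -> dict:
    """Assemble the form body for the token endpoint (RFC 6749 section 4.1.3).

    ``redirect_uri`` must be exactly the value sent in the authorization request;
    a conforming provider rejects the exchange otherwise.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def handle_callback(callback_uri: str, expected_state: str, client_id: str,
                    client_secret: str, redirect_uri: str) -> dict:
    """Validate the callback and, on success, return the encoded token request body."""
    result = parse_authorization_response(callback_uri, expected_state)
    if not result["ok"]:
        # Log the concrete reason instead of a generic "Invalid token response";
        # the token endpoint has not been contacted at this point.
        return {"ok": False, "log": f"authorization response rejected: {result['reason']}"}
    body = build_token_request(result["code"], client_id, client_secret, redirect_uri)
    return {"ok": True, "token_request_body": urlencode(body)}


if __name__ == "__main__":
    # Constructed inputs: the first mirrors the issue's log line, the second is
    # what a successful callback looks like. "hide" stands in for redacted values.
    REDIRECT_URI = "http://hide/openid-connect-authorize"
    for uri in ("/openid-connect-authorize?code=&state=hide",
                "/openid-connect-authorize?code=constructed-code-123&state=hide"):
        print(uri, "->", handle_callback(uri, "hide", "hide", "hide", REDIRECT_URI))
```

Run against the logged URI, `handle_callback` stops with "authorization code parameter is empty" and never builds a token request, which is the log entry a user would need to see in place of "Invalid token response". Note also that the two `make_authentication_url` entries in the log carry different `redirect_uri` values (one with the `http://` scheme, one without); the token request must reuse the exact value from the authorization request, which is why `build_token_request` takes it as an explicit argument rather than recomputing it.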