aad-sso-wordpress icon indicating copy to clipboard operation
aad-sso-wordpress copied to clipboard
verified publisher icon psignoret

Allow for use of env variables to set redirect URIs

Open StoneWaves opened this issue 7 years ago • 7 comments

Load redirect_uri and logout_redirect_uri from an environment variable if its set, otherwise use the value stored in the database.
This allows the redirect uris to be set dynamically for review applications without needing to change a value in the database.

StoneWaves avatar Feb 26 '18 12:02 StoneWaves

Thanks for the pull request! Would you mind elaborating a bit on how this would be used? Could you provide a bit more details on your scenario?

psignoret avatar Feb 26 '18 20:02 psignoret

Would this be better off filtered/hooked instead of using env, so that the behavior could be managed by WordPress plugins?

bradkovach avatar Feb 26 '18 20:02 bradkovach

We have various dynamically generated review environments that share the same database for testing purposes.
This would allow us to override the value that's stored in the database with the URL of each site allowing us to use the plugin for that site and not get redirected somewhere else.

StoneWaves avatar Feb 27 '18 10:02 StoneWaves

Thanks @StoneWaves, that makes sense. I agree with @bradkovach that this would be better implemented with a filter/hook so that the entire config can be overwritten by a different plugin in a more WordPress-y way.

Because this is some very sensitive configuration, we might want to have another setting (one which would not filterable) that enables the filter (e.g. "Allow other plugins to overwrite these settings")). (Though whether or not this is useful is debatable, since another plugin could still get to this data anyway.)

psignoret avatar Feb 27 '18 17:02 psignoret

A define could be used to enable "Allow other plugins to overwrite these settings" and this could be presented in the UI as a warning along the lines of "Other plugins may be able to overwrite these settings. Unset AADSSO_HOOKS_ACTIVE to disable this behavior."

Keeping this toggle in database has no real security benefit, since--as @psignoret mentioned--any plugin can use get_option and update_option or even add_option.

bradkovach avatar Feb 27 '18 20:02 bradkovach

How's that? It's been re-written to just apply filters now, allowing another plugin to pull from environment variables. Let me know if you'd like any changes made.

peterjgordon avatar Jul 24 '18 13:07 peterjgordon

@psignoret, @bradkovach, would appreciate your input here. Is this ready for merge?

peterjgordon avatar Aug 17 '18 08:08 peterjgordon