its-webhosting / umich-oidc-login

WordPress plugin for restricting access to the whole site or only certain parts based on OIDC login and group membership information
GNU General Public License v3.0
6 stars, 4 forks

/login URL alias endless authentication loop #2

Closed nobleclem closed 1 year ago

nobleclem commented 1 year ago

If you use this alias with this plugin, you will end up in an endless authentication loop: WP Login -> OIDC -> WP Login -> OIDC ....

The issue starts in wp-includes/canonical.php, function wp_redirect_admin_locations(), which handles the /login -> /wp-login.php redirect. This function calls wp_login_url(), which in turn calls UMich_OIDC_Login\Core\OIDC::login_url. At this point things start to go wrong, as UMich_OIDC_Login\Core\OIDC::get_current_url looks at the REQUEST_URI, which is that of /login and not the passed /wp-login.php.

Not knowing the reasons for everything, the only solution I can think of that works is (in UMich_OIDC_Login\Core\OIDC::login_url):

Alternatively, you would need to check for REQUEST_URI being equal to either of these and use / instead.

Let me know if you have any questions.
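As an added illustration of the reporter's alternative suggestion (checking REQUEST_URI against the login paths and falling back to /), the following standalone PHP is not the plugin's code and not the fix shipped in bdc8d2f. The function name, the `$home_url` parameter and the sample URIs are assumptions made for this example; it calls no WordPress functions so it can be run on its own.

```php
<?php
// Added example, not code from the umich-oidc-login plugin and not the bdc8d2f fix.
// It implements the reporter's idea: never use /login or /wp-login.php, taken
// from REQUEST_URI, as the post-login destination; use the site root instead.
// Function name and the $home_url parameter are assumptions for this illustration.

/**
 * Return the URL the OIDC flow should send the browser back to, derived from
 * REQUEST_URI, but never pointing at a login endpoint.
 *
 * /login is an alias that wp_redirect_admin_locations() turns into /wp-login.php.
 * If either path becomes the return URL, the browser is sent straight back into
 * the login handler and the loop WP Login -> OIDC -> WP Login -> ... begins.
 */
function umich_example_return_url( string $request_uri, string $home_url ): string {
    // Login endpoints that must not be used as a destination.
    $login_paths = array( '/login', '/wp-login.php' );

    // Look only at the path; a query string such as ?redirect_to=... is irrelevant here.
    $path = parse_url( $request_uri, PHP_URL_PATH );
    if ( ! is_string( $path ) || $path === '' ) {
        $path = '/';
    }
    // Normalise a trailing slash so "/login/" matches "/login".
    $normalized = ( $path !== '/' ) ? rtrim( $path, '/' ) : '/';

    $base = rtrim( $home_url, '/' );

    if ( in_array( $normalized, $login_paths, true ) ) {
        // Break the loop: send the user to the site root instead of the login page.
        return $base . '/';
    }

    // Any other page is a legitimate place to return to after authentication.
    return $base . $request_uri;
}

// Demonstration with constructed inputs (not taken from a real site).
$home = 'https://example.test';
$sample_uris = array(
    '/login',
    '/login/',
    '/wp-login.php?redirect_to=%2Fwp-admin%2F',
    '/some-page/?x=1',
);
foreach ( $sample_uris as $uri ) {
    printf( "%-45s -> %s\n", $uri, umich_example_return_url( $uri, $home ) );
}
```

The first three sample URIs all resolve to the site root, which is what stops the redirect chain; the ordinary page URI is passed through unchanged. Comparing only the normalised path, rather than the whole REQUEST_URI string, is what keeps `/wp-login.php?redirect_to=...` from slipping past the check.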

markmont commented 1 year ago

Thanks for reporting this. I'll look at it over the next few days and will keep you updated regarding a fix. I hope to have a fix for this in a beta release of 1.2.0 next week with a general release around the time WordPress 6.3 is available (currently around August 8).

markmont commented 1 year ago

I apologize for letting this sit for so long! A fix (bdc8d2f) for this problem is now available in a beta release, version 1.2.0-beta1. To test this beta release, you will need to download the .zip file and use its contents to manually replace the wp-content/plugins/umich-oidc-login folder in your installation of WordPress. If all goes well, I plan on releasing version 1.2.0 via the WordPress plugin directory in mid-September.

Please let me know if you discover any problems in the beta release.

markmont commented 1 year ago

Version 1.2.0, which contains the fix for this issue, has been released and published in the WordPress plugin directory.