Closed danielmcquillen closed 7 years ago
It may be that my client is stripping the action=openid-connect-authorize GET variable from the response URI.
... if that's the case, is there a way to configure openid-connect-generic so that it uses a specific URL rather than admin-ajax.php?action=openid-connect-authorize ?
That sounds like it could be the problem. WP's ajax API returns 0 when it fails. I don't currently have a way to change the URL in the plugin, but that is a feature I could look at. Alternatively, is there a way to whitelist that query variable from your client?
I'll look at adding configuration for a custom URL.
Thanks @daggerhart. I'm looking into the other side of this now. I'm using an Open edX system as the OP. Open edX is built on Django, and they override a bunch of Django plugins that provide OAuth2 and then OpenID Connect features. I can see that it saves the callback URI correctly, so I think in the actual code that builds the response it's stripping out that first GET var. I don't see an obvious way to whitelist query vars, but I'll keep digging.
If you do create a custom URL that avoids the need to set a callback URI with that action GET variable, that would be most awesome. I'm hoping that would be an easy way around the issue.
@daggerhart am I right in thinking that one approach would be to use the WP API to create a more conventional callback URL (with no 'action' GET variable) for the authorize callback? http://v2.wp-api.org/extending/adding/
@danielmcquillen maybe possible to use mod_rewrite to make a special url without query string ? just throwing out ideas.
@danielmcquillen I've added an alternate redirect_uri to the dev branch. You'll need to enable it on the settings page, then flush the rewrite cache by saving the Permalinks settings page. Let me know if you have any issues.
Awesome @daggerhart ... we've pushed off the SSO thing but will probably circle back to it, and will try out the redirect_uri when we do! @rwasef1830 thanks for the suggestion but looks like this recent change will work for us.
Just in case anybody else stumbled over this, hoping to get Django's django-oidc-provider working with this here project:

In Django's Admin:
Name: example
Client Type: confidential
Response Type: code (Authorization Code Flow)
Redirect URIs: https://examplewordpress.com/wp-admin/admin-ajax.php?action=openid-connect-authorize
JWT Algorithm: HS256
Require: optional (your choice)
Reuse: optional (your choice)
Client ID & Client SECRET: well obviously you wanna copy that to WordPress
Scopes: email profile openid
Save.

WordPress' OpenID-Connect-Generic:
Client ID: from Django
Secret Key: from Django
OpenID Scope: email profile openid
Login Endpoint URL: https://mydjangoproject.com/openid/authorize
Userinfo Endpoint URL: https://mydjangoproject.com/openid/userinfo
Token Validation Endpoint URL: https://mydjangoproject.com/openid/token
End Session Endpoint URL: https://mydjangoproject.com/openid/end-session
Identity Key: preferred_username
the rest is probably up to you :)
Thanks authors for this great library!
I'm experimenting with it to connect a WordPress site (client) with a Django-based site that serves as the OP.
However, after the Django site authenticates the user, it returns to the WP site where the page just has a "0" ... nothing more. The url is https://(my test WP site).org/wp-admin/admin-ajax.php?state=(some long string of numbers)&code=(some long string of numbers).
I do know the authentication went through ok, as if I go back to the Django site my user is logged in.
I checked the "Enabled logging" feature in the OpenID Connect Client admin page, but no log messages are showing under the "Log" header at the bottom of the page.
I'll keep digging but just wanted to see if anybody had thoughts on how to approach this particular issue?
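The failure described in this thread (the OP redirects back to admin-ajax.php with only state and code, the registered action parameter is gone, and WordPress answers "0") is exactly what an OP-side or troubleshooting check of the redirect_uri catches. The following is an added example, not code from the plugin or from django-oidc-provider; the URLs are modelled on the ones quoted above, and the state and code values are placeholders.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed values modelled on the URLs quoted in this thread; the state
# and code values are placeholders, not real authorization data.
REGISTERED_REDIRECT_URI = (
    "https://examplewordpress.com/wp-admin/admin-ajax.php"
    "?action=openid-connect-authorize"
)
RETURNED_CALLBACK_URL = (
    "https://examplewordpress.com/wp-admin/admin-ajax.php"
    "?state=PLACEHOLDER_STATE&code=PLACEHOLDER_CODE"
)

# Parameters an OP legitimately appends to the registered redirect_uri.
RESPONSE_PARAMS = {"code", "state", "error", "error_description", "id_token"}


def check_redirect_uri(registered: str, callback: str) -> dict:
    """Compare a callback URL against the registered redirect_uri.

    OAuth 2.0 / OpenID Connect expect the OP to send the user back to the
    registered value unchanged, adding only its own response parameters.
    Every registered query parameter must survive with the same value; for
    this plugin a missing 'action' means admin-ajax.php never dispatches
    to the plugin's handler and simply prints "0".
    """
    reg, cb = urlsplit(registered), urlsplit(callback)
    reg_params = dict(parse_qsl(reg.query, keep_blank_values=True))
    cb_params = dict(parse_qsl(cb.query, keep_blank_values=True))
    base_matches = (reg.scheme, reg.netloc, reg.path) == (cb.scheme, cb.netloc, cb.path)
    # Registered parameters dropped or altered on the way back.
    missing = {k: v for k, v in reg_params.items() if cb_params.get(k) != v}
    # Anything that is neither registered nor a standard response parameter.
    unexpected = sorted(k for k in cb_params
                        if k not in reg_params and k not in RESPONSE_PARAMS)
    return {
        "base_matches": base_matches,
        "missing": missing,
        "unexpected": unexpected,
        "ok": base_matches and not missing and not unexpected,
    }


if __name__ == "__main__":
    for key, value in check_redirect_uri(REGISTERED_REDIRECT_URI, RETURNED_CALLBACK_URL).items():
        print(f"{key}: {value}")
```

Run against the thread's URLs it reports missing={'action': 'openid-connect-authorize'} and ok=False, which is the misconfiguration that daggerhart's query-string-free alternate redirect_uri sidesteps.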