oidc-wp / openid-connect-generic

WordPress plugin to provide an OpenID Connect Generic client
https://wordpress.org/plugins/daggerhart-openid-connect-generic/

Redirect not working at subsite level (unless specifically configured for that particular subsite) #412

Open Leaveyoo opened 2 years ago

Leaveyoo commented 2 years ago

Hi folks,

We're seeing an issue where, with multisite enabled, the authentication for each subsite is delegated to the plug-in configuration at the subsite level (which is empty) instead of the main site (where the OIDC plug-in is configured). In essence:

Is there some glaring configuration we're missing or is this scenario simply not supported?

Many thanks, Liviu

timnolte commented 2 years ago

I'm not sure the multisite has been sufficiently tested. I'll have to look at setting up a couple of multisite instances using subdirectory & subdomain and do some testing.

nranderson commented 2 years ago

I too am having issues with WP Multi-site installations. Our sub-sites are at separate subdomains rather than different /paths. The plugin works for the root site but for any sub-sites at one of the sub-domains we get "invalid-user-claim" as the error. Our settings are identical on the sub-sites as they are on the root site. I'm going to fork and see if I can fix this and then submit a PR.

frietboer commented 1 year ago

We have a mix of subsites and sites with external domains on our multisite installation. Our solution to this problem is that login page of the subsites get redirected to the main site (with a "?redirect_to=" addition). So you only need a single redirect_uri for the connection with the IDP. The external domains are not redirected, but do have to be manually added to the redirect_uri list on our IDP. We have not found a way past this.

MatzeKitt commented 1 year ago

@frietboer May I kindly ask you how you did it? I currently have the same problem and like your solution. So basically I use this method in the init hook, which redirects me to the login page of the primary site with a proper redirect_to:

    public function redirect_to_primary_login_page(): void {
        global $pagenow;

        if ( $pagenow !== 'wp-login.php' ) {
            return;
        }

        if ( isset( $_GET['action'] ) && \sanitize_text_field( \wp_unslash( $_GET['action'] ) ) === 'logout' ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
            return;
        }

        // do nothing for main site ID
        if ( \get_current_blog_id() === \get_main_site_id() ) {
            return;
        }

        $redirect_to = \filter_input( \INPUT_GET, 'redirect_to', \FILTER_SANITIZE_URL );

        if ( ! $redirect_to ) {
            $redirect_to = \admin_url();
        }

        \switch_to_blog( \get_main_site_id() );
        \wp_safe_redirect( \wp_login_url( $redirect_to ) );
        \restore_current_blog();
        exit;
    }

However, since the redirect URI of the plugin stays the same, which means domain.tld/wp-admin/admin-ajax.php?action?openid-connect-authorize, the login redirects to this page, which is then redirected to domain.tld instead of the redirect_to I’ve added to the login URL.

Did I miss something here? (The login mechanism itself does work, though!)

MatzeKitt commented 1 year ago

I just stored the redirect to in a cookie now and redirect it after the login if it’s set.

frietboer commented 1 year ago

I had to add the mapped sites to a whitelist to get this working:

    // Filter to add all subdomains to the wp_safe_redirect whitelist; on a single site ignore...
    add_filter( "allowed_redirect_hosts", "uu_whitelist_all_subdomains" );

    function uu_whitelist_all_subdomains( $hosts ) {
        if ( is_multisite() ) {
            // get_sites() returns WP_Site objects; ->domain is the (mapped) host of each site
            $sites   = get_sites( array( "number" => 5000 ) );
            $domains = array();

            foreach ( $sites as $site ) {
                $domains[] = $site->domain;
            }

            return array_merge( $hosts, $domains );
        } else {
            return $hosts;
        }
    }

maybe this was the issue?

(sorry the code function is not working properly on my browser...?)

MatzeKitt commented 1 year ago

Thank you, I will take a look into it. For my cookie method I also added the hosts accordingly since I wanted to use wp_safe_redirect here.
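The cookie hand-off MatzeKitt describes, combined with frietboer's allowed_redirect_hosts whitelist, as an added example that is not code from the plugin or from either commenter: the stored redirect_to is run through wp_validate_redirect() both when it is saved and when it is consumed, so the cookie cannot become an open redirect. It assumes a subdomain multisite where COOKIE_DOMAIN spans all subsites and PHP 7.3+ (setcookie options array); the cookie name and 5-minute lifetime are invented here.

```php
<?php
// Added example (not the plugin's or a commenter's code); see the lead-in for assumptions.
const OIDC_RT_COOKIE = 'oidc_subsite_redirect_to'; // assumed cookie name

// Whitelist every network site domain so wp_safe_redirect()/wp_validate_redirect()
// accept subsite (and mapped) hosts instead of falling back to the current site.
add_filter( 'allowed_redirect_hosts', function ( array $hosts ): array {
	if ( is_multisite() ) {
		foreach ( get_sites( array( 'number' => 5000 ) ) as $site ) {
			$hosts[] = $site->domain; // WP_Site::$domain
		}
	}
	return array_values( array_unique( $hosts ) );
} );

// Subsite wp-login.php: remember a *validated* target, then hand off to the main site login.
add_action( 'login_init', function (): void {
	if ( ! is_multisite() || get_current_blog_id() === get_main_site_id() ) {
		return;
	}
	if ( 'logout' === filter_input( INPUT_GET, 'action' ) ) {
		return; // let the subsite handle its own logout
	}
	$raw = (string) filter_input( INPUT_GET, 'redirect_to', FILTER_SANITIZE_URL );
	// Unknown host (or no redirect_to at all) falls back to this subsite's admin.
	$target = '' === $raw ? admin_url() : wp_validate_redirect( $raw, admin_url() );
	setcookie( OIDC_RT_COOKIE, $target, array(
		'expires' => time() + 300, 'path' => '/', 'domain' => COOKIE_DOMAIN ?: '',
		'secure'  => is_ssl(), 'httponly' => true, 'samesite' => 'Lax',
	) );
	switch_to_blog( get_main_site_id() );
	$login_url = wp_login_url( $target );
	restore_current_blog();
	wp_safe_redirect( $login_url );
	exit;
} );

// First request after the OIDC login completes: consume the cookie exactly once.
add_action( 'init', function (): void {
	if ( empty( $_COOKIE[ OIDC_RT_COOKIE ] ) || ! is_user_logged_in() ) {
		return;
	}
	// Re-validate: a host not in allowed_redirect_hosts yields '' and is ignored.
	$target = wp_validate_redirect( wp_unslash( $_COOKIE[ OIDC_RT_COOKIE ] ), '' );
	setcookie( OIDC_RT_COOKIE, '', array( 'expires' => time() - 3600, 'path' => '/', 'domain' => COOKIE_DOMAIN ?: '' ) );
	if ( '' !== $target ) {
		wp_safe_redirect( $target );
		exit;
	}
} );
```

The `init` consumer runs on whichever site the OIDC plugin lands the user on after authentication, so it does not depend on the plugin's own post-login redirect behaviour.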