oidc-wp / openid-connect-generic

WordPress plugin to provide an OpenID Connect Generic client
https://wordpress.org/plugins/daggerhart-openid-connect-generic/

Lost 'code' during token request in OpenID Connect #547

Open lokzzor opened 3 weeks ago

lokzzor commented 3 weeks ago

Describe the bug
After authentication through the OIDC provider, when requesting a token, the code is lost.

To Reproduce
Steps to reproduce the behavior:

  1. Install and activate the OpenID Connect - Generic Client plugin.
  2. Fill in the fields: Client ID, Client Secret Key, OpenID Scope, Login Endpoint URL, Userinfo Endpoint URL, Token Validation Endpoint URL.
  3. Enable logging.
  4. Enable Alternate Redirect URI without updating permalinks.
  5. Attempt to authenticate and observe the response.

Screenshots
Not applicable.

Expected behavior
The code should be correctly received and used to request the token.

Isolating the problem (mark completed items with an [x]):

WordPress Environment

Additional Logs

Here are the relevant logs:

Date: 2024-06-11 12:51:06
Type: make_authentication_url
User: 0
URI: /wp-login.php?login-error=invalid-token-response&message=Invalid+token+response
Response Time (sec):
string(205) "https:/hide/cgi-bin/authorize?response_type=code&scope=email%20userinfo&client_id=hide&state=hide&redirect_uri=http%3A%2F%2Fhide%2Fopenid-connect-authorize"

Date: 2024-06-11 12:51:06
Type: invalid-token-response
URI: /openid-connect-authorize?code=&state=hide
Response Time (sec):
string(22) "Invalid token response"

Date: 2024-06-11 12:51:06
Type: request_authentication_token
URI: /openid-connect-authorize?code=&state=hide
Response Time (sec):
string(35) "https://hide/cgi-bin/token"

Type: make_authentication_url
string(205) "https://hide/cgi-bin/authorize?response_type=code&scope=email%20userinfo&client_id=hide&state=hide&redirect_uri=hide%2Fopenid-connect-authorize"

P.S. I enabled the Alternate Redirect URI without updating the permalinks, which redirected to a non-existent page with /openid-connect-authorize?code=*&state=**. At this point, I realized that the code is being sent to the application.

timnolte commented 3 weeks ago

@lokzzor if you didn't update the permalinks and actually saw it working, then what is it that makes you think that it isn't working?

I will do some checks in our testing environment with some of our IDPs. Also, which IDP are you using?

lokzzor commented 3 weeks ago

IDP - OAuth.

I didn't express myself clearly. I need to understand whether the code was returned to the site after authentication. I updated the permalinks according to the instructions (although I didn't notice this requirement immediately). Currently, the permalink structure is set to 'Post name'. I just need to figure out what the problem is, as I don't have the opportunity to ask questions to the IDP, which uses OAuth. I need to determine whether the issue is on the plugin side or the IDP side.

lokzzor commented 3 weeks ago

[image] Isn't this normal behavior?

timnolte commented 3 weeks ago

I need to double check the logging settings as it's possible that:

  1. The logging is intentionally removing the code value. (Which I should really just obfuscate.) I just updated the logging code recently to track processing time.
  2. During the recent logging code change there was a bug that isn't outputting the code, or even an obfuscated version of it.
  3. The code isn't being returned from your IDP.

You mention that your IDP is using OAuth; are you certain your IDP actually supports OpenID Connect? This plugin is not just an OAuth plugin, and a provider that supports/uses OAuth doesn't mean they actually support OpenID Connect. Can you confirm what IDP you are using? If the IDP is not a large platform like Google/Microsoft/AWS, then it is also possible that your IDP is not properly implementing OpenID Connect or the Authorization Code Flow.
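The thread leaves three candidate causes open: the log deliberately drops the code, a logging bug drops it, or the provider never sent it. The following is an added example, not code from the openid-connect-generic plugin or from either participant, written in Python rather than the plugin's PHP so it can be run stand-alone. It takes the authorize URL the client built and the callback URI the provider redirected to (constructed samples shaped like the issue's log lines, with "hide" kept as a placeholder host and a made-up code value) and separates "code absent", "code present but empty", "state mismatch" and "callback path differs from the registered redirect_uri" before any token request is attempted. It also shows the obfuscated logging timnolte mentions: the code is masked, not dropped, so a log can still prove whether one arrived. The `openid` scope check is the standard OIDC Core requirement, not something the issue states about this deployment.

```python
"""Diagnostic checks for an OpenID Connect authorization-code callback.

Added example (not the plugin's code). Given the authorize request the client
sent and the callback the provider redirected to, report whether a token
request can proceed and, if not, which side of the exchange to look at.
"""
from urllib.parse import urlsplit, parse_qs
import hmac

# Constructed samples modelled on the issue's log lines; "hide" stands in for
# the real host and the code value is made up.
AUTHORIZE_URL = ("https://hide/cgi-bin/authorize?response_type=code"
                 "&scope=email%20userinfo&client_id=hide&state=abc123"
                 "&redirect_uri=http%3A%2F%2Fhide%2Fopenid-connect-authorize")
CALLBACK_EMPTY_CODE = "/openid-connect-authorize?code=&state=abc123"
CALLBACK_OK = "/openid-connect-authorize?code=SplxlOBeZQQYbYS6WxSbIA&state=abc123"


def _param(query, name):
    """First value of a query parameter, or None when the parameter is absent."""
    values = query.get(name)
    return values[0] if values else None


def redact(secret, keep=4):
    """Obfuscate a code or token for log output: keep a short prefix, mask the rest.

    An empty or missing value is reported as such rather than silently dropped,
    so the log still answers "did a code arrive at all?"."""
    if not secret:
        return "<empty>"
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def check_authorize_url(url):
    """Return a list of problems with the request the client sends to the provider."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    problems = []
    if _param(q, "response_type") != "code":
        problems.append("response_type must be 'code' for the Authorization Code Flow")
    if "openid" not in (_param(q, "scope") or "").split():
        problems.append("scope does not contain 'openid' (required by OIDC Core 3.1.2.1)")
    if not _param(q, "state"):
        problems.append("missing state parameter")
    if not _param(q, "redirect_uri"):
        problems.append("missing redirect_uri")
    return problems


def check_callback(callback_uri, authorize_url, expected_state):
    """Classify the provider's redirect back to the client.

    Returns (ok, reason, redacted_code). Only when ok is True should the
    client POST the code to the token endpoint."""
    cb = urlsplit(callback_uri)
    q = parse_qs(cb.query, keep_blank_values=True)
    registered = urlsplit(_param(parse_qs(urlsplit(authorize_url).query), "redirect_uri") or "")
    code = _param(q, "code")
    state = _param(q, "state") or ""
    error = _param(q, "error")

    if cb.path != registered.path:
        return (False, f"callback path {cb.path!r} differs from registered redirect_uri "
                       f"path {registered.path!r}", redact(code))
    if error:
        return False, f"provider returned error={error}", redact(code)
    # Constant-time comparison of the CSRF token bound to this login attempt.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return False, "state mismatch: stale session or forged callback", redact(code)
    if code is None:
        return False, "no code parameter: provider did not issue one", redact(code)
    if code == "":
        return (False, "code parameter present but empty: provider sent an empty value, "
                       "or it was stripped before logging", redact(code))
    return True, "code received; proceed to token request", redact(code)


if __name__ == "__main__":
    print("authorize request problems:", check_authorize_url(AUTHORIZE_URL))
    for uri in (CALLBACK_EMPTY_CODE, CALLBACK_OK):
        ok, reason, shown = check_callback(uri, AUTHORIZE_URL, "abc123")
        print(f"{uri} -> ok={ok} code={shown} ({reason})")
```

Run against the log-shaped sample, the empty-code callback is reported as "present but empty", which is what the issue's `code=&state=hide` line shows; if the plugin's log printed the masked form instead of the raw value, that line alone would distinguish an empty value from one removed by the logger.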