Adding refresh token support; adjusting default scope #456
Conversation
There was a problem hiding this comment.
- Keeping in mind that refresh tokens can't be revoked, how safe is this storage?
- I find sort of confusing the
auth0_auth_token_scopename, but I guess it can't be changed now? Can you please share a small snippet on how would a user pass this customized value?
| @@ -232,9 +232,13 @@ public function redirect_login() { | |||
| throw new WP_Auth0_LoginFlowValidationException( $e_message, $e_code ); | |||
| } | |||
|
|
|||
| $access_token = $data->access_token; | |||
| $id_token = $data->id_token; | |||
There was a problem hiding this comment.
how can you be so sure that the id_token is present?? you might want to null check like you do for refresh tokens.
There was a problem hiding this comment.
Why wouldn't it be? If I'm requesting it then it should be there if the access token is there, right? Is there a case where I would request both and the id_token is missing?
There was a problem hiding this comment.
only if the response_type includes id_token (i.e. token id_token) the id_token should be present. At least that's how it's supposed to work :D
There was a problem hiding this comment.
Well, this being more of an app than an SDK, that's something the plugin controls and doesn't change. Both flows currently get an id_token and have no reason to change.
There was a problem hiding this comment.
Reading this again after yesterday's discussion, this method handles code exchange redirection so here we have access_token and id_token. No need to null-check them 👍
There was a problem hiding this comment.
I confirmed that OIDC and non-OIDC applications both prove access_token and id_token with response_type=code
| $access_token = $data->access_token; | ||
| $id_token = $data->id_token; | ||
| $refresh_token = isset( $data->refresh_token ) ? $data->refresh_token : null; | ||
|
|
||
| // Decode the incoming ID token for the Auth0 user. | ||
| $decoded_token = JWT::decode( |
There was a problem hiding this comment.
does this work / would it make sense for this to be called if the token is missing?
There was a problem hiding this comment.
My point as well ... we need it for this. I guess we could check for both but seems duplicative.
There was a problem hiding this comment.
What do you mean by both? decode function is only using id_token. And btw access_token is always present.
There was a problem hiding this comment.
Sorry ... both access_token and id_token. They're both returned at the same time so if we have an access_token, we also have an id_token.
| * | ||
| * @return bool | ||
| * | ||
| * @throws WP_Auth0_LoginFlowValidationException - OAuth login flow errors. | ||
| * @throws WP_Auth0_BeforeLoginException - Errors encountered during the auth0_before_login action. | ||
| */ | ||
| public function login_user( $userinfo, $id_token, $access_token ) { | ||
| public function login_user( $userinfo, $id_token = null, $access_token = null, $refresh_token = null ) { |
There was a problem hiding this comment.
Since you're not using the values but passing them to the do_login function, shouldn't these defaults go in that function?
There was a problem hiding this comment.
This is the public method, do_login is private. We don't need to call login_user with values here so I don't want to require them.
lib/WP_Auth0_LoginManager.php
Outdated
| * @param string $id_token - user's ID token returned from Auth0. | ||
| * @param string $access_token - user's access token returned from Auth0; not provided when using implicit_login(). | ||
| * @param null|string $id_token - user's ID token returned from Auth0. | ||
| * @param null|string $access_token - user's access token returned from Auth0; not provided when using implicit. |
There was a problem hiding this comment.
not provided when using implicit.
how not?
There was a problem hiding this comment.
We don't request one and don't need one. We're not pinging back to Auth0 in this case, which is the purpose of implicit, the WP server cannot connect to auth0.com for whatever reason.
There was a problem hiding this comment.
I get it that implicit doesn't receive an access_token since you're not requesting it. Fine. But This method doesn't know if the user called implicit flow or code flow. So, the description of the method should just say that null values are accepted for access_token and refresh_token, just that. And if you want, in the method that handles the implicit result parsing you can add in the docblock that you'll never receive an access_token or refresh_token there.
There is no storage here, just the ability to request and the ability to process.
It can, it was introduced for this release ... I'm open to suggestions.
This will be added to the plugin extension docs after release but, in short: function auth0_theme_hook_auth0_auth_token_scope( $scope ) {
$scope[] = 'offline_access';
return $scope;
}
add_filter( 'auth0_auth_token_scope', 'auth0_theme_hook_auth0_auth_token_scope' );☝️ that's how one would add the function auth0_theme_hook_auth0_user_login( $user_id, $userinfo, $is_new, $id_token, $access_token, $refresh_token ) {
echo $refresh_token ? $refresh_token : 'not provided';
die();
}
add_action( 'auth0_user_login', 'auth0_theme_hook_auth0_user_login', 10, 6 );☝️ that's how you would do something with the refresh token. That action runs right after a user is authenticated in WP. |
lib/WP_Auth0_LoginManager.php
Outdated
| @@ -333,7 +337,7 @@ public function implicit_login() { | |||
| // Populate legacy userinfo property. | |||
| $decoded_token->user_id = $decoded_token->sub; | |||
|
|
|||
| if ( $this->login_user( $decoded_token, $token, null ) ) { | |||
| if ( $this->login_user( $decoded_token, $token ) ) { | |||
There was a problem hiding this comment.
Can the $_POST['token'] "token" param be renamed before next release? And please rename $token to $id_token or similar, it's easier to follow up which token is it.
There was a problem hiding this comment.
The key in $_POST cannot, unfortunately. That's the name it's had for a while so changing would be breaking. Just changed the internal var name, good call.
| * | ||
| * @throws WP_Auth0_BeforeLoginException - Errors encountered during the auth0_before_login action. | ||
| */ | ||
| private function do_login( $user, $userinfo, $is_new, $id_token, $access_token ) { | ||
| private function do_login( $user, $userinfo, $is_new, $id_token, $access_token, $refresh_token ) { |
There was a problem hiding this comment.
what's the difference between login_user and do_login methods? can these methods be renamed?
There was a problem hiding this comment.
login_user is called after auth is successful so it decides if someone can login or if we need to make an account. do_login is called if login_user is successful, handles core WP login and hooks.
There was a problem hiding this comment.
can these get renamed to something more clear?
i.e.:
login_user is processing an authentication and deciding what to do next. Shouldn't that be something like process_successful_auth?
and do_login well, it's more straight forward. But it could be do_wp_login
lib/WP_Auth0_LoginManager.php
Outdated
| @@ -462,10 +467,11 @@ public function login_user( $userinfo, $id_token, $access_token ) { | |||
| * @param bool $is_new - `true` if the user was created in the WordPress database, `false` if not. | |||
| * @param string $id_token - user's ID token returned from Auth0. | |||
| * @param string $access_token - user's access token returned from Auth0; not provided when using implicit_login(). | |||
|
About |
joshcanhelp
force-pushed
the
add-refresh-token-support
branch
from
3716c59
to
d99db35
Compare
Adds refresh token support. Developers would add an
offline_accesskey via theauth0_auth_token_scopefilter, then store that token in theauth0_user_loginaction.Also adds a
profilescope to address some missing data in implicit and the /userinfo fallback. Since this PR is addressing scope and I found it while testing this, I added it here even though it's not directly related.Closes #296