add a basic method to refresh user claim outside of this plugin

oidc-wp · Sep 9, 2021 · 1a5fa9b · 1a5fa9b
1 parent 63646ab
commit 1a5fa9b
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 0 deletions.
diff --git a/includes/openid-connect-generic-client-wrapper.php b/includes/openid-connect-generic-client-wrapper.php
@@ -122,6 +122,9 @@ public static function register( OpenID_Connect_Generic_Client $client, OpenID_C
 			add_action( 'wp_loaded', array( $client_wrapper, 'ensure_tokens_still_fresh' ) );
 		}
 
+		// Add user claim refresh callable action.
+		add_action( 'openid-connect-generic-refresh-user-claim', array( $client_wrapper, 'refresh_user_claim' ), 10, 2 );
+
 		return $client_wrapper;
 	}
 
@@ -580,6 +583,65 @@ public function validate_user( $user ) {
 		return true;
 	}
 
+	/**
+	 * Refresh user claim.
+	 * Callable with do_action( 'openid-connect-generic-refresh-user-claim', $user, $token_response );
+	 *
+	 * @param WP_User $user             The user object.
+	 * @param array   $token_response   The token response.
+	 *
+	 * @return void
+	 */
+	public function refresh_user_claim( $user, $token_response ) {
+		$client = $this->client;
+
+		/**
+		 * The id_token is used to identify the authenticated user, e.g. for SSO.
+		 * The access_token must be used to prove access rights to protected
+		 * resources e.g. for the userinfo endpoint
+		 */
+		$id_token_claim = $client->get_id_token_claim( $token_response );
+
+		// Allow for other plugins to alter data before validation.
+		$id_token_claim = apply_filters( 'openid-connect-modify-id-token-claim-before-validation', $id_token_claim );
+
+		if ( is_wp_error( $id_token_claim ) ) {
+			return $id_token_claim;
+		}
+
+		// Validate our id_token has required values.
+		$valid = $client->validate_id_token_claim( $id_token_claim );
+
+		if ( is_wp_error( $valid ) ) {
+			return $valid;
+		}
+
+		// If userinfo endpoint is set, exchange the token_response for a user_claim.
+		if ( ! empty( $this->settings->endpoint_userinfo ) && isset( $token_response['access_token'] ) ) {
+			$user_claim = $client->get_user_claim( $token_response );
+		} else {
+			$user_claim = $id_token_claim;
+		}
+
+		if ( is_wp_error( $user_claim ) ) {
+			return $user_claim;
+		}
+
+		// Validate our user_claim has required values.
+		$valid = $client->validate_user_claim( $user_claim, $id_token_claim );
+
+		if ( is_wp_error( $valid ) ) {
+			$this->error_redirect( $valid );
+			return $valid;
+		}
+
+		// Store the tokens for future reference.
+		update_user_meta( $user->ID, 'openid-connect-generic-last-id-token-claim', $id_token_claim );
+		update_user_meta( $user->ID, 'openid-connect-generic-last-user-claim', $user_claim );
+
+		return $user_claim;
+	}
+
 	/**
 	 * Record user meta data, and provide an authorization cookie.
 	 *

diff --git a/openid-connect-generic.php b/openid-connect-generic.php
@@ -53,6 +53,9 @@
   - openid-connect-generic-state-not-found    - the given state does not exist in the database, regardless of its expiration.
   - openid-connect-generic-state-expired      - the given state exists, but expired before this login attempt.
 
+  Callable actions
+  - openid-connect-generic-refresh-user-claim - refresh user_claim, 2 args: WP_User, token response array
+
   User Meta
   - openid-connect-generic-subject-identity    - the identity of the user provided by the idp
   - openid-connect-generic-last-id-token-claim - the user's most recent id_token claim, decoded