Currently, the `openid-connect-generic-user` meta flag is set to false when a user logs out (if `link_existing_users` is set), but this doesn't work correctly if a user has more than one login session, because then the other sessions will stop refreshing tokens and act like ordinary WordPress sessions. (And thus will remain live with current permissions even if those permissions have been revoked at the IdP.)
Steps to reproduce:

1. Set up a site with Auto-SSO login mode and "link existing users".
2. Log into the site from two different browsers using OIDC, then explicitly log out of one.
3. Wait for the refresh token to expire, then access the site in the second browser. You should get a refresh error, but instead you get a plain WP session unconnected to OIDC.
The problem is that a user meta flag is global to the user, but what is really needed is to know whether the session is linked to an OIDC session, not the user as a whole.
For my own purposes, I'm working around this with a `get_user_meta` hook which checks that the session is actually OIDC-linked; it does this by adding data to the WP session token in the database (via the `attach_session_information` hook). This then results in the OIDC plugin seeing a fake `openid-connect-generic-user` value that reflects whether the session was started with OIDC, instead of a global flag whose value might be corrupt.

This workaround could be avoided, though, by having `ensure_tokens_still_fresh()` check for a flag in `WP_Session_Tokens::get_instance($user_id)->get(wp_get_session_token())`. The flag would be set by `login_user()`, either via an `attach_session_information` hook, or by directly creating the session token and passing it through to `wp_set_auth_cookie()`.
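The per-session marker described in the workaround above, as an added example that is not the reporter's code and not part of the plugin; it assumes the OIDC callback request can be recognised by the `openid-connect-authorize` query var (labelled as an assumption in the code), and the function names `oidc_session_login_in_progress` and `oidc_current_session_is_linked` are hypothetical.

```php
<?php
// Added example: mark each WP session token with whether it was created by an
// OIDC login, then answer reads of the global 'openid-connect-generic-user'
// user meta from the *current session* instead of from the user row.
// Intended for a must-use plugin; not code from the issue or the plugin.

// ASSUMPTION: the request that ends in wp_set_auth_cookie() during an OIDC
// login carries the plugin's authorize query var. Adjust for your deployment.
function oidc_session_login_in_progress() {
    return isset( $_GET['openid-connect-authorize'] );
}

// 1. Stamp new session tokens. 'attach_session_information' runs inside
//    WP_Session_Tokens::create(), which wp_set_auth_cookie() calls when it is
//    not handed an existing token, so this covers the plugin's login_user().
add_filter( 'attach_session_information', function ( $session, $user_id ) {
    $session['oidc_linked'] = oidc_session_login_in_progress() ? 1 : 0;
    return $session;
}, 10, 2 );

// 2. Read the marker back for the session named by the current auth cookie.
//    WP_Session_Tokens::get() returns null for unknown or expired tokens.
function oidc_current_session_is_linked( $user_id ) {
    $token = wp_get_session_token();
    if ( '' === $token ) {
        return false;
    }
    $session = WP_Session_Tokens::get_instance( $user_id )->get( $token );
    return is_array( $session ) && ! empty( $session['oidc_linked'] );
}

// 3. Short-circuit the meta read the plugin performs. 'get_user_metadata' is
//    the filter behind get_user_meta(); a non-null return replaces the stored
//    value, and an array is unwrapped to its first element when $single is set.
add_filter( 'get_user_metadata', function ( $value, $object_id, $meta_key, $single ) {
    if ( 'openid-connect-generic-user' !== $meta_key ) {
        return $value; // some other key: fall through to the database
    }
    // Only the current request's own session can be inspected; other users'
    // meta reads (admin screens, the login request itself) keep the stored value.
    if ( (int) $object_id !== get_current_user_id() ) {
        return $value;
    }
    return array( oidc_current_session_is_linked( $object_id ) ? 1 : 0 );
}, 10, 4 );
```

With this in place, a logout in one browser destroys only that session token, so the other browser's session still reports itself as OIDC-linked and the plugin keeps refreshing (or failing to refresh) its tokens.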