SSO between WP and non-WP site

Hi,

Thanks for reaching out! Your question does make sense and I would be happy to answer to the best of my ability.

You are on the right track and I believe that you are farther than you might think you are. Accomplishing what you mentioned is going to be as easy as completing the SSO flow on the client end. You mentioned that you have a client site connected and making authorized calls to the REST API as expected.

The last part of the puzzle that I think you are needing is creating/logging in the user on your client site. People tend to think that the process of SSO is done automatically but the client will need to continue the process once authorized.

You already are getting an access token for a user correct? The next steps are as follows:

– Query the /oauth/me endpoint with the access token and get the user information.
– Use the user information to determine if the user exists in the client site.
– If yes, log the user in. If the user does not, create the user and log the user in.

The above will complete the SSO flow and give allow your users to login only using one login to be signed into two places.

Just a side note. It is the clients responsibility to manage the user session by using the access token as a means to determine if the user should be logged in or not. A simple look at this idea is that is the token is expired, the user is logged out. If the token is valid, the user should remain logged in.

Hope this helps.

Thank you for the prompt reply.

Yes, I totally understand your approach but I think I’m missing 2 points:
1. I can do a /oauth/me just fine and get several users field but not the password
2. I looked but did not find a /login restApi endpoint, do I need to create this or did I miss something

I think that with the above I could just add the login call right after successful /oauth/token call. I could figure out the login endpoint but not sure about the password though unless I create a separate login page/form and save it. what would you do?

Good questions.

So in the SSO world of OAuth, you are not always presented with a password. This is inherently bad for security but in the WP case, the password is hashed and is no good anyways. When a user is registered with SSO, a random password is created. Since the SSO process is considered secure, the user can be programmatically logged in without a password.

There is no log in endpoint. When the user is redirected to the WordPress site to get an access token, they are authorizing. When you get an access token back, you should consider the user logged in.

To put this in perspective. When you use FB to sign into a app or site, your password is not shared and the client generates a random password. The password in the SSO process is never used to create the account.

This can be a bit confusing at first so let me know if I can explain it better or in a different way.

OK, I need to do some testing then to actually see what’s going on.
I will report back soon.

Thank you very much.

You’re very welcome! I will keep an eye out.

not sure if I should start another thread or if its more valuable to keep it here.

anyway, my oauth2 based sso seems to work. users that authenticate via oauth2 are also logged into WP in the background and if they bring up a WP page then it shows the admin bar ok.

The question now is how can I create a single logout? I tried your logout snippet code on github but it doesn’t work and I guess I can see why as the redirect never really can take place since i’m in a different browser tab on a different domain.
I think I’m missing something still. Any idea?

Thanks Frank.

In Frank,

Signing out of of multiple systems is relative to each client and server. The scenarios are endless if the different setups and leave not room for a set standard. What OpenID Connect has added to the OAuth 2.0 is the https://openid.net/specs/openid-connect-session-1_0.html#toc spec.

We have added this to WP OAuth Server and allows you to destroy an access token and subsequently log a user out as well as long as the redirect is in the browser that was used to log in.

The endpoint for this is not available for the free version and is pro only.

The endpoint for the OpenID Connect destroy method is:

/oauth/destroy?access_token=xxx

Hey Justin,

I think I didn’t explain myself very well although your reply answers my subsequent questions.

the problem i see is this:

user logs in via sso/oauth2, I get token and save in session and also user is signed on wordpress. I have a logout page that clears token from session and also calls wp_logout() via new registered route but this logout doesn’t seem to work.

next user logs in using same browser via sso/oauth2, plugin seems smart enough to know wordpress session is ongoing and uses same user id but new token.

I need to force new user to login with his credentials but can’t seem to figure out how to do this as the wp_logout() end point doesn’t seem to work.

I am not using nor plan to use OpenId.

I hope this is better explanation. I am sorry for taking up so much of your time.

Frank.

ok Justin,
we just purchased a business license, I’m hoping the /oauth/destroy will do what I need.

thank you.