Upgraded deployment using Authress managed UI.

Authress_Sso_Login.php

@@ -272,7 +272,7 @@ function authress_sso_login_init() {
 add_action( 'init', 'authress_sso_login_init');
 
 function check_for_user_logged_in() {
-	authress_debug_log('=> check_for_user_logged_in');
+	authress_debug_log('=> check_for_user_logged_in()');
 
 	if (!is_user_logged_in() && isset($_REQUEST['nonce'])) {
 		$users_repo    = new Authress_Sso_Login_UsersRepo( Authress_Sso_Login_Options::Instance() );

contributing.md

@@ -32,3 +32,15 @@ sudo apt install php-xmlwriter php-cli php-curl php-mbstring docker-compose-plug
 To test login, navigate to `http://localhost:8080/wp-login.php`
 * The default login credentials as `admin` - `admin`
 Likewise the admin menu is at: `http://localhost:8080/wp-admin.php`
+
+### WordPress related documented for custom integrations
+* [add_action / add_filter](https://developer.wordpress.org/apis/hooks/filter-reference/#redirect-rewrite-filters)
+
+### Files
+
+* /templates
+    * authress-login-form.php - UI mask for the login box
+* /lib
+    * Authress_Sso_Login_LoginManager.php - Logic for handling authentication
+* /wordpress
+    * Configuration files for the WordPress plugin on WordPress.org

functions.php

@@ -42,6 +42,10 @@ function authress_user_is_currently_on_login_action( array $actions ) {
 		return false;
 	}
 
+	if (isset( $_REQUEST['force'] ) && $_REQUEST['force']) {
+		return true;
+	}
+
 	// Null coalescing validates input variable.
 	return in_array( wp_unslash( $_REQUEST['action'] ?? '' ), $actions, true);
 }

lib/Authress_Sso_Login_Lock.php

@@ -23,7 +23,7 @@ public function __construct( $extended_settings = [], $opts = null ) {
 	 * @param array $specialSettings - Additional settings from widget or shortcode.
 	 */
 	public static function render( $canShowLegacyLogin = true, $specialSettings = [] ) {
-		if (is_user_logged_in() ) {
+		if (is_user_logged_in() && ! isset($_REQUEST['force'])) {
 			return;
 		}
 

lib/Authress_Sso_Login_LoginManager.php

@@ -62,6 +62,11 @@ public function login_auto() {
 			return false;
 		}
 
+		// Do not redirect anywhere if the force action is set
+		if ( authress_user_is_currently_on_login_action( [ 'force' ] ) ) {
+			return false;
+		}
+
 		// Do not redirect login page override.
 		if ( authress_show_user_wordpress_login_form() ) {
 			return false;
@@ -94,6 +99,7 @@ public function init_authress() {
 
 		// Not an Authress login process or settings are not configured to allow logins.
 		if ( ! authress_plugin_has_been_fully_configured() ) {
+			authress_debug_log('    Plugin has not been loaded yet.');
 			return false;
 		}
 
@@ -110,7 +116,7 @@ public function init_authress() {
 		}
 
 		// No need to process a login if the user is already logged in and there is no error.
-		if ( is_user_logged_in() ) {
+		if (is_user_logged_in()) {
 			authress_debug_log('    returning without further setup');
 			return true;
 		}
@@ -145,7 +151,7 @@ public function init_authress() {
 	 */
 	public function handle_login_redirect() {
 		setcookie('authress-authorization-step', 'parse');
-		authress_debug_log('=> handle_login_redirect');
+		authress_debug_log('=> handle_login_redirect()');
 		$access_token = sanitize_text_field(isset($_COOKIE['authorization']) ? wp_unslash($_COOKIE['authorization']) : '');
 		if (!isset($_COOKIE['authorization']) && isset($_REQUEST['access_token'])) {
 			$access_token = sanitize_text_field(wp_unslash($_REQUEST['access_token']));
@@ -234,10 +240,6 @@ public function login_user( $userinfo) {
 		} catch ( Authress_Sso_Login_CouldNotCreateUserException $e ) {
 
 			throw new Authress_Sso_Login_LoginFlowValidationException( $e->getMessage() );
-		} catch ( Authress_Sso_Login_RegistrationNotEnabledException $e ) {
-
-			$msg = __( 'Could not create user. The registration process is not available. Please contact your site’s administrator.', 'wp-authress' );
-			throw new Authress_Sso_Login_LoginFlowValidationException( $msg );
 		}
 		return is_user_logged_in();
 	}

lib/Authress_Sso_Login_Options.php

@@ -239,10 +239,6 @@ public function get_defaults( $keys_only = false ) {
 		return $keys_only ? array_keys( $default_opts ) : $default_opts;
 	}
 
-	public function is_wp_registration_enabled() {
-		return is_multisite() ? users_can_register_signup_filter() : get_site_option( 'users_can_register' );
-	}
-
 	public function get_default( $key ) {
 		$defaults = $this->defaults();
 		return $defaults[ $key ];
@@ -392,7 +388,7 @@ protected function defaults() {
             'skip_strategies'           => '',
             'remember_users_session'    => true,
             'default_login_redirection' => home_url(),
-			'auto_provisioning'         => false,
+			'auto_provisioning'         => true,
             'valid_proxy_ip'            => ''
 
 		];

lib/Authress_Sso_Login_UsersRepo.php

@@ -48,7 +48,6 @@ public function update( $ID, $userinfo ) {
 	 * @return int|null|WP_Error
 	 *
 	 * @throws Authress_Sso_Login_CouldNotCreateUserException - When the user could not be created.
-	 * @throws Authress_Sso_Login_RegistrationNotEnabledException - When registration is not turned on for this site.
 	 */
 	public function create( $userinfo ) {
 
@@ -71,7 +70,8 @@ public function create( $userinfo ) {
 			if ( ! empty( $current_authress_id ) && $authress_sub !== $current_authress_id ) {
 				throw new Authress_Sso_Login_CouldNotCreateUserException( __( 'There is a user with the same email.', 'wp-authress' ) );
 			}
-		} elseif ( $this->a0_options->is_wp_registration_enabled() || $this->a0_options->get( 'auto_provisioning' ) ) {
+		// } elseif ( ( is_multisite() ? users_can_register_signup_filter() : get_site_option( 'users_can_register' ) ) || $this->a0_options->get( 'auto_provisioning' ) ) {
+		} else {
 			// WP user does not exist and registration is allowed.
 			$user_id = Authress_Sso_Login_Users::create_user( $userinfo );
 
@@ -82,9 +82,6 @@ public function create( $userinfo ) {
 				// Registration failed for another reason.
 				throw new Authress_Sso_Login_CouldNotCreateUserException();
 			}
-		} else {
-			// Signup is not allowed.
-			throw new Authress_Sso_Login_RegistrationNotEnabledException();
 		}
 
 		$this->update_authress_object( $user_id, $userinfo );

templates/authress-login-form.php

@@ -2,53 +2,57 @@
 	$authress_options = Authress_Sso_Login_Options::Instance();
 	$wle = 'link';
 	$loginFlowIsPassword = isset($_REQUEST['login']);
+	$showWordPressLogin = (isset($_REQUEST['wle']) || $loginFlowIsPassword) && !isset($_REQUEST['action']);
 ?>
 
 <script type="text/javascript">
-	function loginWithSsoDomain(connectionId, elementId) {
-		if (window.location.search.includes('login')) {
-			return true;
+	function redirectToAuthressManagedLogin(navigateToAuthressLoginFromWordpress = false) {
+		const currentUrl = new URL(window.location.href);
+
+		// Use WordPress login
+		if (currentUrl.searchParams.get('action') || currentUrl.searchParams.get('login') && !navigateToAuthressLoginFromWordpress) {
+			console.log('Found action or login, skipping automatic login.')
+			return false;
 		}
 
-		var loginClickNextButton = document.getElementById(elementId);
-		loginClickNextButton.classList.toggle('loader');
+
+		const forceLogin = currentUrl.searchParams.get('force');
+
 		const authressLoginHostUrl = "<?php echo esc_attr($authress_options->get('customDomain')); ?>";
 		const applicationId = "<?php echo esc_attr($authress_options->get('applicationId')); ?>";
 		const loginClient = new authress.LoginClient({ authressLoginHostUrl, applicationId });
-		const currentUrl = new URL(window.location.href);
-		const redirectUrl = currentUrl.searchParams.get('redirect_to') ? decodeURIComponent(currentUrl.searchParams.get('redirect_to')) : window.location.origin;
-		const userEmailAddress = (document.getElementById('userLogin').value || '');
-		const ssoDomain = userEmailAddress.replace(/[^@]+@(.*)$/, '$1');
-		loginClient.authenticate({ tenantLookupIdentifier: !connectionId && ssoDomain, connectionId, redirectUrl })
+
+		// const redirectUrl = 'http://localhost:8081';
+		const redirectUrl = currentUrl.searchParams.get('redirect_to') ? decodeURIComponent(currentUrl.searchParams.get('redirect_to')) : window.location.href;
+		loginClient.authenticate({ redirectUrl, force: !!forceLogin })
 		.then(result => {
-			window.location.replace(redirectUrl);
+			window.location.assign(redirectUrl);
 		}).catch(async error => {
-			loginClickNextButton.classList.toggle('loader');
-			console.log('Failed to redirect user to SSO login:', error.code);
-			if (error.code !== 'InvalidConnection' && error.code !== 'InvalidTenantIdentifier') {
-				return;
-			}
-			if (!connectionId) {
-				window.location.assign(`<?php echo esc_url(wp_login_url()); ?>?login=${userEmailAddress}`);
-				return;
-			}
-
-			var connectionConfigurationWarning = document.getElementById('configurationConfigurationWarning');
-			if (connectionConfigurationWarning && connectionConfigurationWarning.classList.contains('hidden')) {
-				connectionConfigurationWarning.classList.toggle('hidden');
-			}
-
+			console.error('Failed to redirect user to managed login:', error.code);
 		});
 		return false;
 	}
 
+	function wordpressLogin() {
+		const currentUrl = new URL(window.location.href);
+
+		const userEmailAddress = (document.getElementById('userLogin').value || '');
+		if (currentUrl.searchParams.get('login')) {
+			return true;
+		}
+
+		window.location.assign(`<?php echo esc_url(wp_login_url()); ?>?login=${userEmailAddress}`);
+		return false;
+	}
+
 	function checkIfLoaded() {
 		var script = document.querySelector('#authress_sso_login_login_sdk-js');
 		if (!script || !authress) {
 			return;
 		}
 
 		clearInterval(checkHandler);
+
 		const authressLoginHostUrl = "<?php echo esc_attr($authress_options->get('customDomain')); ?>";
 		const applicationId = "<?php echo esc_attr($authress_options->get('applicationId')); ?>";
 		const loginClient = new authress.LoginClient({ authressLoginHostUrl, applicationId });
@@ -58,21 +62,25 @@ function checkIfLoaded() {
 		loginClient.userSessionExists().then(userIsLoggedIn => {
 			if (userIsLoggedIn) {
 				console.log('User is logged in.', redirectUrl);
-				window.location.replace(redirectUrl);
+				window.location.assign(redirectUrl);
+			}
+			if (!currentUrl.searchParams.get('wle') || currentUrl.searchParams.get('nonce')) {
+				redirectToAuthressManagedLogin();
+				return;
 			}
 		}).catch(error => {
 			console.error('Failed to check if user is logged in:', error);
 		});
 	};
-	var checkHandler = setInterval(checkIfLoaded, 100);
+	var checkHandler = setInterval(checkIfLoaded, 10);
 </script>
 
 <div>
-	<?php if (!isset($_REQUEST['action'])) : ?>
+	<?php if ($showWordPressLogin) : ?>
 		<div style="display: flex; flex-wrap: wrap; justify-content: center;">
-			<form name="loginform-custom" id="loginform-custom" action="<?php echo esc_url(wp_login_url()); ?>?<?php echo esc_attr($loginFlowIsPassword ? 'login=' : ''); ?>" method="post" onsubmit="return loginWithSsoDomain(null, 'loginClickNextButtonLoader')">
+			<form name="loginform-custom" id="loginform-custom" action="<?php echo esc_url(wp_login_url()); ?>?<?php echo esc_attr($loginFlowIsPassword ? 'login=' : ''); ?>" method="post" onsubmit="return wordpressLogin()">
 				<p class="login-username">
-					<label for="userLogin">Enter your username or email</label>
+					<label for="userLogin">Enter your username</label>
 					<input type="text" autocomplete="username" name="log" id="userLogin" class="input"
 						value="<?php echo isset($_GET['login']) ? esc_attr(sanitize_text_field(wp_unslash($_GET['login']))) : ''; ?>" size="20" />
 				</p>
@@ -96,33 +104,22 @@ function checkIfLoaded() {
 				</p>
 
 				<br>
-				<?php if ($loginFlowIsPassword) : ?>
-					<p id="nav" style="display: block">
-						<a href="?">← Login with identity provider</a>
-					</p>
-				<?php endif ?>
 			</form>
 			<form class="sign-in-button-panel-wrapper">
 				<div class="sign-in-button-panel">
-					<button class="sign-in-button google" onclick="return loginWithSsoDomain('google', 'googleButton')">
+					<button class="sign-in-button google" onclick="return redirectToAuthressManagedLogin(true)">
 					<div style="display: flex; align-items: center" id="googleButton">
-						<svg width="21" height="21" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 48 48"><defs><path id="a" d="M44.5 20H24v8.5h11.8C34.7 33.9 30.1 37 24 37c-7.2 0-13-5.8-13-13s5.8-13 13-13c3.1 0 5.9 1.1 8.1 2.9l6.4-6.4C34.6 4.1 29.6 2 24 2 11.8 2 2 11.8 2 24s9.8 22 22 22c11 0 21-8 21-22 0-1.3-.2-2.7-.5-4z"/></defs><clipPath id="b"><use xlink:href="#a" overflow="visible"/></clipPath><path clip-path="url(#b)" fill="#FBBC05" d="M0 37V11l17 13z"/><path clip-path="url(#b)" fill="#EA4335" d="M0 11l17 13 7-6.1L48 14V0H0z"/><path clip-path="url(#b)" fill="#34A853" d="M0 37l30-23 7.9 1L48 0v48H0z"/><path clip-path="url(#b)" fill="#4285F4" d="M48 48L17 24l-4-3 35-10z"/></svg>
-						<span style="padding-left: 0.5rem">Continue with Google</span>
-						</div>
-					</button>
-
-					<button class="sign-in-button github" onclick="return loginWithSsoDomain('github', 'githubButton')">
-						<div style="display: flex; align-items: center" id="githubButton">
-							<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><path d="M12 0c-6.626 0-12 5.373-12 12 0 5.302 3.438 9.8 8.207 11.387.599.111.793-.261.793-.577v-2.234c-3.338.726-4.033-1.416-4.033-1.416-.546-1.387-1.333-1.756-1.333-1.756-1.089-.745.083-.729.083-.729 1.205.084 1.839 1.237 1.839 1.237 1.07 1.834 2.807 1.304 3.492.997.107-.775.418-1.305.762-1.604-2.665-.305-5.467-1.334-5.467-5.931 0-1.311.469-2.381 1.236-3.221-.124-.303-.535-1.524.117-3.176 0 0 1.008-.322 3.301 1.23.957-.266 1.983-.399 3.003-.404 1.02.005 2.047.138 3.006.404 2.291-1.552 3.297-1.23 3.297-1.23.653 1.653.242 2.874.118 3.176.77.84 1.235 1.911 1.235 3.221 0 4.609-2.807 5.624-5.479 5.921.43.372.823 1.102.823 2.222v3.293c0 .319.192.694.801.576 4.765-1.589 8.199-6.086 8.199-11.386 0-6.627-5.373-12-12-12z"/></svg>
-							<span style="padding-left: 0.5rem">Continue with GitHub</span>
+						<svg width="24px" height="24px" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+							<path d="M8 16C8 18.8284 8 20.2426 8.87868 21.1213C9.51998 21.7626 10.4466 21.9359 12 21.9827M8 8C8 5.17157 8 3.75736 8.87868 2.87868C9.75736 2 11.1716 2 14 2H15C17.8284 2 19.2426 2 20.1213 2.87868C21 3.75736 21 5.17157 21 8V10V14V16C21 18.8284 21 20.2426 20.1213 21.1213C19.3529 21.8897 18.175 21.9862 16 21.9983" stroke="#1C274C" stroke-width="1.5" stroke-linecap="round"/>
+							<path d="M3 9.5V14.5C3 16.857 3 18.0355 3.73223 18.7678C4.46447 19.5 5.64298 19.5 8 19.5M3.73223 5.23223C4.46447 4.5 5.64298 4.5 8 4.5" stroke="#1C274C" stroke-width="1.5" stroke-linecap="round"/>
+							<path d="M6 12L15 12M15 12L12.5 14.5M15 12L12.5 9.5" stroke="#1C274C" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+						</svg>
+						<span style="padding-left: 0.5rem">Log in with SSO</span>
 						</div>
 					</button>
 				</div>
 			</form>
 		</div>
-		<div id="configurationConfigurationWarning" class="message hidden">
-			This connection is not yet configured. Navigate to <a href="https://authress.io/app/#/setup?focus=connections" target="_blank">Authress management portal</a> to enable it.
-		</div>
 	<?php else : ?>
 		<div></div>
 	<?php endif; ?>