Fix SLO callback URL #479
Fix SLO callback URL #479
Conversation
| @@ -6,7 +6,7 @@ | |||
|
|
|||
| $logout_url = wp_logout_url(); | |||
| $logout_url = html_entity_decode( $logout_url ); | |||
| $logout_url = add_query_arg( 'redirect_to', get_permalink(), $logout_url ); | |||
| $logout_url = add_query_arg( 'redirect_to', ( get_the_ID() ? get_permalink() : wp_login_url() ), $logout_url ); | |||
There was a problem hiding this comment.
please explain the logic behind this line
There was a problem hiding this comment.
get_the_ID() checks if we're on a page/post, which means get_permalink() will return something useful. If not, we send them to the login page where Lock will appear.
| @@ -23,7 +23,10 @@ | |||
| domain:'<?php echo sanitize_text_field( $this->a0_options->get( 'domain' ) ); ?>' | |||
| }); | |||
|
|
|||
| var sloOptions = { 'responseType' : 'token id_token', 'redirectUri' : '<?php echo home_url() ?>' }; | |||
There was a problem hiding this comment.
can this be considered a breaking change?
There was a problem hiding this comment.
No. checkSession just needs a valid callback, it doesn't actually send the browser there.
|
@lbalmaceda - |
|
Alright. I'm not so convinced though. Like I said, this looks like something we should "help fix" from the documentation side. A good doc on "how to achieve SLO" would mention this url needs to be set as a requirement, here and whitelisted in the tenant. That's what most of the SDKs do AFAIK. But again, I'm not going to block you for this. Your call :) |
Reported here - https://wordpress.org/support/topic/sso-logout-issues/
SLO is using
home_url(), which some sites don't have in the "Allowed Callback URLs" field for the Application. Changed to the main Auth0 callback URL which is always there. Callback is not used as a redirect so does not need to change for Implicit, just needs to be valid.Also adds SLO check to the admin + login pages and changes the redirect URL used after logout to point to an external page if there is one or the wp-login.php page.