From 404c3cd5b05654c2f90837c947cccf7b5bd6b9dd Mon Sep 17 00:00:00 2001 From: Philippe Signoret Date: Fri, 6 Apr 2018 21:17:51 +0200 Subject: [PATCH] Add option to do full logout Adds a new option to perform a full logout of Azure AD when logging out of WordPress. Fixes #163 and fixes #184. --- Settings.php | 7 +++++++ SettingsPage.php | 20 ++++++++++++++++++++ aad-sso-wordpress.php | 23 +++++++++++++++++++++-- 3 files changed, 48 insertions(+), 2 deletions(-) diff --git a/Settings.php b/Settings.php index 5f39cf3..55ef268 100644 --- a/Settings.php +++ b/Settings.php @@ -104,6 +104,13 @@ class AADSSO_Settings { */ public $default_wp_role = null; + /** + * Indicates whether a logout of WordPress should also trigger a logout of Azure AD. + * + * @var boolean Whether or not logging out of WordPress triggers logging out of Azure AD. + */ + public $enable_full_logout = false; + /** * @var string The OpenID Connect configuration discovery endpoint. */ diff --git a/SettingsPage.php b/SettingsPage.php index 328b67a..802e515 100644 --- a/SettingsPage.php +++ b/SettingsPage.php @@ -248,6 +248,14 @@ public function register_settings() { 'aadsso_settings_page', // page 'aadsso_settings_general' // section ); + + add_settings_field( + 'enable_full_logout', // id + __( 'Enable full logout', 'aad-sso-wordpress' ), // title + array( $this, 'enable_full_logout_callback' ), // callback + 'aadsso_settings_page', // page + 'aadsso_settings_general' // section + ); add_settings_field( 'field_to_match_to_upn', // id @@ -374,6 +382,7 @@ public function sanitize_settings( $input ) { 'enable_auto_forward_to_aad', 'enable_aad_group_to_wp_role', 'match_on_upn_alias', + 'enable_full_logout', ); foreach ( $boolean_settings as $boolean_setting ) { 
@@ -646,6 +655,17 @@ public function openid_configuration_endpoint_callback() { ); } + /** + * Renders the `enable_full_logout` checkbox control. + */ + public function enable_full_logout_callback() { + $this->render_checkbox_field( + 'enable_full_logout', + __( 'Do a full logout of Azure AD when logging out of WordPress.', + 'aad-sso-wordpress' ) + ); + } + /** * Renders a simple text field and populates it with the setting value. * diff --git a/aad-sso-wordpress.php b/aad-sso-wordpress.php index e54fd54..c57daed 100644 --- a/aad-sso-wordpress.php +++ b/aad-sso-wordpress.php @@ -5,7 +5,7 @@ Plugin URI: http://github.com/psignoret/aad-sso-wordpress Description: Allows you to use your organization's Azure Active Directory user accounts to log in to WordPress. If your organization is using Office 365, your user accounts are already in Azure Active Directory. This plugin uses OAuth 2.0 to authenticate users, and the Azure Active Directory Graph to get group membership and other details. Author: Philippe Signoret -Version: 0.6.3 +Version: 0.6.4 Author URI: https://www.psignoret.com/ Text Domain: aad-sso-wordpress Domain Path: /languages/ @@ -83,7 +83,7 @@ public function __construct( $settings ) { add_action( 'login_form', array( $this, 'print_login_link' ) ) ; // Clear session variables when logging out - add_action( 'wp_logout', array( $this, 'clear_session' ) ); + add_action( 'wp_logout', array( $this, 'logout' ) ); // If configured, bypass the login form and redirect straight to AAD add_action( 'login_init', array( $this, 'save_redirect_and_maybe_bypass_login' ), 20 ); @@ -348,6 +348,10 @@ function authenticate( $user, $username, $password ) { ); } + if ( is_a( $user, 'WP_User' ) ) { + $_SESSION['aadsso_signed_in_with_azuread'] = true; + } + return $user; } 
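Review bot: In the `authenticate()` hunk (`@@ -348,6 +348,10 @@`), the marker that later decides whether Azure AD is signed out is stored in `$_SESSION`, which is tied to the PHP session cookie rather than to the WordPress login. If that PHP session has expired or been replaced by the time the user logs out (WordPress auth cookies typically outlive a PHP session), `logout()` finds no `aadsso_signed_in_with_azuread` key and skips the Azure AD sign-out even though `enable_full_logout` is on, so the option fails open. Consider keeping the marker somewhere that lives as long as the WordPress login, or at least add a comment above the assignment such as `// Flag lives in the PHP session; if that session is gone at logout, no Azure AD sign-out happens.` The body of `authenticate()` starts outside the hunk, so it cannot be confirmed from here whether `$user` can already be a `WP_User` on entry and be marked without an Azure AD sign-in.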
@@ -563,6 +567,21 @@ function clear_session() { session_destroy(); } + /** + * Clears the current the session, and triggers a full Azure AD logout if needed. + */ + function logout() { + + $signed_in_with_azuread = isset( $_SESSION['aadsso_signed_in_with_azuread'] ) + && true === $_SESSION['aadsso_signed_in_with_azuread']; + $this->clear_session(); + + if ( $signed_in_with_azuread && $this->settings->enable_full_logout ) { + wp_redirect( $this->get_logout_url() ); + die(); + } + } + /*** Settings ***/ /**
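Review bot: `die()` in `logout()` ends the request inside the `wp_logout` action, so any `wp_logout` callback that would run after this one (another plugin's logout cleanup, for instance) is skipped whenever the full-logout redirect fires. The hook is registered in the `@@ -83,7 +83,7 @@` hunk at the default priority; registering it to run last, `add_action( 'wp_logout', array( $this, 'logout' ), PHP_INT_MAX );`, lets the other handlers finish before the redirect. `get_logout_url()` is defined outside this diff, so the redirect target cannot be checked here. The new docblock also has a doubled word: `Clears the current the session` should read `Clears the current session`.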