Skip to content

OIDC Integration#180

Merged
figureone merged 9 commits into
uhm-coe:masterfrom
lineacreative:oidc-v3
Dec 2, 2025
Merged

OIDC Integration#180
figureone merged 9 commits into
uhm-coe:masterfrom
lineacreative:oidc-v3

Conversation

@lc-sam

@lc-sam lc-sam commented Nov 19, 2025

Copy link
Copy Markdown
Contributor

Hello,

My team uses this plugin for our University of California customers. One of the collages we work with is transitioning away from CAS and moving towards OIDC as their recommended SSO method. We're hoping to see an OIDC module within the Authorizer plugin in the future.

The OIDC library I picked for this integration was https://github.com/jumbojett/OpenID-Connect-PHP as it seems to be the most widely used library, most contributors, etc. Majority of the heavy lifting is off-loaded to the library. The rest of the code changes within the plugin attempt to mirror the existing oAuth2 module as closely as possible.

In the interest of transparency, I'll note the code was mostly written within Cursor (AI agent) as we're experimenting with different AI tools. The code was reviewed by two of our developers and Q/Aed by myself, however we're by no means SSO, OIDC, or security specialists.

I have tested core functionality of the OIDC module specific to our customer's IdP and it works as expected. I have not tested:

  • With multiple OIDC configurations or on WordPress Multisite
  • With other common IdPs like Okta, Azure, etc

Let me know if I can answer any questions. Our availability for adjustments varies dependent on client work volume, but if there are changes you'd like to see before considering this type of feature let me know.

Thanks!
-Sam

lc-sam and others added 7 commits November 18, 2025 16:58
- Integrated OpenID Connect (OIDC) authentication, allowing users to log in using OIDC providers.
- Added OIDC settings to the admin page, including issuer URL, client ID, client secret, and various attributes.
- Updated JavaScript to handle OIDC tab visibility and login button.
- Included necessary dependencies in composer.json and updated the lock file.
- Enhanced the authentication process to validate OIDC credentials and manage user data accordingly.
- Updated documentation and comments for clarity on new OIDC features.
- Added functionality to manage multiple OIDC servers
- Updated admin settings to include fields for custom labels, issuer URLs, client IDs, and other attributes for each OIDC server.
- Implemented missing auto-login options for OIDC, enabling immediate redirection to specified OIDC servers.
- Enhanced authentication logic to handle multiple OIDC server IDs and associated settings.
- Improved session management for OIDC login and logout processes.
… email optional when this option is enabled
@figureone

Copy link
Copy Markdown
Member

Awesome, thanks for the contribution! We'll review and let you know if we have any feedback.

I'd like to set up an OIDC server to test this functionality, but it might be easier to just get me a sample login on UC System if there's a process for that. We also might be able to just test using OIDC with Google Logins, I haven't tried that before.

@lc-sam

lc-sam commented Nov 20, 2025

Copy link
Copy Markdown
Contributor Author

Got it, I'll check with the UC IT folks. There's typically a good amount of hurdles in regard to creating an account, but I'll see if they're open to some type of restricted temporary login.

@figureone figureone merged commit 5f91f3b into uhm-coe:master Dec 2, 2025
@figureone

Copy link
Copy Markdown
Member

Hi guys, sorry I added my revision commits to master instead of this pull request so you might need to open a new PR for additional revisions.

This looks good, I only have one question about the OIDC logout implementation:
https://github.com/uhm-coe/authorizer/pull/180/files#diff-dd2ab07043772651047a0cad5cbcf086d77635d6d27f8b6982f354f704ecf045R2060-R2084
(That link may be confusing, since it's a large diff it's collapsed by default, so here is the same code block already merged into master: https://github.com/uhm-coe/authorizer/blob/master/src/authorizer/class-authentication.php#L2080-L2102)

PHP sessions by default only have a lifetime of 24 minutes so we may need to avoid relying on $_SESSION['oidc_id_token'] that was set during login because it may no longer be available. Perhaps switch to setting a usermeta value instead?

Let me know your thoughts

@ericstroo

Copy link
Copy Markdown
Contributor

@figureone Good notes; we captured back your changes and have made some revisions per the notes. I'll open up a new PR to incorporate those changes.

@lc-sam lc-sam mentioned this pull request Dec 5, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants