Jump to content

Configuring Logout when using miniOrange OAuth / OpenID Connect Server on Wordpress


Recommended Posts

We've implemented SSO using the Wordpress plugin from miniOrange.

 https://invisioncommunity.com/4guides/members-and-groups/social-sign-in/wordpress-r304/ 

We've managed to get it working effectively, except for a glitch when logging out.

You can see from the attached screenshot that users are being directed to a Logout URL, but then seem to be being logged back in and directed to where they came from. To the user, it just seems as if they cannot log out.

We spoke to the MiniOrange support, who came back with the following:

"Can you please confirm whether the OIDC single logout URL has been properly set up in the Invision Community app?  Additionally, I wanted to bring your attention to the option of adding the "post_logout_redirect_uri" parameter, which allows for the redirection of users after logout. The OIDC logout URL should be in the format:
https://your_site_name.com/wp-json/moserver/logout?post_logout_redirect_uri=https://enter_url_where_you_want_users_to_redirect_after_logout
Could you please verify whether the OIDC single logout URL has been configured correctly in the Invision Community App? If it is not yet set up, I kindly request that you update it."

 
We were unable to see an OIDC single logout URL field anywhere in the admin. After going back to miniOrange support, today they suggested contacting Invision Support for assistance. Please could you shed some light on this.
 

Could contain: Page, Text, Chart, Plot, File

Could contain: Page, Text, Chart, Plot, File

Edited by Michael Collins
Link to comment
Share on other sites

We would need to look further into this for you, however the access details on file appear to be incorrect or missing. Could you please update these details by visiting your client area, selecting the relevant purchase, then clicking "Review/Update Access Information" under the "Stored Access Information" section. 

We look forward to further assisting you. 

 

Link to comment
Share on other sites

Thanks Marc.

We have this installed on our dev environment only at the moment - which is on a separate server. I've updated the access details to reflect that - including SFTP and Admin CP.

Please let me know if there is anything else you need from me.

Thanks once again.

Link to comment
Share on other sites

HI Marc. This doesn't really add up. The issue isn't that there is no single logout - it's that if you try to logout of the forum, it appears that Wordpress then logs you in again - all without any user interaction. See the above screen shot of 301/203 redirects.

As miniOrange support have referred us to you, can you give us something with which to go back to miniOrange support, please?

Aside from the logout issue - we have this working to our satisfaction. We just need to get this resolved.

Edited by Michael Collins
Link to comment
Share on other sites

HI @Marc Stridgen

We've just had a support call with MiniOrange and demonstrated the issue. From their POV, the plugin is working as intended.

Is there a way to add a custom logout url redirect endpoint for the OAuth client in Invision?

Because what is currently happening is that Invision is logging the user out, then redirecting to Wordpress, where a valid WP session is detected and the OAuth Server is then logging the user back into Invision.

If we could have a custom endpoint after the Invision logout, we could then ensure that the user is logged out of Wordpress as well - and our problem would be solved.

I'm about to go into two consecutive meetings, but I will add a video later today to demonstrate what is happening - to illustrate the above request.

Edited by Michael Collins
Link to comment
Share on other sites

@Michael Collins

It's just an idea, have not tested it yet, but if you create a .htaccess redirect rule for

https://test.com/forum/logout/  to  /logout.php

and the php script has something like

<?php
// Set the expiration time in the past to delete the cookie
$expiration = time() - 3600; // Set it to an hour ago

// Retrieve all cookies for the domain
$cookies = $_COOKIE;

// Loop through each cookie and delete it
foreach ($cookies as $cookie_name => $cookie_value) {
    // Set the cookie with an expiration time in the past
    setcookie($cookie_name, '', $expiration, '/', 'test.com');
    // Also unset the cookie from the $_COOKIE array
    unset($_COOKIE[$cookie_name]);
}
?> 

technically it would log the user out of wordpress AND invision forum too.

Obviously you can narrow the cookies down to wordpress and invision cookies only. 

Link to comment
Share on other sites

21 hours ago, Michael Collins said:

HI @Marc Stridgen

We've just had a support call with MiniOrange and demonstrated the issue. From their POV, the plugin is working as intended.

Is there a way to add a custom logout url redirect endpoint for the OAuth client in Invision?

Because what is currently happening is that Invision is logging the user out, then redirecting to Wordpress, where a valid WP session is detected and the OAuth Server is then logging the user back into Invision.

If we could have a custom endpoint after the Invision logout, we could then ensure that the user is logged out of Wordpress as well - and our problem would be solved.

I'm about to go into two consecutive meetings, but I will add a video later today to demonstrate what is happening - to illustrate the above request.

I understand what you are saying there, however we do not support the logoff endpoint

Link to comment
Share on other sites

@Marc Stridgen, Mike Collins here. You've been mainly speaking to our developer Ben.  I'm not really getting much from your answers and replies here. So are you saying that our issue is completely normal and expected or that we have some strange unique usecase that you don't cover?

@balazsp thank you for offering that, I appreciate the help.

Link to comment
Share on other sites

2 hours ago, Michael Collins said:

So are you saying that our issue is completely normal and expected or that we have some strange unique usecase that you don't cover?

Yes that is correct. We do not offer OAauth signout capability. I understand that the wordpress plugin there does, however its not part of OAuth. Its something they are providing themselves.

Link to comment
Share on other sites

1 hour ago, Michael Collins said:

So you provide instructions to have a single sign on but there is no possibility to sign out? That seems pretty strange doesn't it?

We provide the ability to connect to a logon method via oauth, however dont provide a method to sign out of the oauth source no

Link to comment
Share on other sites

OK, thanks.

I would also note that Invision's recommended provider for WordPress SSO, MiniOrange, is incredibly expensive as it doesn't have a pricing structure that considers membership sites' typical use cases for connecting to forums like Invision.

You pay MiniOrange per WordPress user rather than users that have signed-in in a certain time period. This means that the cost goes up forever unless you start deleting users from the WordPress database. So to me, it doesn't seem like a great fit and if there was an alternative out there that Invision would recommend it would be good to know.

Link to comment
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...