Configuring Logout when using miniOrange OAuth / OpenID Connect Server on Wordpress

[Michael Collins]

We've implemented SSO using the Wordpress plugin from miniOrange.

 https://invisioncommunity.com/4guides/members-and-groups/social-sign-in/wordpress-r304/ 

We've managed to get it working effectively, except for a glitch when logging out.

You can see from the attached screenshot that users are being directed to a Logout URL, but then seem to be being logged back in and directed to where they came from. To the user, it just seems as if they cannot log out.

We spoke to the MiniOrange support, who came back with the following:

"Can you please confirm whether the OIDC single logout URL has been properly set up in the Invision Community app?  Additionally, I wanted to bring your attention to the option of adding the "post_logout_redirect_uri" parameter, which allows for the redirection of users after logout. The OIDC logout URL should be in the format:
https://your_site_name.com/wp-json/moserver/logout?post_logout_redirect_uri=https://enter_url_where_you_want_users_to_redirect_after_logout
Could you please verify whether the OIDC single logout URL has been configured correctly in the Invision Community App? If it is not yet set up, I kindly request that you update it."

 

We were unable to see an OIDC single logout URL field anywhere in the admin. After going back to miniOrange support, today they suggested contacting Invision Support for assistance. Please could you shed some light on this.

 

Edited May 16, 2023 by Michael Collins

[Marc Stridgen]

We would need to look further into this for you, however the access details on file appear to be incorrect or missing. Could you please update these details by visiting your client area, selecting the relevant purchase, then clicking "Review/Update Access Information" under the "Stored Access Information" section. 

We look forward to further assisting you. 

 

[Michael Collins]

Thanks Marc.

We have this installed on our dev environment only at the moment - which is on a separate server. I've updated the access details to reflect that - including SFTP and Admin CP.

Please let me know if there is anything else you need from me.

Thanks once again.

[Marc Stridgen]

Speaking to my colleague the issue here is that OAuth doesn't have single logout, unfortunately, so it not something you would be able to implement.

[Michael Collins]

HI Marc. This doesn't really add up. The issue isn't that there is no single logout - it's that if you try to logout of the forum, it appears that Wordpress then logs you in again - all without any user interaction. See the above screen shot of 301/203 redirects.

As miniOrange support have referred us to you, can you give us something with which to go back to miniOrange support, please?

Aside from the logout issue - we have this working to our satisfaction. We just need to get this resolved.

Edited May 23, 2023 by Michael Collins

[Marc Stridgen]

Visiting your page, you dont actually appear to be using our OAuth solution to sign in there. Do you perhaps have another SSO solution installed?

[Michael Collins]

You are looking at the dev site specified in our access settings, aren't you?

This is the setup we've implemented:

 

[Marc Stridgen]

Ah, no problem. However the same question would apply here. Do you have anything else set up, other than this?

[Michael Collins]

@Marc Stridgen, I would really like to have a discussion face to face on a call where we can show you our issue directly. Can we set this up? We're happy to pay for the support. 

[Marc Stridgen]

We do not provide face to face support unfortunately. Feel free to record the screen if needed, if you need to emphasise more what is happening  there

[Michael Collins]

Thanks Marc. We are in the process of setting up a Google Meet with miniOrange Support. We will video the call  - which will include a screen share of the problem being demonstrated. Hopefully that will help to resolve this issue.

[Marc Stridgen]

Just a screen record of the issue will do for the time being, rather than sharing a whole meeting

[Michael Collins]

OK - will do. I will sort that this afternoon.

Kind regards

Ben

[Michael Collins]

HI @Marc Stridgen

We've just had a support call with MiniOrange and demonstrated the issue. From their POV, the plugin is working as intended.

Is there a way to add a custom logout url redirect endpoint for the OAuth client in Invision?

Because what is currently happening is that Invision is logging the user out, then redirecting to Wordpress, where a valid WP session is detected and the OAuth Server is then logging the user back into Invision.

If we could have a custom endpoint after the Invision logout, we could then ensure that the user is logged out of Wordpress as well - and our problem would be solved.

I'm about to go into two consecutive meetings, but I will add a video later today to demonstrate what is happening - to illustrate the above request.

Edited May 25, 2023 by Michael Collins

[balazsp]

@Michael Collins

It's just an idea, have not tested it yet, but if you create a .htaccess redirect rule for

https://test.com/forum/logout/  to  /logout.php

and the php script has something like

<?php
// Set the expiration time in the past to delete the cookie
$expiration = time() - 3600; // Set it to an hour ago

// Retrieve all cookies for the domain
$cookies = $_COOKIE;

// Loop through each cookie and delete it
foreach ($cookies as $cookie_name => $cookie_value) {
    // Set the cookie with an expiration time in the past
    setcookie($cookie_name, '', $expiration, '/', 'test.com');
    // Also unset the cookie from the $_COOKIE array
    unset($_COOKIE[$cookie_name]);
}
?> 

technically it would log the user out of wordpress AND invision forum too.

Obviously you can narrow the cookies down to wordpress and invision cookies only. 

[Marc Stridgen]

21 hours ago, Michael Collins said:

HI @Marc Stridgen

We've just had a support call with MiniOrange and demonstrated the issue. From their POV, the plugin is working as intended.

Is there a way to add a custom logout url redirect endpoint for the OAuth client in Invision?

Because what is currently happening is that Invision is logging the user out, then redirecting to Wordpress, where a valid WP session is detected and the OAuth Server is then logging the user back into Invision.

If we could have a custom endpoint after the Invision logout, we could then ensure that the user is logged out of Wordpress as well - and our problem would be solved.

I'm about to go into two consecutive meetings, but I will add a video later today to demonstrate what is happening - to illustrate the above request.

I understand what you are saying there, however we do not support the logoff endpoint

[Michael Collins]

@Marc Stridgen, Mike Collins here. You've been mainly speaking to our developer Ben.  I'm not really getting much from your answers and replies here. So are you saying that our issue is completely normal and expected or that we have some strange unique usecase that you don't cover?

@balazsp thank you for offering that, I appreciate the help.

[Marc Stridgen]

2 hours ago, Michael Collins said:

So are you saying that our issue is completely normal and expected or that we have some strange unique usecase that you don't cover?

Yes that is correct. We do not offer OAauth signout capability. I understand that the wordpress plugin there does, however its not part of OAuth. Its something they are providing themselves.

[Michael Collins]

So you provide instructions to have a single sign on but there is no possibility to sign out? That seems pretty strange doesn't it?

[Marc Stridgen]

1 hour ago, Michael Collins said:

So you provide instructions to have a single sign on but there is no possibility to sign out? That seems pretty strange doesn't it?

We provide the ability to connect to a logon method via oauth, however dont provide a method to sign out of the oauth source no

[Michael Collins]

Is there any plan to change this? We have found a workaround for now but I would prefer not to have custom code handling these things where possible. It seems like it is a missing part of the system.

[Marc Stridgen]

There are no plans for this at the present time

[Michael Collins]

OK, thanks.

I would also note that Invision's recommended provider for WordPress SSO, MiniOrange, is incredibly expensive as it doesn't have a pricing structure that considers membership sites' typical use cases for connecting to forums like Invision.

You pay MiniOrange per WordPress user rather than users that have signed-in in a certain time period. This means that the cost goes up forever unless you start deleting users from the WordPress database. So to me, it doesn't seem like a great fit and if there was an alternative out there that Invision would recommend it would be good to know.

[Marc Stridgen]

As we provide the ability to use OAuth 2, then it would be any OAuth 2 provider really. Im not sure of the names of any specific ones for wordpress myself, but Im sure there are likely others