Michael Collins Posted May 16 (edited)

We've implemented SSO using the WordPress plugin from miniOrange. https://invisioncommunity.com/4guides/members-and-groups/social-sign-in/wordpress-r304/

We've managed to get it working effectively, except for a glitch when logging out. You can see from the attached screenshot that users are being directed to a Logout URL, but then seem to be being logged back in and directed to where they came from. To the user, it just seems as if they cannot log out.

We spoke to the miniOrange support, who came back with the following:

"Can you please confirm whether the OIDC single logout URL has been properly set up in the Invision Community app? Additionally, I wanted to bring your attention to the option of adding the "post_logout_redirect_uri" parameter, which allows for the redirection of users after logout. The OIDC logout URL should be in the format: https://your_site_name.com/wp-json/moserver/logout?post_logout_redirect_uri=https://enter_url_where_you_want_users_to_redirect_after_logout Could you please verify whether the OIDC single logout URL has been configured correctly in the Invision Community App? If it is not yet set up, I kindly request that you update it."

We were unable to see an OIDC single logout URL field anywhere in the admin. After going back to miniOrange support, today they suggested contacting Invision Support for assistance. Please could you shed some light on this.

Edited May 16 by Michael Collins

Marc Stridgen Posted May 17

We would need to look further into this for you, however the access details on file appear to be incorrect or missing. Could you please update these details by visiting your client area, selecting the relevant purchase, then clicking "Review/Update Access Information" under the "Stored Access Information" section. We look forward to further assisting you.

Michael Collins (Author) Posted May 17

Thanks Marc. We have this installed on our dev environment only at the moment - which is on a separate server. I've updated the access details to reflect that - including SFTP and Admin CP. Please let me know if there is anything else you need from me. Thanks once again.

Marc Stridgen Posted May 17

Speaking to my colleague, the issue here is that OAuth doesn't have single logout, unfortunately, so it is not something you would be able to implement.

Michael Collins (Author) Posted Tuesday at 10:46 AM (edited)

Hi Marc. This doesn't really add up. The issue isn't that there is no single logout - it's that if you try to log out of the forum, it appears that WordPress then logs you in again - all without any user interaction. See the above screenshot of 301/203 redirects.

As miniOrange support have referred us to you, can you give us something with which to go back to miniOrange support, please? Aside from the logout issue - we have this working to our satisfaction. We just need to get this resolved.

Edited Tuesday at 10:46 AM by Michael Collins

Marc Stridgen Posted Tuesday at 10:55 AM

Visiting your page, you don't actually appear to be using our OAuth solution to sign in there. Do you perhaps have another SSO solution installed?

Michael Collins (Author) Posted Tuesday at 12:16 PM

You are looking at the dev site specified in our access settings, aren't you? This is the setup we've implemented:

Marc Stridgen Posted Tuesday at 01:13 PM

Ah, no problem. However the same question would apply here. Do you have anything else set up, other than this?

Michael Collins (Author) Posted Tuesday at 04:01 PM

@Marc Stridgen, I would really like to have a discussion face to face on a call where we can show you our issue directly. Can we set this up? We're happy to pay for the support.

Marc Stridgen Posted Wednesday at 07:29 AM

We do not provide face to face support unfortunately. Feel free to record the screen if needed, if you need to emphasise more what is happening there.

Michael Collins (Author) Posted Wednesday at 12:59 PM

Thanks Marc. We are in the process of setting up a Google Meet with miniOrange Support. We will video the call - which will include a screen share of the problem being demonstrated. Hopefully that will help to resolve this issue.

Marc Stridgen Posted Wednesday at 01:09 PM

Just a screen record of the issue will do for the time being, rather than sharing a whole meeting.

Michael Collins (Author) Posted Wednesday at 01:17 PM

OK - will do. I will sort that this afternoon.

Kind regards
Ben

Michael Collins (Author) Posted Thursday at 11:47 AM (edited)

Hi @Marc Stridgen

We've just had a support call with miniOrange and demonstrated the issue. From their POV, the plugin is working as intended.

Is there a way to add a custom logout URL redirect endpoint for the OAuth client in Invision? Because what is currently happening is that Invision is logging the user out, then redirecting to WordPress, where a valid WP session is detected and the OAuth Server is then logging the user back into Invision. If we could have a custom endpoint after the Invision logout, we could then ensure that the user is logged out of WordPress as well - and our problem would be solved.

I'm about to go into two consecutive meetings, but I will add a video later today to demonstrate what is happening - to illustrate the above request.

Edited Thursday at 11:49 AM by Michael Collins

balazsp Posted Thursday at 11:36 PM

@Michael Collins It's just an idea, have not tested it yet, but if you create a .htaccess redirect rule for https://test.com/forum/logout/ to /logout.php and the PHP script has something like

```php
<?php
// Set the expiration time in the past to delete the cookie
$expiration = time() - 3600; // Set it to an hour ago

// Retrieve all cookies for the domain
$cookies = $_COOKIE;

// Loop through each cookie and delete it
foreach ($cookies as $cookie_name => $cookie_value) {
    // Set the cookie with an expiration time in the past
    setcookie($cookie_name, '', $expiration, '/', 'test.com');
    // Also unset the cookie from the $_COOKIE array
    unset($_COOKIE[$cookie_name]);
}
?>
```

technically it would log the user out of WordPress AND Invision forum too. Obviously you can narrow the cookies down to WordPress and Invision cookies only.

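A narrower variant of the logout.php idea above, as an added example that is not part of any post in this thread: it expires only cookies matching known prefixes and then redirects to the logout URL format quoted in the first post, accepting only allow-listed return addresses. The `test.com` host, the `ips4_` prefix (assumed to be the Invision default), the `return` query parameter and the allow-list are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed values, not taken from a real deployment: adjust all four.
const COOKIE_DOMAIN   = 'test.com';
const COOKIE_PREFIXES = ['wordpress_', 'ips4_'];   // WordPress login cookies; assumed Invision prefix
const WP_LOGOUT_URL   = 'https://test.com/wp-json/moserver/logout';
const ALLOWED_RETURNS = ['https://test.com/', 'https://test.com/forum/'];

/** Names of the session cookies to expire; unrelated cookies are left alone. */
function sessionCookieNames(array $cookies): array
{
    $matches = [];
    foreach (array_keys($cookies) as $name) {
        foreach (COOKIE_PREFIXES as $prefix) {
            if (strncmp((string) $name, $prefix, strlen($prefix)) === 0) {
                $matches[] = (string) $name;
                break;
            }
        }
    }
    return $matches;
}

/** Logout URL in the format quoted in the first post, with an allow-listed return address. */
function logoutUrl(string $returnTo): string
{
    if (!in_array($returnTo, ALLOWED_RETURNS, true)) {
        $returnTo = ALLOWED_RETURNS[0];   // refuse arbitrary targets (open redirect)
    }
    return WP_LOGOUT_URL . '?' . http_build_query(['post_logout_redirect_uri' => $returnTo]);
}

if (PHP_SAPI !== 'cli') {
    foreach (sessionCookieNames($_COOKIE) as $name) {
        // Path and domain must match how the cookie was set, or the browser keeps it.
        setcookie($name, '', [
            'expires' => time() - 3600, 'path' => '/', 'domain' => COOKIE_DOMAIN,
            'secure' => true, 'httponly' => true,
        ]);
    }
    $return = $_GET['return'] ?? '';   // hypothetical parameter name
    header('Location: ' . logoutUrl(is_string($return) ? $return : ''), true, 302);
    exit;
}
```

Expiring a cookie only removes the browser's copy, so the final redirect to the WordPress-side logout URL is what gives WordPress the chance to end its own session.
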
Marc Stridgen Posted Friday at 09:01 AM

21 hours ago, Michael Collins said:

> Hi @Marc Stridgen
>
> We've just had a support call with miniOrange and demonstrated the issue. From their POV, the plugin is working as intended.
>
> Is there a way to add a custom logout URL redirect endpoint for the OAuth client in Invision? Because what is currently happening is that Invision is logging the user out, then redirecting to WordPress, where a valid WP session is detected and the OAuth Server is then logging the user back into Invision. If we could have a custom endpoint after the Invision logout, we could then ensure that the user is logged out of WordPress as well - and our problem would be solved.
>
> I'm about to go into two consecutive meetings, but I will add a video later today to demonstrate what is happening - to illustrate the above request.

I understand what you are saying there, however we do not support the logoff endpoint.

Michael Collins (Author) Posted Friday at 01:19 PM

@Marc Stridgen, Mike Collins here. You've been mainly speaking to our developer Ben. I'm not really getting much from your answers and replies here. So are you saying that our issue is completely normal and expected or that we have some strange unique use case that you don't cover?

@balazsp thank you for offering that, I appreciate the help.

Marc Stridgen Posted Friday at 04:00 PM

2 hours ago, Michael Collins said:

> So are you saying that our issue is completely normal and expected or that we have some strange unique usecase that you don't cover?

Yes that is correct. We do not offer OAuth signout capability. I understand that the WordPress plugin there does, however it's not part of OAuth. It's something they are providing themselves.