Respect redirect_to param to wp-login.php with Azure logins

figureone · figureone · commit a3d28a91c4ef · 2022-11-02T15:54:55.000-10:00
diff --git a/src/authorizer/class-authentication.php b/src/authorizer/class-authentication.php
@@ -404,6 +404,18 @@ function ( $entry ) {
 			// See: https://github.com/thenetworg/oauth2-azure.
 			session_start();
 			try {
+				// Save the redirect URL for WordPress so we can restore it after a
+				// successful login (note: we can't add the redirect_to querystring
+				// param to the redirectUri param below because it won't match the
+				// approved URI set in the Azure portal).
+				$login_querystring = array();
+				if ( isset( $_SERVER['QUERY_STRING'] ) ) {
+					parse_str( $_SERVER['QUERY_STRING'], $login_querystring ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
+				}
+				if ( isset( $login_querystring['redirect_to'] ) ) {
+					$_SESSION['azure_redirect_to'] = $login_querystring['redirect_to'];
+				}
+
 				$provider = new \TheNetworg\OAuth2\Client\Provider\Azure( array(
 					'clientId'     => $auth_settings['oauth2_clientid'],
 					'clientSecret' => $auth_settings['oauth2_clientsecret'],
diff --git a/src/authorizer/class-wp-plugin-authorizer.php b/src/authorizer/class-wp-plugin-authorizer.php
@@ -60,6 +60,9 @@ public function __construct() {
 			add_filter( 'login_errors', array( Login_Form::get_instance(), 'show_advanced_login_error' ) );
 		}
 
+		// Redirect to wp-login.php?redirect_to=? destination after an Azure login.
+		add_filter( 'login_redirect', array( Options\External\OAuth2::get_instance(), 'maybe_redirect_after_azure_login' ), 10, 2 );
+
 		// Enable localization. Translation files stored in /languages.
 		add_action( 'plugins_loaded', array( $this, 'load_textdomain' ) );
 
diff --git a/src/authorizer/options/external/class-oauth2.php b/src/authorizer/options/external/class-oauth2.php
@@ -263,4 +263,21 @@ public function print_text_oauth2_url_resource( $args = '' ) {
 		<?php
 	}
 
+
+	/**
+	 * Restore any redirect_to value saved during an Azure login (in the
+	 * `authenticate` hook). This is needed since the Azure portal needs an
+	 * approved URI to visit after logging in, and cannot have a variable
+	 * redirect_to param in it like the normal WordPress redirect flow.
+	 *
+	 * @hook login_redirect
+	 */
+	public function maybe_redirect_after_azure_login( $redirect_to ) {
+		if ( ! empty( $_SESSION['azure_redirect_to'] ) ) {
+			$redirect_to = $_SESSION['azure_redirect_to'];
+		}
+
+		return $redirect_to;
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,9 @@ public function __construct() {`
`60`	`60`	`add_filter( 'login_errors', array( Login_Form::get_instance(), 'show_advanced_login_error' ) );`
`61`	`61`	`}`
`62`	`62`
	`63`	`+ // Redirect to wp-login.php?redirect_to=? destination after an Azure login.`
	`64`	`+ add_filter( 'login_redirect', array( Options\External\OAuth2::get_instance(), 'maybe_redirect_after_azure_login' ), 10, 2 );`
	`65`	`+`
`63`	`66`	`// Enable localization. Translation files stored in /languages.`
`64`	`67`	`add_action( 'plugins_loaded', array( $this, 'load_textdomain' ) );`
`65`	`68`