Changeset 3458536

Timestamp:

02/10/2026 10:58:40 PM (7 weeks ago)

Author:

daggerhart

Message:

Update to version 3.10.4 from GitHub

Location:

daggerhart-openid-connect-generic

Files:

• tags/3.10.4 (copied) (copied from daggerhart-openid-connect-generic/trunk)
• tags/3.10.4/includes/openid-connect-generic-client-wrapper.php (modified) (2 diffs)
• tags/3.10.4/includes/openid-connect-generic-client.php (modified) (1 diff)
• tags/3.10.4/openid-connect-generic.php (modified) (3 diffs)
• tags/3.10.4/readme.txt (modified) (2 diffs)
• trunk/includes/openid-connect-generic-client-wrapper.php (modified) (2 diffs)
• trunk/includes/openid-connect-generic-client.php (modified) (1 diff)
• trunk/openid-connect-generic.php (modified) (3 diffs)
• trunk/readme.txt (modified) (2 diffs)

daggerhart-openid-connect-generic/tags/3.10.4/includes/openid-connect-generic-client-wrapper.php

@@ -441 +441 @@
 
         if ( is_wp_error( $authentication_request ) ) {
+            // Check if this is a retryable IDP error (e.g. Safari ITP causing
+            // Keycloak session cookies to be blocked on cross-site navigation).
+            $retryable_idp_errors = array(
+                'temporarily_unavailable',
+                'authentication_expired',
+                'login_required',
+            );
+
+            $error_code = $authentication_request->get_error_code();
+            $is_retryable = in_array( $error_code, $retryable_idp_errors, true );
+            $already_retried = isset( $_GET['openid-connect-generic-retry'] );
+
+            if ( $is_retryable && ! $already_retried ) {
+                // Log the original error before retrying.
+                $this->logger->log( $authentication_request, 'retry' );
+                $this->logger->log( "Retrying authentication due to IDP error: {$error_code}", 'retry' );
+
+                // Build a fresh authentication URL and append a retry flag
+                // to prevent infinite redirect loops (max 1 retry).
+                $auth_url = $this->get_authentication_url();
+                $auth_url = add_query_arg( 'openid-connect-generic-retry', '1', $auth_url );
+
+                wp_redirect( $auth_url );
+                exit;
+            }
+
             $this->error_redirect( $authentication_request );
         }
@@ -727 +753 @@
      */
     public function get_user_by_identity( $subject_identity ) {
+        global $wpdb;
+
         // Look for user by their openid-connect-generic-subject-identity value.
         $user_query = new WP_User_Query(
             array(
                 'meta_query' => array(
+                    'relation' => 'OR',
                     array(
                         'key'   => 'openid-connect-generic-subject-identity',
+                        'value' => $subject_identity,
+                    ),
+                    array(
+                        'key'   => $wpdb->get_blog_prefix() . 'openid-connect-generic-subject-identity',
                         'value' => $subject_identity,
                     ),

daggerhart-openid-connect-generic/tags/3.10.4/includes/openid-connect-generic-client.php

@@ -163 +163 @@
         // Look for an existing error of some kind.
         if ( isset( $request['error'] ) ) {
-            return new WP_Error( 'unknown-error', 'An unknown error occurred.', $request );
+            $error_code = sanitize_text_field( $request['error'] );
+            $error_message = 'An unknown error occurred.';
+
+            // Use the IDP's error description if available for better diagnostics.
+            if ( ! empty( $request['error_description'] ) ) {
+                $error_message = sprintf(
+                    'IDP error %s: %s',
+                    $error_code,
+                    sanitize_text_field( $request['error_description'] )
+                );
+            }
+
+            return new WP_Error( $error_code, $error_message, $request );
         }
 

daggerhart-openid-connect-generic/tags/3.10.4/openid-connect-generic.php

@@ -17 +17 @@
  * Plugin URI:        https://github.com/oidc-wp/openid-connect-generic
  * Description:       Connect to an OpenID Connect identity provider using Authorization Code Flow.
- * Version:           3.10.3
+ * Version:           3.10.4
  * Requires at least: 5.0
  * Requires PHP:      7.4
@@ -60 +60 @@
   Callable actions
 
-  User Meta
-  - openid-connect-generic-subject-identity    - the identity of the user provided by the idp
-  - openid-connect-generic-last-id-token-claim - the user's most recent id_token claim, decoded
-  - openid-connect-generic-last-user-claim     - the user's most recent user_claim
-  - openid-connect-generic-last-token-response - the user's most recent token response
+  User Meta (since v3.10.4 prefixed with the blog database prefix, for example wp_2_openid-connect-generic-subject-identity)
+  - [[BLOG_DB_PREFIX]]openid-connect-generic-subject-identity    - the identity of the user provided by the idp
+  - [[BLOG_DB_PREFIX]]openid-connect-generic-last-id-token-claim - the user's most recent id_token claim, decoded
+  - [[BLOG_DB_PREFIX]]openid-connect-generic-last-user-claim     - the user's most recent user_claim
+  - [[BLOG_DB_PREFIX]]openid-connect-generic-last-token-response - the user's most recent token response
 
   Options
@@ -94 +94 @@
      * @var string
      */
-    const VERSION = '3.10.3';
+    const VERSION = '3.10.4';
 
     /**

daggerhart-openid-connect-generic/tags/3.10.4/readme.txt

@@ -4 +4 @@
 Requires at least: 5.0
 Tested up to: 6.9.0
-Stable tag: 3.10.3
+Stable tag: 3.10.4
 Requires PHP: 7.4
 License: GPLv2 or later
@@ -50 +50 @@
 
 == Changelog ==
+
+= 3.10.4 =
+
+* Fix issue with finding users on multisite after switch to user options in place of user meta.
+* Improvement: Retry logins for some IDP errors to bypass issue with Safari ITP. Also improves display of error messages that come from the IDP.
 
 = 3.10.3 =

daggerhart-openid-connect-generic/trunk/includes/openid-connect-generic-client-wrapper.php

@@ -441 +441 @@
 
         if ( is_wp_error( $authentication_request ) ) {
+            // Check if this is a retryable IDP error (e.g. Safari ITP causing
+            // Keycloak session cookies to be blocked on cross-site navigation).
+            $retryable_idp_errors = array(
+                'temporarily_unavailable',
+                'authentication_expired',
+                'login_required',
+            );
+
+            $error_code = $authentication_request->get_error_code();
+            $is_retryable = in_array( $error_code, $retryable_idp_errors, true );
+            $already_retried = isset( $_GET['openid-connect-generic-retry'] );
+
+            if ( $is_retryable && ! $already_retried ) {
+                // Log the original error before retrying.
+                $this->logger->log( $authentication_request, 'retry' );
+                $this->logger->log( "Retrying authentication due to IDP error: {$error_code}", 'retry' );
+
+                // Build a fresh authentication URL and append a retry flag
+                // to prevent infinite redirect loops (max 1 retry).
+                $auth_url = $this->get_authentication_url();
+                $auth_url = add_query_arg( 'openid-connect-generic-retry', '1', $auth_url );
+
+                wp_redirect( $auth_url );
+                exit;
+            }
+
             $this->error_redirect( $authentication_request );
         }
@@ -727 +753 @@
      */
     public function get_user_by_identity( $subject_identity ) {
+        global $wpdb;
+
         // Look for user by their openid-connect-generic-subject-identity value.
         $user_query = new WP_User_Query(
             array(
                 'meta_query' => array(
+                    'relation' => 'OR',
                     array(
                         'key'   => 'openid-connect-generic-subject-identity',
+                        'value' => $subject_identity,
+                    ),
+                    array(
+                        'key'   => $wpdb->get_blog_prefix() . 'openid-connect-generic-subject-identity',
                         'value' => $subject_identity,
                     ),

daggerhart-openid-connect-generic/trunk/includes/openid-connect-generic-client.php

@@ -163 +163 @@
         // Look for an existing error of some kind.
         if ( isset( $request['error'] ) ) {
-            return new WP_Error( 'unknown-error', 'An unknown error occurred.', $request );
+            $error_code = sanitize_text_field( $request['error'] );
+            $error_message = 'An unknown error occurred.';
+
+            // Use the IDP's error description if available for better diagnostics.
+            if ( ! empty( $request['error_description'] ) ) {
+                $error_message = sprintf(
+                    'IDP error %s: %s',
+                    $error_code,
+                    sanitize_text_field( $request['error_description'] )
+                );
+            }
+
+            return new WP_Error( $error_code, $error_message, $request );
         }
 

daggerhart-openid-connect-generic/trunk/openid-connect-generic.php

@@ -17 +17 @@
  * Plugin URI:        https://github.com/oidc-wp/openid-connect-generic
  * Description:       Connect to an OpenID Connect identity provider using Authorization Code Flow.
- * Version:           3.10.3
+ * Version:           3.10.4
  * Requires at least: 5.0
  * Requires PHP:      7.4
@@ -60 +60 @@
   Callable actions
 
-  User Meta
-  - openid-connect-generic-subject-identity    - the identity of the user provided by the idp
-  - openid-connect-generic-last-id-token-claim - the user's most recent id_token claim, decoded
-  - openid-connect-generic-last-user-claim     - the user's most recent user_claim
-  - openid-connect-generic-last-token-response - the user's most recent token response
+  User Meta (since v3.10.4 prefixed with the blog database prefix, for example wp_2_openid-connect-generic-subject-identity)
+  - [[BLOG_DB_PREFIX]]openid-connect-generic-subject-identity    - the identity of the user provided by the idp
+  - [[BLOG_DB_PREFIX]]openid-connect-generic-last-id-token-claim - the user's most recent id_token claim, decoded
+  - [[BLOG_DB_PREFIX]]openid-connect-generic-last-user-claim     - the user's most recent user_claim
+  - [[BLOG_DB_PREFIX]]openid-connect-generic-last-token-response - the user's most recent token response
 
   Options
@@ -94 +94 @@
      * @var string
      */
-    const VERSION = '3.10.3';
+    const VERSION = '3.10.4';
 
     /**

daggerhart-openid-connect-generic/trunk/readme.txt

@@ -4 +4 @@
 Requires at least: 5.0
 Tested up to: 6.9.0
-Stable tag: 3.10.3
+Stable tag: 3.10.4
 Requires PHP: 7.4
 License: GPLv2 or later
@@ -50 +50 @@
 
 == Changelog ==
+
+= 3.10.4 =
+
+* Fix issue with finding users on multisite after switch to user options in place of user meta.
+* Improvement: Retry logins for some IDP errors to bypass issue with Safari ITP. Also improves display of error messages that come from the IDP.
 
 = 3.10.3 =