some feature for wordpress plugin #869

Closed
stephenwongcandr opened this issue Feb 2, 2023 · 1 comment

Comments

@stephenwongcandr

  1. Is it possible to regenerate the session ID after clicking logout?
  2. How can I perform a federated logout of the account without an invalid state? (since I added the federated logout
  3. When I use the Universal Login Page, it passes the parameters in the URL to authorize. Is it possible to change this to a POST body instead of URL parameters? Or are the parameters fine to read?

@evansims
Member

evansims commented Feb 6, 2023

Hi @stephenwongcandr 👋 Thanks for your questions! Presumably you're using v4 of the plugin?

  1. Is it possible to regenerate the session ID after clicking logout?

The WordPress plugin works off the native WP session, so you can hook into the wp_logout event to perform any extra actions you need. You'd need to refer to the WordPress API to determine if that's possible.

  2. How can I perform a federated logout of the account without an invalid state? (since I added the federated logout

An invalid state occurs when a user lands on the callback route without a valid state and code. The callback route is only used for completing the authentication flow, after the user is returned from the Universal Login Page. Your logout shouldn't be returning the user to the callback route if that is the case.

  3. When I use the Universal Login Page, it passes the parameters in the URL to authorize. Is it possible to change this to a POST body instead of URL parameters? Or are the parameters fine to read?

This is normal and not changeable. It's part of the design of the Authorization Code Flow. The WordPress plugin is considered a confidential client, as it stores the secret server side. As such, the parameters are safe to send as parameters of a GET request, as they do not contain any dangerous secrets.

@evansims evansims closed this as completed Feb 6, 2023
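
The following PHP example is added here and is not from the thread or from the plugin's code base. It illustrates the two Authorization Code Flow points in the reply above: the authorize URL carries no secret, and a request that reaches the callback route without a matching state and code is reported as an invalid state. The function names, domain, client ID and URLs are assumptions made for illustration.

```php
<?php
// Added example, not the Auth0 WordPress plugin's code.
// Domain, client ID and URLs are constructed placeholders.

/**
 * Build the front-channel /authorize redirect. Nothing in it is secret: the
 * client secret is only used later, server side, when the code is exchanged.
 */
function build_authorize_url(string $domain, string $clientId, string $callback, string $state): string
{
    return "https://{$domain}/authorize?" . http_build_query([
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $callback,
        'scope'         => 'openid profile email',
        'state'         => $state,
    ]);
}

/** Classify a request that lands on the callback route. */
function check_callback(array $query, ?string $storedState): string
{
    $state = $query['state'] ?? null;
    $code  = $query['code'] ?? null;
    // Missing pieces: for example a logout return URL pointed at the callback route.
    if (!is_string($state) || !is_string($code) || $storedState === null) {
        return 'invalid_state';
    }
    // The state must be the one issued to this browser before the redirect.
    if (!hash_equals($storedState, $state)) {
        return 'invalid_state';
    }
    return 'ok'; // the code may now be exchanged over a back-channel POST
}

// Constructed walk-through.
$state = bin2hex(random_bytes(16)); // stored in the user's session before redirecting
$url   = build_authorize_url('tenant.example', 'CLIENT_ID_PLACEHOLDER', 'https://site.example/callback', $state);

parse_str(parse_url($url, PHP_URL_QUERY), $sent);
echo 'authorize parameters: ', implode(', ', array_keys($sent)), PHP_EOL;

echo 'login return:   ', check_callback(['code' => 'sample-code', 'state' => $state], $state), PHP_EOL;
echo 'logout landing: ', check_callback([], null), PHP_EOL;
echo 'forged state:   ', check_callback(['code' => 'sample-code', 'state' => 'forged'], $state), PHP_EOL;
```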