Switch implicit flow to hybrid flow and correct Management API scopes #546
Changes
This PR switches the Implicit login flow to use "hybrid" auth. The new flow uses `response_mode=form_post` to POST the `id_token` and `state` values directly to the callback URL, skipping the wp-login.php processing. The callback will still accept both `token` and `id_token` POST values to retain existing functionality. The ID token will contain a `nonce` which is stored in a cookie and validated when returned (see #536 for more discussion about this).

- `implicit-login.js` from the wp-login.php page; removed the script entirely.
- `WP_Auth0_Lock10_Options::get_callback_protocol()` to look for forced callback setting (this was being ignored in the implicit callback before)
- `WP_Auth0_Lock10_Options::get_implicit_callback_url()` to use main callback instead of wp-login.php
- `response_mode=form_post` to `WP_Auth0_LoginManager::get_authorize_params()` to preserve ULP functionality
- `response_mode=form_post` to `WP_Auth0_Lock10_Options::get_lock_options()`
More info on hybrid flow
Hybrid flow is similar to the implicit grant flow except the response from the authorization server is a POST to the application back-end instead of in an HTML fragment. This is done by passing `response_mode=form_post` when the Implicit Flow setting is turned on. Hybrid flow often uses `response_type=code id_token` but `code` can be omitted if an authorization code is not needed.
References
- form_post
Testing
Checklist
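As an added example (not the plugin's code), the form_post callback check the PR describes, in Python: the authorize request carries `response_type=id_token` and `response_mode=form_post`, and the callback accepts the POSTed `id_token` only if `state` and the token's `nonce` match the values that were set in cookies when the login started. The client id, secret, issuer, callback URL, cookie names and the HS256 mock IdP are constructed assumptions; a real deployment would verify the tenant's RS256 signature with its JWKS instead.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode

CLIENT_ID = "example-client-id"            # constructed values, not the plugin's settings
CLIENT_SECRET = b"example-client-secret"   # HS256 key shared with the mock IdP
ISSUER = "https://example-tenant.example/"
CALLBACK = "https://blog.example/index.php?auth0=1"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_authorize_params(nonce: str, state: str) -> str:
    # Hybrid-style request: only an id_token is requested and the IdP POSTs it to CALLBACK.
    return urlencode({"client_id": CLIENT_ID, "redirect_uri": CALLBACK,
                      "scope": "openid", "response_type": "id_token",
                      "response_mode": "form_post", "nonce": nonce, "state": state})

def mint_id_token(nonce: str, now: int, key: bytes = CLIENT_SECRET) -> str:
    # Stand-in for the IdP: a constructed HS256 ID token that echoes the nonce.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user|123",
                                 "iat": now, "exp": now + 300, "nonce": nonce}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def handle_form_post(post: dict, cookies: dict, now: int) -> dict:
    """Validate a form_post callback: state against its cookie, then the id_token's
    signature, issuer, audience, expiry and nonce. Raises ValueError on failure."""
    if not hmac.compare_digest(post.get("state", "").encode(), cookies.get("auth0_state", "").encode()):
        raise ValueError("state mismatch")
    parts = post.get("id_token", "").split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token")
    header, payload, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token choose the algorithm
    expected = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), cookies.get("auth0_nonce", "").encode()):
        raise ValueError("nonce mismatch")   # replayed or foreign token
    return claims
```

The nonce and state cookies must be set with the authorize redirect and cleared once the callback consumes them, so each login can only be completed once.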