hooks not working if part of the site is under VPN

[Matteo182]

I have the website where some pages are under VPN so not accessible even if you don't enter via VPN.

After login I used this hook: 'openid-connect-generic-redirect-user-back' and I hooked a function where if a user is of a certain type it takes him to a specific page. If, on the other hand, it is on a payment page I have to leave it on this page and then check the $redirect_url variable.
The thing works perfectly if I turn on the VPN from my PC, but if I turn off my VPN the function that I hooked to the hook does not work, or rather it is no longer called. So to be safe I put a log before the start of the hook in your plugin by checking the variable $redirect_url, which in normal situation is filled with the url of the page I am logging in from, but when the VPN is off this variable is empty.
Can you tell me what it can be caused by? why is the variable empty with the VPN off? and why doesn't this Hook work if I don't have a VPN?

thank you so much

this is the code that works with VPN on, it's quite simple so I don't think the problem is the code, also because it is not executed:

add_action( 'openid-connect-generic-redirect-user-back','keycloak_redirect_user_back', 10, 2 );

function keycloak_redirect_user_back( $redirect_url, $user ) {
$u = new mygUserModel( $user->ID );

	if ($u->getRole() !== 'inattivo') {
		if(isset($redirect_url)){
			if (stripos($redirect_url,"prenota") === false && stripos($redirect_url,"dona") === false){
			
				wp_redirect( '/dashboard' );
				exit;
			}else{
				return $redirect_url;
			}
		}
		
	}else{
		$conferma_privacy = get_page_by_path( 'conferma-privacy' );
		$redirect_url = get_permalink( $conferma_privacy ) ? get_permalink( $conferma_privacy ) : '/';
	    return $redirect_url;
	}
}

[Matteo182]

i tried to put the redirect url via shortcode like this

/* setto il cookie con l'url della pagian attuale */
$url = "https://";
$url.= $_SERVER['HTTP_HOST'];

$url.= $_SERVER['REQUEST_URI'];

$url.='dashboard';

echo do_shortcode( '[openid_connect_generic_login_button redirect_to="'.$url.'"]' );

but for some reason the redirection url is modified and brings me back to home, the flag 'Redirect Back to Origin Page' in the options is flagged, but if is'nt flagged the plugin redirect me in home.

the atts in short code don't function ?

[timnolte]

@Matteo182 so the correct attribute for supplying your own redirect is redirect_uri.

[timnolte]

@Matteo182 actually, as I was tracing through the code I think I may have found where a problem was caused when I had added the ability to set a redirect on the shortcodes. I had mistakenly got crossed redirect_to and redirect_url. Those are 2 different things at play between what should be the redirect URL on the WP site vs the redirect URL that the IDP needs to get back to the WP site. I still think that making the move away from the cookies is the right change to make.

[Matteo182]

@timnolte yes you are right, the url passed to the shortcode does not go to the redirect. In any case, if the problem you encounter in other sites is the same as in my case, you have to leave the cookie system. If you need help tell me, I can rewrite my code in a cleaner way and commit it to a branch of your project.

[timnolte]

@Matteo182 so one thing I think you are running into is that the way the redirect functionality is working, or in some cases not working, is because it is relying on Cookies to manage this. I am faced with this issue on one of a clients sites, where the other 30+ sites all work fine, the redirect cookie is generated, but this one all of a sudden is not generating/setting the cookie. I will most likely be looking to change this functionality to no longer use a cookie but use the state of the OIDC login, which is generated on the WordPress site and handed back to WordPress after the IDP completes the authentication. This will mean needing to manage the state via most likely the database, or WordPress transients, but should address any issues that cause cookies from not getting set and preventing the redirection from working correctly.

[Matteo182]

I made this change to use transients:

with this said the transient before the login form:

/* setto attributo short code con url della pagina */
$url = "https://";
$url.= $_SERVER['HTTP_HOST'];

$url.= $_SERVER['REQUEST_URI'];

set_transient ('redirect_url', $url, 1 * HOUR_IN_SECONDS )

this is the change in the plugin code:

$redirect_url = isset( $_COOKIE[ $this->cookie_redirect_key ] ) ? esc_url_raw( $_COOKIE[ $this->cookie_redirect_key ] ) : false;

           /* my custom code */
	if(empty($redirect_url)){
		$redirect_url = (string)get_transient('redirect_url');
		delete_transient('redirect_url');
	}

	if ( $this->settings->redirect_user_back && ! empty( $redirect_url ) ) {
		do_action( 'openid-connect-generic-redirect-user-back', $redirect_url, $user );
		setcookie( $this->cookie_redirect_key, $redirect_url, 1, COOKIEPATH, COOKIE_DOMAIN, is_ssl() );
		$this->logger->log( "url redirect dopo login: {$redirect_url}", 'login-success' );
		wp_redirect( $redirect_url );
	}  else { // Otherwise, go home!
		wp_redirect( home_url() );
	} 

[timnolte]

So while this essentially may work this is not being tied to the state for the specific user/login, and essentially would be a global redirect, and the redirect can incorrectly get changed by any other uses, like with shortcodes that supply a custom redirect URL for that specific use case. I am assuming at least from a proof of concept standpoint that this code changed worked for you?

[Matteo182]

yes for me it's working, I'm doing some tests but in general it works, if you have a better solution that you will put in your plugin please tell me so that I can modify my code too.

[Matteo182]

Hi @timnolte , I found that it doesn't work fully with transients, because unfortunately I used the session id to distinguish the transients of one user from the other. However it seems that the session in production is not working due to the vpn.
So the biggest flaw is that I only have one transient and if two users cross each other during login, the redirection urls are intertwined.

do you have another idea? how can i create different transient for each user? Or do you have an idea with which I can pass a different url redirect depending on the login page I am on?

Hoping to hear from you soon

thank you so much

[timnolte]

@Matteo182 so I have a code change in progress that directly ties a redirect to the state that is generated when forming the authentication URL. The state is generated uniquely for every request.

openid-connect-generic/includes/openid-connect-generic-client.php

Line 355 in c839083

$state = md5( mt_rand() . microtime( true ) );

There is a very slim chance that a state could get reuses except in the case of aggressive caching. My intent will be to make my code changes backwards compatible with any existing uses of the plugin, where the cookie might be explicitly being set outside of the plugin via JavaScript, or using any of the hooks or shortcodes.

[Matteo182]

hello @timnolte , thanks for your help

ok , in practice I created a transient with an array where I insert the $state as $key and url.

add_filter('openid-connect-generic-auth-url', function ( $url ) {
$tdm_redirect_url= array();

	$tdm_redirect_url = get_transient('tdm_redirect_url');

	$redirect_url = "https://";   
	$redirect_url.= $_SERVER['HTTP_HOST'];   

	$redirect_url.= $_SERVER['REQUEST_URI'];

	// Add some custom data to the url. state=5dc97ec44583f32aa75a26736f0d10c1
	$url_components = parse_url($url);

    parse_str($url_components['query'], $params);
	$tdm_redirect_url[$params['state']] = $redirect_url;

	set_transient ('tdm_redirect_url', $tdm_redirect_url, 1 * HOUR_IN_SECONDS );

	return $url;
}

in file openid-connect-generic-client-wrapper.php check if the state exists like you do in check_state(), cycling through the array of states and urls I created.
if i find the status as a key then i take the url and put it in the $ redirect_url.

// prendi il valore di $state nell'url di ritorno

		$tdm_redirect_url = get_transient('tdm_redirect_url');

		// verifico se lo stato è valido 
		foreach ($tdm_redirect_url as $key => $url){

			$state_found = true;

			if ( ! get_option( '_transient_openid-connect-generic-state--' . $key ) ) {
				$state_found = false;
			}

			$valid = get_transient( 'openid-connect-generic-state--' . $key );


			if ( $valid == $key && $state_found ) {
				$redirect_url = $url;
				unset($tdm_redirect_url[$key]);
				set_transient ('tdm_redirect_url', $tdm_redirect_url, 1 * HOUR_IN_SECONDS );
				break;
			}

I did some tests it seems to work better than before, but I still have to try in production, what do you think?

thank you very much