Admin Access

[d3cxxxx]

If we install this plugin, is there a way we can designate some users (logging in through OIDC) as administrators/editors and others as normal users/subscribers? Are there any specifc claims/groups/roles we can use (we use Keycloak as our OP) that will automatically enable those roles to the users? If that is possible, I can totally switch to OIDC logins only and remove wp logins altogether.

Our use-case is: We have an Angular based SPA whose documentation is in this protected WP site. We use a Keycloak OP and we want all users already logged into our SPA to be able to directly navigate to this documentation page (without having to click any buttons on the WP login site like we do now). Also, we want some of the users (staff) to be able to administer and/or edit the pages/documentation.

What is the best way to achieve this?

[timnolte]

@d3c1978 yes you can accomplish this with an additional bit of code. I have done this for someone that was also using Keycloak. You can find an example repository here: https://github.com/timnolte/oidc-keycloak-sso

[d3cxxxx]

Thanks for the pointer Tim. Is this a fork of the original plugin tailored for keycloak? Or is there some config/code I should use in our installation? Sorry for the question if it was obvious.

[timnolte]

So that code is what's called a Must Use Plugin, which is dropped in the wp-content/mu-plugins directory. That is essentially what you might call and add-on for the OpenID Connect Generic plugin. The code in that Must Use Plugin leverages the hooks that are available in the OpenID Connect Generic plugin to provide the additional role mapping functionality, and in that case specifically for a Keycloak IDP.

[d3cxxxx]

Thank you. I downloaded the zip file and unzipped it into the wp-content/mu-plugins directory (btw, that directory did not exist, so I created it and unzipped the files there, but did not get any updated fields in the settings.
Anyway, I worked around the problem for now by manually designating users with their specific roles and switch the login to always use SSO.

[timnolte]

So you didn't see any changes because there is only 1 file from the repository that is supposed not be put in the Must Use Plugins directory. You can put folders in there like the regular plugins directory.

[timnolte]

There is also some documentation regarding mapping roles from an IDP to WordPress roles in the Wiki, though it is specific code for Azure Active Directory. https://github.com/oidc-wp/openid-connect-generic/wiki/Azure-AD-Role-Mapping