Feature: Disable built-in WordPress login / password reset / signup #478
base: develop
Adds an option to completely disable WordPress built-in functionality for login (with username/password), password reset, and signup (registration). All of these functions will be provided by the configured Identity Provider.
How / where can this be done? I didn't find anything related in the repo, am I missing something?
Which tasks should be run to perform this? There are several tasks in
So, we haven't developed the test suite yet, so that first item can be ignored. As for testing locally, it just means: with regard to what has been described for the testing instructions, have you performed these steps locally as well?
Thanks @timnolte , it makes sense now.
Just noting that most of the plugin settings can be configured via constants. This means that changing the configuration is as simple as updating your
Yes, I had the same thinking which is why I deleted my comment a mere moment after posting it. Didn't think anyone could read it haha.
@miguel-rn I am not clear why you aren't configuring the plugin to use Auto instead of Button. It seems like the Auto setting should already be taking care of all of this.
Hiding the password reset / signup field would make much sense not only for the
Hello! I was curious if this PR is still a WIP. We were hoping to use this plugin but have a security requirement that all methods of authentication are disabled outside of OIDC.
@gg-gg-gg-gg have you tested with using the Auto mode for login? This already effectively makes it required to use OIDC as the only means to login.
Yes, the way I tested was
All Submissions:
Changes proposed in this Pull Request:
Adds a setting `Disable WordPress login and signup forms` when all user management should be delegated to Identity Provider and it shouldn't be possible to login from within WordPress. Details are summarized in #477.

When enabled:
- (`wp-login.php`) is disabled
- (`wp-login.php?action=register`) is disabled; when user exists only within Identity Provider but not in WordPress, setting `Create user if they do not exist` is still applied (no change here)
- (`wp-login.php?action=lostpassword`) is disabled
- `wp-login.php` to prevent user confusion

Setting `OIDC_DISABLE_WP_LOGIN_AND_SIGNUP` is introduced.

Closes #477.
How to test the changes in this Pull Request:
1. `wp-login.php`. It is possible to login with WordPress username/password.
2. `Disable WordPress login and signup forms` to `true`.
3. `wp-login.php`. The login form is not available anymore. Also links to Signup and Password reset are removed.

Other information:

Changelog entry
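
A check for the behaviour this PR describes, as an added example that is not code from the PR or the plugin: it scans the responses for the three `wp-login.php` URLs for WordPress core's built-in forms, password inputs, and signup/reset links. The sample responses are constructed, and the `302` status and IdP URL in `AFTER` are assumptions, since the page does not say how a disabled endpoint responds.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

ENDPOINTS = ["/wp-login.php", "/wp-login.php?action=register",
             "/wp-login.php?action=lostpassword"]  # from the PR description
CORE_FORMS = {"loginform", "registerform", "lostpasswordform"}  # WordPress core form ids
BLOCKED_ACTIONS = {"register", "lostpassword"}

class LoginPageScan(HTMLParser):
    """Records core auth forms, password inputs and signup/reset links."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("id") in CORE_FORMS:
            self.findings.append("form#" + a["id"])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.findings.append("password input")
        elif tag == "a":
            actions = parse_qs(urlparse(a.get("href") or "").query).get("action", [])
            self.findings += ["link action=" + x for x in actions if x in BLOCKED_ACTIONS]

def audit(fetch):
    """fetch(path) -> (status, body). Maps each endpoint to its findings; [] means clean."""
    report = {}
    for path in ENDPOINTS:
        status, body = fetch(path)
        scan = LoginPageScan()
        if status == 200:  # a redirect or 4xx renders no built-in form
            scan.feed(body)
            scan.close()
        report[path] = scan.findings
    return report

# Constructed responses, not captured from a real site. The AFTER statuses are assumed.
BEFORE = {
    ENDPOINTS[0]: (200, '<form id="loginform"><input type="password" name="pwd"></form>'
                        '<a href="/wp-login.php?action=lostpassword">Lost your password?</a>'),
    ENDPOINTS[1]: (200, '<form id="registerform"><input type="text" name="user_login"></form>'),
    ENDPOINTS[2]: (200, '<form id="lostpasswordform"><input type="text" name="user_login"></form>'),
}
AFTER = {
    ENDPOINTS[0]: (200, '<a class="button" href="https://idp.example/authorize">Login with OIDC</a>'),
    ENDPOINTS[1]: (302, ""), ENDPOINTS[2]: (302, ""),
}

if __name__ == "__main__":
    print({k: audit(v.__getitem__) for k, v in (("before", BEFORE), ("after", AFTER))})
```

To run it against a test site, pass `audit` a `fetch` callable that returns the status and body without following redirects.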