Hello, how are you? I’m Rafael. A few months ago we purchased the WP OAuth Server – Pro plugin. We have version 4.2.3. The user who purchased the plugin is [email protected]. The site is https://abbviecare.es/
When trying to access the /oauth/introspection/ endpoint we get a 500 error. I’m attaching screenshots of the error. It would be very helpful if you could give us useful information to be able to solve the problem.
I am using the Multiples Roles WP addon and would like to use that information for users logging in to my Nextcloud via an OAuth2 to the WP installation. Are the user’s roles included anywhere in some endpoint? How can I see where this information is included?
Using the Nextcloud Social login app, where I can specify a Groups claim setting.

I’m facing this issue when activating the plugin:
[22-Jul-2024 17:52:21 UTC] PHP Warning: Undefined variable $res in D:\wamp\www\wordpress-6.5\wp-content\plugins\oauth2-provider\includes\functions.php on line 381
[22-Jul-2024 17:52:21 UTC] PHP Stack trace:
[22-Jul-2024 17:52:21 UTC] PHP 1. {main}() D:\wamp\www\wordpress-6.5\wp-admin\plugins.php:0
[22-Jul-2024 17:52:21 UTC] PHP 2. activate_plugin($plugin = 'oauth2-provider/wp-oauth-server.php', $redirect = 'https://localhost/wordpress-6.5/wp-admin/plugins.php?error=true&plugin=oauth2-provider%2Fwp-oauth-server.php', $network_wide = FALSE, $silent = *uninitialized*) D:\wamp\www\wordpress-6.5\wp-admin\plugins.php:60
[22-Jul-2024 17:52:21 UTC] PHP 3. do_action($hook_name = 'activate_oauth2-provider/wp-oauth-server.php', ...$arg = variadic(FALSE)) D:\wamp\www\wordpress-6.5\wp-admin\includes\plugin.php:703
[22-Jul-2024 17:52:21 UTC] PHP 4. WP_Hook->do_action($args = [0 => FALSE]) D:\wamp\www\wordpress-6.5\wp-includes\plugin.php:517
[22-Jul-2024 17:52:21 UTC] PHP 5. WP_Hook->apply_filters($value = '', $args = [0 => FALSE]) D:\wamp\www\wordpress-6.5\wp-includes\class-wp-hook.php:348
[22-Jul-2024 17:52:21 UTC] PHP 6. WO_Server->setup(FALSE) D:\wamp\www\wordpress-6.5\wp-includes\class-wp-hook.php:324
[22-Jul-2024 17:52:21 UTC] PHP 7. WO_Server->install() D:\wamp\www\wordpress-6.5\wp-content\plugins\oauth2-provider\wp-oauth-main.php:229
[22-Jul-2024 17:52:21 UTC] PHP 8. wp_oauth_generate_server_keys($overwrite = *uninitialized*) D:\wamp\www\wordpress-6.5\wp-content\plugins\oauth2-provider\wp-oauth-main.php:344
[22-Jul-2024 17:52:21 UTC] PHP Fatal error: Uncaught TypeError: openssl_pkey_get_details(): Argument #1 ($key) must be of type OpenSSLAsymmetricKey, null given in D:\wamp\www\wordpress-6.5\wp-content\plugins\oauth2-provider\includes\functions.php:381
Stack trace:
#0 D:\wamp\www\wordpress-6.5\wp-content\plugins\oauth2-provider\includes\functions.php(381): openssl_pkey_get_details(NULL)
#1 D:\wamp\www\wordpress-6.5\wp-content\plugins\oauth2-provider\wp-oauth-main.php(344): wp_oauth_generate_server_keys()
#2 D:\wamp\www\wordpress-6.5\wp-content\plugins\oauth2-provider\wp-oauth-main.php(229): WO_Server->install()
#3 D:\wamp\www\wordpress-6.5\wp-includes\class-wp-hook.php(324): WO_Server->setup(false)
#4 D:\wamp\www\wordpress-6.5\wp-includes\class-wp-hook.php(348): WP_Hook->apply_filters(NULL, Array)
#5 D:\wamp\www\wordpress-6.5\wp-includes\plugin.php(517): WP_Hook->do_action(Array)
#6 D:\wamp\www\wordpress-6.5\wp-admin\includes\plugin.php(703): do_action('activate_oauth2...', false)
#7 D:\wamp\www\wordpress-6.5\wp-admin\plugins.php(60): activate_plugin('oauth2-provider...', 'https://localhos...', false)
#8 {main}
thrown in D:\wamp\www\wordpress-6.5\wp-content\plugins\oauth2-provider\includes\functions.php on line 381

I just discovered that this plugin’s tables (wp_oauth_access_tokens & wp_oauth_refresh_tokens) are very large for one site. When I looked at them, I noticed something strange.
The number of rows is about 4M, but the distinct number of user IDs in this table is about 38K. I found one user who has 400k rows in the table.
I don’t have time to investigate what’s happening right now, but this doesn’t seem to be correct.
I think I can remove old rows?

Hi,
I bought a pro version of the plugin but am having issues with it.
SSO Disabled. Please contact the administrator
Error fetching access token
Hope you can help.
Thanks,
Victor

Hi,
I have these errors: https://github.com/qtranslate/qtranslate-xt/issues/1395
caused by the latest updates of your plugin.
Is there a solution?

I just tried and deleted a test user from my WordPress site. The user was logged in and continued to use his refresh token to get new access tokens.
What is the best way to handle this?
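Revoking a deleted user’s tokens, as an added example (not the plugin’s code and not the poster’s): hooking WordPress’s deleted_user action to purge the two token tables named in the earlier report on this page. It assumes those tables carry a user_id column; the plugin’s own API is not used.

```php
<?php
// Added example, not part of the plugin: purge a deleted user's OAuth tokens
// so a refresh token held by a client cannot mint new access tokens after the
// account is gone.
// Assumptions: the tables {$wpdb->prefix}oauth_access_tokens and
// {$wpdb->prefix}oauth_refresh_tokens exist and each has a `user_id` column.

/**
 * Delete every access and refresh token that belongs to $user_id.
 * Returns the number of rows removed (access + refresh), or false on a DB error.
 */
function example_revoke_tokens_for_user( int $user_id ) {
    global $wpdb;
    $removed = 0;
    foreach ( [ 'oauth_access_tokens', 'oauth_refresh_tokens' ] as $table ) {
        $rows = $wpdb->delete(
            $wpdb->prefix . $table,    // table names taken from the report above
            [ 'user_id' => $user_id ], // assumed column name
            [ '%d' ]
        );
        if ( false === $rows ) {
            return false; // query failed; caller can inspect $wpdb->last_error
        }
        $removed += $rows;
    }
    return $removed;
}

// `deleted_user` fires after core has removed the account (`delete_user` fires
// before). Hooking the later one means a failed deletion leaves a still-valid
// user with working tokens, while a successful one revokes everything.
add_action( 'deleted_user', function ( $user_id ) {
    $removed = example_revoke_tokens_for_user( (int) $user_id );
    if ( false === $removed ) {
        error_log( 'OAuth token purge failed for user ' . (int) $user_id . ': ' . $GLOBALS['wpdb']->last_error );
    }
}, 10, 1 );
```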

In other words, can I have clients authenticating against different sites of a multisite WordPress installation?

Hi,
can I provide a wildcard URL as callback URL, such as
*.mycrm.com/redirect/oauth_callback
This will allow all the tenants in a subdomain-based SaaS application (with a separate subdomain for each tenant), such as client1.mycrm.com/tenant2.mycrm.com etc., to log in through WordPress OAuth.

When authenticating vs WP OAuth2 server using ‘authorization code’ flow, the base64 encoded state parameter is incorrectly modified by WP OAuth2 server. The redirect from my client code looks something like this:
https://www.mysite.com/oauth/authorize?response_type=code&client_id=xxxxxxxxxxxxxxxxxxxx&state=affffff1233414313d9d9d9d_adddefefasdfadsfeadf2343%3D&redirect_uri=https://localhost:8080/login/oauth2/code/myclientname
When WP Oauth2 server provides the code for the next step in the flow, my client code does a GET to its own login endpoint:
GET [https://localhost:8080]/login/oauth2/code/myclientname?code=code_provided_by_WP_OAuth2_server&state=affffff1233414313d9d9d9d_adddefefasdfadsfeadf2343&iframe=break
The %3D has been stripped.
%3D is base64 encoded ‘=’ which the state parameter value is padded with if it does not reach a certain length. Some client libraries will accept the padding character’s removal and others will not. Mine doesn’t. I worked around it by generating a hex encoded state parameter value instead and that works.
But WP OAuth2 server should send back the state in its exact original form so that finding the saved request at the other end does not fail.
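An added example (not the plugin’s or the poster’s code) of the round trip described above: a server-side redirect builder that percent-encodes the state so a trailing "=" survives as "%3D", plus the padding-free base64url encoding a client can use so that a server which strips "=" cannot break the lookup. The function names and the sample state are constructed.

```php
<?php
// Added example, not the plugin's code: keeping the OAuth2 `state` value
// intact across the authorize -> callback round trip.

/** Server side: append code and the caller's state to the redirect_uri verbatim. */
function example_build_callback_redirect( string $redirect_uri, string $code, string $state ): string {
    // http_build_query percent-encodes every reserved character, so a state
    // ending in "=" travels as "%3D" and decodes back to "=" at the client.
    $query = http_build_query( [ 'code' => $code, 'state' => $state ], '', '&', PHP_QUERY_RFC3986 );
    $sep   = ( strpos( $redirect_uri, '?' ) === false ) ? '?' : '&';
    return $redirect_uri . $sep . $query;
}

/** Client side: a state that is URL-safe and has no "=" padding (base64url, RFC 4648 section 5). */
function example_generate_state( int $bytes = 24 ): string {
    return rtrim( strtr( base64_encode( random_bytes( $bytes ) ), '+/', '-_' ), '=' );
}

/** Client side: compare the echoed state with the stored one in constant time. */
function example_state_matches( string $stored, string $echoed ): bool {
    return hash_equals( $stored, $echoed );
}

// Walk-through with a padded state like the one in the post (constructed value).
$state = 'affffff1233414313d9d9d9d_adddefefasdfadsfeadf2343=';
$url   = example_build_callback_redirect( 'https://localhost:8080/login/oauth2/code/myclientname', 'CODE', $state );
// parse_str() URL-decodes the query, so the "%3D" becomes "=" again and the
// comparison succeeds; a server that emitted the raw "=" or dropped it would fail here.
parse_str( (string) parse_url( $url, PHP_URL_QUERY ), $params );
var_dump( example_state_matches( $state, $params['state'] ) );

// A padding-free state sidesteps the problem entirely on the client side.
var_dump( example_generate_state() );
```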

Hello,
I have created my client, checked the “Authorisation code” as allowed grant type.
In settings, the “Enable OAuth Server” is checked.
curl -X GET 'https://www.domain.com/oauth/authorize?client_id=XXXX&response_type=code'
It returns absolutely nothing, just a blank body. I got the same response with Postman.
With Chrome, I’m just redirected to the redirected URI I have setup in the client settings.
Any idea?

Hello,
I have created my client, checked the “Authorisation code” as allowed grant type (I use the free version, I only can select this one).
In settings, the “Enable OAuth Server” is checked.
So, to get the authorization code, according to the doc: https://wp-oauth.com/docs/general/grant-types/authorization-code/
I do this GET request in my browser: https://www.mysite.com/oauth/authorize/?client_id=XXXXX&response_type=code
But I got: {"error":"invalid_client","error_description":"The client id supplied is invalid"}

Hi, I have a deprecation warning with your plugin in PHP version 8.2.11
Deprecated: strpos(): Passing null to parameter #1 ($haystack) of type string is deprecated in ...\wp-includes\functions.php on line 7127
It’s because of a bad call to add_submenu_page
in public function add_page() {
Solution is to set the first parameter to a blank string rather than null
add_submenu_page( null, 'Add Client', 'Add Client', 'manage_options', 'wo_add_client', 'wo_add_client_page' );
add_submenu_page( null, 'Edit Client', 'Edit Clients', 'manage_options', 'wo_edit_client', 'wo_admin_edit_client_page' );

Hi,
There is a copy-paste bug in your code on line 19 (as of version 4.3.2) in ‘wo-personal-data-gpdr.php’. You left (or copied) there ‘exporter_friendly_name’ instead of ‘eraser_friendly_name’ and this causes all data erasure requests in WordPress to fail with ‘Eraser array at index %d does not include a friendly name.’. I fixed it for me locally, but please – do it for everyone :-).
We haven’t seen any new versions recently, so I hope this project is alive and doing well as it is a one-of-a-kind solution for WordPress and a total lifesaver for us.
Greetings.

Warning: Undefined variable $res in C:\Users\Admin\Local Sites\socailself\app\public\wp-content\plugins\oauth2-provider\includes\functions.php on line 388
Fatal error: Uncaught TypeError: openssl_pkey_get_details(): Argument #1 ($key) must be of type OpenSSLAsymmetricKey, null given in C:\Users\Admin\Local Sites\socailself\app\public\wp-content\plugins\oauth2-provider\includes\functions.php:388
Stack trace:
#0 C:\Users\Admin\Local Sites\socailself\app\public\wp-content\plugins\oauth2-provider\includes\functions.php(388): openssl_pkey_get_details(NULL)
#1 C:\Users\Admin\Local Sites\socailself\app\public\wp-content\plugins\oauth2-provider\wp-oauth-main.php(345): wp_oauth_generate_server_keys()
#2 C:\Users\Admin\Local Sites\socailself\app\public\wp-content\plugins\oauth2-provider\wp-oauth-main.php(230): WO_Server->install()
#3 C:\Users\Admin\Local Sites\socailself\app\public\wp-includes\class-wp-hook.php(310): WO_Server->setup('')
#4 C:\Users\Admin\Local Sites\socailself\app\public\wp-includes\class-wp-hook.php(334): WP_Hook->apply_filters(NULL, Array)
#5 C:\Users\Admin\Local Sites\socailself\app\public\wp-includes\plugin.php(517): WP_Hook->do_action(Array)
#6 C:\Users\Admin\Local Sites\socailself\app\public\wp-admin\plugins.php(194): do_action('activate_oauth2...')
#7 {main}
thrown in C:\Users\Admin\Local Sites\socailself\app\public\wp-content\plugins\oauth2-provider\includes\functions.php on line 388

I have no tab ‘license’ under the status menu to add/activate a license.
Latest WP version install / php 8.0

Hello, is there any REST route or endpoint to add a new client and pass the necessary data in the body?
If yes, can you point me in the direction to locate it?
If no, how can I create one?

Hello Team WP OAuth Server,
We have a problem with the connection to Circle.so.
Not every user can log in with SSO.
I have contacted circle and they answered:
“
Thank you for providing the information requested! According to our logs, this is the error message triggered by SSO logins:
I’m also attaching the full stack trace to this ticket for reference.
Per our investigation, I could not find any mismatch between Circle and WordPress to justify this issue, but I’d suggest contacting WordPress support since the error seems to be coming from the SSO provider side. They should be able to help further with the information provided.
“
How could I investigate and fix the issue?
Could you help me, please?
Thank you!
Best Regards,
Dimitry

On June 18th I reported the regular PHP error:
WordPress database error Incorrect TIMESTAMP value: '1687072582' for query DELETE FROM xxxxxxxxx_oauth_access_tokens WHERE expires <= '1687072582' made by do_action_ref_array('wpo_global_cleanup'), WP_Hook->do_action, WP_Hook->apply_filters, wpo_global_cleanup_functionality
On June 18th I was asked by support to send some more info which I did immediately. Since then I sent 4 emails asking the status of the topic as I’d like to go productive soon.
Not a single answer.
I’m deeply disappointed.

Just tidying some PHP warnings: would changing this line:
https://plugins.trac.www.ads-software.com/browser/oauth2-provider/trunk/includes/actions.php#L93
to:
if (array_key_exists('path', $url) && ( strpos( $url['path'], 'oauth' ) !== false ))
prevent an undefined array key "path" warning being logged? I’d submit this as a PR but couldn’t see where to do so.

oauth2-provider/includes/admin-options.php makes two calls to add_submenu_page with a null first parameter, starting on line 52. This causes a null path to be sent to various built-in string functions which no longer accept null arguments (via wp_normalize_path in wp-includes/functions.php).
In PHP 8.1 this causes deprecation warnings whenever the WordPress dashboard is visited, and presumably this will cause errors in future versions of PHP. Eg.:
PHP Deprecated: str_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated
WordPress developers have said the functions are designed only to take strings and they won’t protect against null values (https://core.trac.www.ads-software.com/ticket/58772).
Replacing the null parameters with empty strings appears to solve the problem, but I don’t know whether this may have other unexpected consequences.

Hey, I am curious what’s the deal?
The bad reviews are mostly really old, to the point they should probably be deleted, and I see two more recent 5 star reviews in the last two months.
Does the team have a commitment to the plugin?

Hello,
We have downloaded the community version of the OAuth server for its ease of use, and started to work with it for our mobile app by the same name. The OAuth requests and workflow proceed flawlessly on every browser, mobile or desktop, with the exception of Safari.
I cannot get Safari to work and authenticate my users when logging into the app, and from the app to the browser and vice versa.
On Safari, I have enabled pop-ups, cross-site tracking, and fully cleaned cache and website data.
For me to test whether my authentication workflow performs as it needs to, I have to be in private browsing mode. The process works in public mode but not in private.
Some speedy response is appreciated because this is our first step before implementing this on a mass scale.

When I use wo_get_access_token_expires_return to modify the expiration time of the access token, it works fine as long as I set a longer lifetime. But shortening it to 2 hours or 60 seconds throws an error:
$response->setError( 400, 'invalid_request', 'Invalid token', 'https://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-7.2');
class-wo-api.php line 411
Is this expected behavior? I wanted to set it to only about 60 seconds to test refresh tokens.

I’d like to use the Authorization Code grant type within my mobile app, mostly as I still want to make use of Google’s reCAPTCHA. And everything seems to work fine. Unfortunately the redirect to my custom redirect URL lmrapp://login-callback doesn’t work. I’m forwarded to a blank page.
Is such a redirect url with a custom scheme supported?

When using external JWT authentication, it fails because the server is using non-GMT-based expiration, which IMO isn’t right. I hereby propose changing line 62 in JwtAccessToken.php to current_time( 'timestamp', 1 ), which uses the correct time rather than local-based time.
public function createAccessToken( $client_id, $user_id, $scope = null, $includeRefreshToken = true ) {
$expires = current_time( 'timestamp', 1 ) + $this->config['access_lifetime'];
$id = $this->generateAccessToken();

Hi.
WO_Server::wp_oauth_authenticate_bypass(), which is hooked to the determine_current_user filter, returns null, which is incorrect/undesirable. Similarly, class-wo-api.php:309 runs apply_filters on determine_current_user with null as the input.
Where WordPress uses determine_current_user, e.g. _wp_get_current_user(), the value passed when the user id is not known is false, and the documentation says:
@param int|false $user_id User ID if one has been determined, false otherwise.
https://github.com/WordPress/WordPress/blob/17e2eff4aa3beb2802cbec12b6f08e2fbf69893d/wp-includes/user.php#L3618
Similarly false is used/expected in wp_validate_logged_in_cookie(), wp_validate_application_password(), and wp_validate_auth_cookie().
I came across this when I had strongly typed a function I had added to the determine_current_user filter and got a 500 error when the value came from WP OAuth. It would be nice if the code were to match the WordPress convention.
Thanks.

Hi all,
Apologies but bit of a noob to WP and PHP. We are trying to use wp-oauth server pro to grant access to an application that also does a group check. We have this working well with Keycloak for OAuth2.
Looking in the client application logs it is collecting a token successfully and along with the token I can see a number of user fields:
This is the decode from the JWT:
Mar 17 13:23:30 host1 matrix-synapse[20721]: 2023-03-17 13:23:30,436 - synapse.handlers.oidc - 882 - DEBUG - GET-8063 - Userinfo for OIDC login: {'iss': 'https://domain.com', 'sub': '2', 'aud': 'kfvH04fN9rfmsp9KdfjD93s93fhaxS0BXQ2nvux2', 'iat': 1612345667, 'exp': 1612345667, 'auth_time': 1612345667, 'nonce': 'kfvH04fN9rfmsp9KdfjD93s93fhaxS', 'name': 'Joe Smith', 'family_name': '', 'given_name': '', 'middle_name': '', 'nickname': '', 'preferred_username': 'Joe Smith', 'profile': '', 'picture': 'https://secure.gravatar.com/avatar/kfvH04fN9rfmsp9KdfjD93s93fhaxS0BXQ2nvux2=mm&r=g', 'website': '', 'gender': '', 'birthdate': '', 'zoneinfo': 'Europe/London', 'updated_at': '2023-03-09 11:45:14'}
What I’m trying to achieve is returning a “user_role” for the authorized user. I can see this fine when I query the /oauth/me endpoint with the user credentials.
Keycloak has been configured to send a group value back and this is working.
What is the best way to go about this please? I see there are ‘wo_scopes’ & ‘wo_set_access_token’ action hooks, should I be using one of these?
I currently have the following scopes: openid profile, and I’m using client_credentials with an appropriate user mapped.
Please any assistance is much appreciated.

When I call the website via a GET parameter with a token, I want to be logged in automatically.
Is there a function in the framework which validates the token and returns the user id?
Unfortunately I did not find anything.
I would have thought something like this code:
$user_id = WPO_Auth_Code::authenticate_token($_GET['token']);
Here is the code for how I want to realize this:
add_action('init', 'authenticate_user_with_token');
function authenticate_user_with_token() {
    // Check if token is present in GET parameter
    if (isset($_GET['token'])) {
        // Load WP OAuth Server class
        if (!class_exists('WPO_Auth_Code')) {
            require_once('wp-content/plugins/wp-oauth-server/includes/class-wpoauth-code.php');
        }
        // Authenticate token and get user ID
        $user_id = WPO_Auth_Code::authenticate_token($_GET['token']);
        // Check if user ID is valid
        if ($user_id) {
            // Set authentication cookie for the user
            wp_set_auth_cookie($user_id);
        }
    }
}
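An added example (not the plugin’s code) serving this post and the earlier determine_current_user report on this page: a filter callback that returns an int or false, never null, and that reads the token from the Authorization header rather than a GET parameter, which would otherwise end up in server access logs, browser history and Referer headers. example_lookup_user_for_token() is a placeholder for whatever token lookup the plugin offers; its body here is an assumption, as are all the example_ names.

```php
<?php
// Added example, not the plugin's code. Follows the WordPress contract for
// determine_current_user: int user ID when known, false otherwise, never null.

/** Placeholder (assumption): resolve an access token to a user ID, or false. */
function example_lookup_user_for_token( string $token ) {
    // Real code would consult the plugin's token store and check expiry here.
    return false;
}

/** Extract a bearer token from the request, or null when none is present. */
function example_bearer_token_from_request(): ?string {
    $header = $_SERVER['HTTP_AUTHORIZATION'] ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if ( preg_match( '/^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/', trim( $header ), $m ) ) {
        return $m[1];
    }
    return null;
}

/**
 * Filter callback. $user_id arrives as int|false from earlier callbacks; return
 * the same type so later, strictly typed callbacks do not get a TypeError.
 */
function example_determine_current_user( $user_id ) {
    if ( $user_id ) {
        return $user_id; // someone earlier in the chain already authenticated
    }
    $token = example_bearer_token_from_request();
    if ( null === $token ) {
        return false; // false, not null: matches _wp_get_current_user()'s contract
    }
    $id = example_lookup_user_for_token( $token );
    return $id ? (int) $id : false;
}
add_filter( 'determine_current_user', 'example_determine_current_user', 20 );

// A later strictly typed callback like the one the earlier post describes.
// User-defined functions never coerce null into a non-nullable parameter, so
// a null from an upstream callback throws a TypeError here, while false passes.
add_filter( 'determine_current_user', function ( int|false $user_id ) {
    return $user_id;
}, 30 );
```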

The main wp-oauth.com site has issues with licenses. We have a renewed license, but the EDD license key shows expired. So we can’t download the latest security patch, 4.3.0. Also, the website looks like its support/ticket plugin was deactivated, as the support pages and links all show just the shortcode rather than the options for support.