• We got locked out of our WordPress instance this weekend. We did not realize that our Client Secret had expired, so the OAuth2 option we had set up stopped working. We just got a blank white screen. We then tried to get access by using https://www.oursite.com/wp-login.php?external=wordpress but that also failed. We resolved it by uninstalling the plugin, logging into WordPress, then re-installing the plugin while still having an active WordPress session. That allowed us to enter a new Client Secret and get the OAuth2 option back working. On our end, we need to find a way to track Client Secret expirations. But there might be a bug that prevents wp-login.php?external=wordpress from working in this type of scenario.

Viewing 1 replies (of 1 total)
  • Plugin Author Paul Ryan

    (@figureone)

    Strange. In our testing, external=wordpress still works even if the OAuth2 client secret is invalid. However, you may also have to go through the “Lost Password?” process to reset the WordPress password on your admin account so that you can log back in using WordPress credentials. If you can provide more details on what didn’t work here we can explore further!

    This is a tough case for us when credentials expire. In our testing of multiple authentication backends, we found that many will emit transient errors (like the user’s session token is out of date), so our solution (in order to cause minimal disruption for client logins) is to redirect back and attempt authentication again. In the case of expired secrets, as you found, this results in the browser eventually flagging “too many redirects” and interrupting the process with a white screen and no details on what caused it. Sadly there is no standard for what error messages are returned from the backends, so it’s hard for us to differentiate between transient “client data is out of date and needs to be refreshed” errors, and “admin credentials are expired/invalid so authentication cannot proceed” errors.
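
The retry-by-redirect behaviour described in the reply above can be bounded so that a permanent failure ends in a readable error instead of the browser's "too many redirects" page. The following is an added sketch that models the logic in Python; it is not the plugin's code or the plugin author's, and the `attempt` query parameter, `MAX_ATTEMPTS`, and all function names are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlparse, parse_qs

MAX_ATTEMPTS = 3                               # assumed cap, not a plugin setting
LOGIN_PATH = "/wp-login.php"
FALLBACK = LOGIN_PATH + "?external=wordpress"  # fallback URL quoted in the thread

def handle_login(url, backend_ok):
    """Return ("ok" | "redirect" | "error", detail) for one login request.

    backend_ok stands in for the OAuth2 backend. It returns False for any
    failure, because the handler cannot tell transient from permanent errors.
    """
    query = parse_qs(urlparse(url).query)
    try:
        attempt = max(0, int(query.get("attempt", ["0"])[0]))
    except ValueError:
        attempt = MAX_ATTEMPTS                 # malformed counter: stop retrying
    if backend_ok(attempt):
        return "ok", "session created"
    if attempt + 1 >= MAX_ATTEMPTS:
        # Give up with a visible message instead of redirecting again.
        return "error", ("External login failed %d times; an administrator "
                         "can sign in at %s" % (attempt + 1, FALLBACK))
    # Retry once more, carrying the attempt count in the redirect URL.
    return "redirect", LOGIN_PATH + "?" + urlencode({"attempt": attempt + 1})

def follow(backend_ok, browser_limit=20):
    """Follow redirects as a browser would; return (outcome, detail, requests)."""
    url = LOGIN_PATH
    for hops in range(1, browser_limit + 1):
        outcome, detail = handle_login(url, backend_ok)
        if outcome != "redirect":
            return outcome, detail, hops
        url = detail
    return "too_many_redirects", "", browser_limit

def expired_secret(attempt):    # constructed backend: permanent failure
    return False

def stale_token(attempt):       # constructed backend: succeeds on the first retry
    return attempt >= 1

if __name__ == "__main__":
    print(follow(stale_token))      # transient error still recovers
    print(follow(expired_secret))   # permanent error stops with a message
```

The counter is client-supplied, so it only protects a normal browser from looping; it is not an access control.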
