Admin Access

[d3cxxxx]

If we install this plugin, is there a way we can designate some users (logging in through OIDC) as administrators/editors and others as normal users/subscribers? Are there any specifc claims/groups/roles we can use (we use Keycloak as our OP) that will automatically enable those roles to the users? If that is possible, I can totally switch to OIDC logins only and remove wp logins altogether.

Our use-case is: We have an Angular based SPA whose documentation is in this protected WP site. We use a Keycloak OP and we want all users already logged into our SPA to be able to directly navigate to this documentation page (without having to click any buttons on the WP login site like we do now). Also, we want some of the users (staff) to be able to administer and/or edit the pages/documentation.

What is the best way to achieve this?

[timnolte]

@d3c1978 yes you can accomplish this with an additional bit of code. I have done this for someone that was also using Keycloak. You can find an example repository here: https://github.com/timnolte/oidc-keycloak-sso

[d3cxxxx]

Thanks for the pointer Tim. Is this a fork of the original plugin tailored for keycloak? Or is there some config/code I should use in our installation? Sorry for the question if it was obvious.

[timnolte]

So that code is what's called a Must Use Plugin, which is dropped in the wp-content/mu-plugins directory. That is essentially what you might call and add-on for the OpenID Connect Generic plugin. The code in that Must Use Plugin leverages the hooks that are available in the OpenID Connect Generic plugin to provide the additional role mapping functionality, and in that case specifically for a Keycloak IDP.

[d3cxxxx]

Thank you. I downloaded the zip file and unzipped it into the wp-content/mu-plugins directory (btw, that directory did not exist, so I created it and unzipped the files there, but did not get any updated fields in the settings.
Anyway, I worked around the problem for now by manually designating users with their specific roles and switch the login to always use SSO.

[timnolte]

So you didn't see any changes because there is only 1 file from the repository that is supposed not be put in the Must Use Plugins directory. You can put folders in there like the regular plugins directory.

[timnolte]

There is also some documentation regarding mapping roles from an IDP to WordPress roles in the Wiki, though it is specific code for Azure Active Directory. https://github.com/oidc-wp/openid-connect-generic/wiki/Azure-AD-Role-Mapping

[f1-outsourcing]

Hi @timnolte Tim, why is this role mapping a separate module? Is this not standard in the protocols?

[f1-outsourcing]

It was not active, I moved the files like this. Now I have the extra options! :) Looking forward to testing them.

mu-plugins/
├── oidc-keycloak-custom
│   ├── composer.json
│   ├── composer.lock
│   ├── docs
│   │   ├── home.md
│   │   ├── namespaces
│   │   │   └── default.md
│   │   ├── reports
│   │   │   ├── deprecated.md
│   │   │   ├── errors.md
│   │   │   └── markers.md
│   │   └── structure.xml
│   ├── LICENSE
│   ├── package.json
│   ├── package-lock.json
│   ├── phpcs.xml.dist
│   ├── phpdoc.dist.xml
│   ├── README.md
│   └── scripts
│       └── fixHtmlToMd.php
└── oidc-keycloak-custom.php

[timnolte]

This is meant to be installed via Composer you don't need all of those files. You only need this file. https://github.com/timnolte/oidc-keycloak-sso/blob/main/oidc-keycloak-custom.php

[f1-outsourcing]

Hi @timnolte Tim, you are sure this mu-plugin still works? I can't seem to get roles mapped. I only used keycloak for a few days, so maybe I am missing some setting there. But I noticed some ui changes in keycloak, so I thought maybe the architecture changed recently. I am currently testing with idp-oidc-tester and when I refresh the token, I see the role I wanted to use. It is in realm_access.roles, not sure if that is correct.

[timnolte]

I can't really say for certain if that add-on still works. If not you'll probably have to customize it.

[f1-outsourcing]

I see this in the code $user_claim['user-realm-role'] if the 'user-realm-role' should be coming from the json token data. I think this then changed. Because this tester dumps this format

{
  "raw": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyTHlNdXpHUkZZUVpZQnY5ZEhocUpvNUdrTkRiTHlNTDlkLWtPcTdnV1F3In0.eyJleoVNUYOlm5-CJVeTein6SHN1spVDYVhq9kj6l8bzvm-gheg9f23JlhgCzXYshu08DKbTtYw25Ar7Vy7AsXeZnlKFB_vKZQst2F2FHN9Guo8x2u0u4MZWa18yqbTcqccS03tU7e700OB65HE0Q2seTiaYYly6crGIWvOnOyd4wL8RjR6MNpvRXb9bO4JE_CFPuBG_GvwRuqvDGswEzKANZwcFGwQ",
  "introspected": {
    "exp": 1731802719,
    "iat": 1731802419,
    "auth_time": 1731802388,
.
.
.
    "azp": "website-wordpress",
    "sid": "2565b056-2632-47a3-a3e5-75bc0d211950",
    "acr": "0",
    "allowed-origins": [
      ""
    ],
    "realm_access": {
      "roles": [
.
        "offline_access",
        "application-wordpress-authors",
        "uma_authorization"
      ]
    },
    "resource_access": {
      "account": {
        "roles": [
          "manage-account",
          "manage-account-links",
          "view-profile"
        ]
      }
    },
    "scope": "openid email photos profile",
    "email_verified": false,
    "name": "Test Test",

I also dumped this $user_claim object, but that does not have much data.