Add option to do full logout

Adds a new option to perform a full logout of Azure AD when logging out of WordPress. Fixes #163 and fixes #184.
psignoret · Apr 6, 2018 · 4da5465 · 4da5465 · bradkovach · Apr 6, 2018
1 parent 137ff4a
commit 4da5465
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 1 deletion.
diff --git a/Settings.php b/Settings.php
@@ -104,6 +104,13 @@ class AADSSO_Settings {
 	 */
 	public $default_wp_role = null;
 
+	/**
+	* Indicates whether a logout of WordPress should also trigger a logout of Azure AD.
+	*
+	* @var boolean Whether or not logging out of WordPress triggers logging out of Azure AD.
+	*/
+	public $enable_full_logout = false;
+
 	/**
 	 * @var string The OpenID Connect configuration discovery endpoint.
 	 */

diff --git a/SettingsPage.php b/SettingsPage.php
@@ -248,6 +248,14 @@ public function register_settings() {
 			'aadsso_settings_page', // page
 			'aadsso_settings_general' // section
 		);
+
+		add_settings_field(
+			'enable_full_logout', // id
+			__( 'Enable full logout', 'aad-sso-wordpress' ), // title
+			array( $this, 'enable_full_logout_callback' ), // callback
+			'aadsso_settings_page', // page
+			'aadsso_settings_general' // section
+		);
 
 		add_settings_field(
 			'field_to_match_to_upn', // id
@@ -374,6 +382,7 @@ public function sanitize_settings( $input ) {
 			'enable_auto_forward_to_aad',
 			'enable_aad_group_to_wp_role',
 			'match_on_upn_alias',
+			'enable_full_logout',
 		);
 		foreach ( $boolean_settings as $boolean_setting )
 		{
@@ -646,6 +655,17 @@ public function openid_configuration_endpoint_callback() {
 		);
 	}
 
+	/**
+	 * Renders the `enable_full_logout` checkbox control.
+	 */
+	public function enable_full_logout_callback() {
+		$this->render_checkbox_field(
+			'enable_full_logout',
+			__( 'Do a full logout of Azure AD when logging out of WordPress.',
+				'aad-sso-wordpress' )
+		);
+	}
+
 	/**
 	 * Renders a simple text field and populates it with the setting value.
 	 *

diff --git a/aad-sso-wordpress.php b/aad-sso-wordpress.php
@@ -83,7 +83,7 @@ public function __construct( $settings ) {
 		add_action( 'login_form', array( $this, 'print_login_link' ) ) ;
 
 		// Clear session variables when logging out
-		add_action( 'wp_logout', array( $this, 'clear_session' ) );
+		add_action( 'wp_logout', array( $this, 'logout' ) );
 
 		// If configured, bypass the login form and redirect straight to AAD
 		add_action( 'login_init', array( $this, 'save_redirect_and_maybe_bypass_login' ), 20 );
@@ -348,6 +348,10 @@ function authenticate( $user, $username, $password ) {
 			);
 		}
 
+		if ( is_a( $user, 'WP_User' ) ) {
+			$_SESSION['aadsso_signed_in_with_azuread'] = true;
+		}
+
 		return $user;
 	}
 
@@ -563,6 +567,21 @@ function clear_session() {
 		session_destroy();
 	}
 
+	/**
+	 * Clears the current the session, and triggers a full Azure AD logout if needed.
+	 */
+	function logout() {
+
+		$signed_in_with_azuread = isset( $_SESSION['aadsso_signed_in_with_azuread'] ) 
+									&& true === $_SESSION['aadsso_signed_in_with_azuread'];
+		$this->clear_session();
+
+		if ( $signed_in_with_azuread && $this->settings->enable_full_logout ) {
+			wp_redirect( $this->get_logout_url() );
+			die();
+		}
+	}
+
 	/*** Settings ***/
 
 	/**