its-webhosting/umich-oidc-login

UMich OIDC Login plugin for WordPress

UMich OIDC Login is a WordPress plugin that allows users to log in to a WordPress website and/or the site's WordPress administration dashboard using OpenID Connect (OIDC). Users' group membership information sent via OIDC can be used to restrict who can access various parts of the website (including the whole website).

Features

  • Allows site visitors to log in via OIDC without needing a WordPress user account.
  • Allows or requires WordPress users to log in via OIDC instead of using their WordPress password.
  • Can restrict access based on whether the user is logged in via OIDC, and whether the logged-in user is a member of one or more groups
    • Can restrict access to the entire site.
    • Can restrict access to specific pages and posts.
    • Can show content within a page/post/widget only to users meeting certain criteria.
  • Access restrictions apply to site visitors, feeds, the REST API, and XMLRPC.
  • Search results from WordPress' built-in search only show content that the searching user has access to.
    • WARNING: Third-party WordPress search plugins may show content that the user does not have access to, leaking private information. Please test search plugins for this before enabling them.
  • Shortcodes (Gutenberg blocks planned for a future release)
    • umich_oidc_button - Generate a login or logout button.
    • umich_oidc_link - Generate a login or logout link.
    • umich_oidc_logged_in - Show content only if the visitor is logged in.
    • umich_oidc_member - Show content only if the visitor is a member of one or more groups.
    • umich_oidc_not_logged_in - Show content only if the visitor is NOT logged in.
    • umich_oidc_not_member - Show content only if the visitor is NOT a member of the specified groups.
    • umich_oidc_url - Generate a login or logout URL.
    • umich_oidc_userinfo - Display information about the currently-logged-in OIDC user.
  • Supported / tested OIDC providers:
    • Shibboleth OIDC using the edumember_ismemberof attribute for LDAP group membership.
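The feature list above says that access restrictions also apply to feeds, the REST API and search, and warns that third-party search plugins may leak restricted content. The following POSIX shell script is an added example (not part of the umich-oidc-login project) of how a site operator can check this from the outside: it fetches the built-in search page, the site feed and the REST API search endpoints as an anonymous visitor (no cookies) and reports whether a marker string leaks. It assumes you have first placed a unique marker string (a constructed value of your choosing) inside a post that is restricted by the plugin, and that the SITE and MARKER environment variables, which are placeholders here, point at your site and that marker.

```shell
#!/bin/sh
# Added example, not part of the umich-oidc-login project: probe a WordPress
# site as an anonymous visitor and confirm that a marker string that exists
# only inside restricted content does not come back through built-in search,
# the feed, or the REST API. SITE and MARKER are operator-supplied placeholders.
set -u

# body_leaks BODY MARKER: succeed (exit 0) when MARKER occurs in BODY.
body_leaks() {
    printf '%s' "$1" | grep -F -q -- "$2"
}

# classify_status CODE: label an HTTP status for the report line.
classify_status() {
    case "$1" in
        200) echo allowed ;;
        401|403|404) echo denied ;;
        *) echo other ;;
    esac
}

# encode_query TEXT: minimal query-string encoding (spaces only); choose a
# marker that contains no other URL-special characters.
encode_query() {
    printf '%s' "$1" | sed 's/ /%20/g'
}

# probe URL MARKER: fetch URL with no cookies and report whether MARKER leaked.
# Returns 1 on a leak so the caller can count failures.
probe() {
    url=$1
    marker=$2
    tmp=$(mktemp)
    code=$(curl -s -o "$tmp" -w '%{http_code}' --max-time 20 "$url") || code=000
    body=$(cat "$tmp")
    rm -f "$tmp"
    if body_leaks "$body" "$marker"; then
        printf 'LEAK  %s (HTTP %s)\n' "$url" "$code"
        return 1
    fi
    printf 'ok    %s (HTTP %s, %s)\n' "$url" "$code" "$(classify_status "$code")"
    return 0
}

# Only make network requests when the operator has set SITE and MARKER, so the
# functions above can be sourced or tested without touching a live site.
if [ -n "${SITE:-}" ] && [ -n "${MARKER:-}" ]; then
    q=$(encode_query "$MARKER")
    fails=0
    for url in \
        "$SITE/?s=$q" \
        "$SITE/feed/" \
        "$SITE/feed/?s=$q" \
        "$SITE/wp-json/wp/v2/search?search=$q" \
        "$SITE/wp-json/wp/v2/posts?search=$q"
    do
        probe "$url" "$MARKER" || fails=$((fails + 1))
    done
    echo "leaking endpoints: $fails"
    exit "$fails"   # non-zero exit status means at least one endpoint leaked
else
    echo "usage: SITE=https://example.test MARKER='string-only-in-restricted-post' sh $0"
fi
```

Run it once before and once after enabling a third-party search plugin; any line beginning with LEAK means the marker, and therefore the restricted post, is visible to the public. A passing run only shows that anonymous visitors are blocked: to check a logged-in visitor who is not in the required group, repeat the probes with that visitor's session cookie passed to curl with -b. XML-RPC is not probed here because its post-listing methods require credentials.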

Install

Requirements

  • WordPress 6.0 or later
  • PHP 7.3 or later
  • Client credentials for a supported OIDC provider (for example, Shibboleth OIDC)

Install steps

  1. (Recommended but not required) Install the WordPress Native PHP Sessions plugin from the WordPress.org plugin repository or by uploading the files to your web server. For details, see How to Install a WordPress Plugin. UMich OIDC Login strongly recommends using the WordPress Native PHP Sessions plugin to prevent conflicts with other WordPress plugins that also use PHP sessions, and to ensure correct operation when the site resides on multiple web servers.
  2. Install the UMich OIDC Login plugin from GitHub. This plugin is not available through wordpress.org. Use one of the following methods of installing the plugin:
    1. WP Admin Dashboard Method: This requires that your site has write access to the plugins folder:
      1. Download the umich-oidc-login.zip file using the link https://github.com/its-webhosting/umich-oidc-login/releases/latest/download/umich-oidc-login.zip
        • Important: if you download the plugin via the releases page, make sure you do not download the source code. The source code has to be built before it can be used on a site.
      2. Go to the WordPress admin dashboard -> Plugins -> Add New -> Upload Plugin
      3. Select the zip file you downloaded and click Upload
      4. Activate the plugin
    2. Manual Method:
      1. Download the umich-oidc-login.zip file using the link https://github.com/its-webhosting/umich-oidc-login/releases/latest/download/umich-oidc-login.zip
        • Important: if you download the plugin via the releases page, make sure you do not download the source code. The source code has to be built before it can be used on a site.
      2. Extract the contents of the zip file onto your computer
      3. Use SFTP or a similar method to upload the umich-oidc-login folder from your computer to the wp-content/plugins/ folder of your site. The final location should be wp-content/plugins/umich-oidc-login
      4. Activate the plugin using the WordPress admin dashboard
    3. WP CLI Method: (if you have the wp command installed):
      wp plugin install https://github.com/its-webhosting/umich-oidc-login/releases/latest/download/umich-oidc-login.zip --activate
  3. Activate both the WordPress Native PHP Sessions and the UMich OIDC Login plugins through the 'Plugins' menu in WordPress.
  4. Under the Settings menu in WordPress, navigate to "UMich OIDC Login" and then click on the "OIDC" tab. Make a note of the Redirect URI value for use when registering an OIDC client for your WordPress site.
  5. Register an OIDC client for your WordPress site. On the OIDC tab of the UMich OIDC Login settings page, fill in the information you got when registering your client. At a minimum, this will be the Identity Provider URL, Client ID, and Client Secret. Click the "Save Changes" button.
  6. You can now use the settings on the General tab to control access to the website, as well as login and logout behavior. You can restrict access to individual posts and pages by editing them and changing their document settings. You can also use shortcodes from the Shortcodes tab in your theme and/or website content. Adding the following shortcodes to your theme will display a greeting and a login/logout button.
Hello, [umich_oidc_userinfo type="given_name" default="stranger"]
[umich_oidc_button]

For more details, refer to the documentation from the University of Michigan.

Screenshots

Log in and log out without a WordPress user account

Visitors can log in using OIDC without a WordPress user account.

Visitors can log in via OIDC without needing a WordPress user account. UMich OIDC Login gets information about logged-in visitors from the OIDC Identity Provider.

WordPress user account log in page

WordPress login page showing both OIDC and username/password login options

The plugin can be configured to let WordPress users log in to WordPress using either OIDC or their WordPress username and password.

The plugin can also be configured to use only OIDC for logging in to WordPress.

General settings

General settings page

Control what happens when visitors/users log in and log out.

OIDC settings

OIDC settings page

Use group information obtained through OIDC to control access to the website.

Shortcodes

Shortcodes settings page

Use shortcodes to control who sees which things within pages, posts, and themes.

Access control metabox

Post and page access control

Use group information obtained through OIDC to control access to individual posts and pages.

Frequently Asked Questions

Why do I have to enter all groups the site uses on the settings page?

For privacy reasons, UMich OIDC Login is currently designed to work with OIDC Identity Providers that restrict which groups can be used to share membership information with websites. Only the official names of groups can be used; aliases will not work. Entering the official group names allows content authors to select the groups from a dropdown list, making things easier and preventing many errors.

Help! OIDC stopped working and now I can't log in to my WordPress dashboard!

Use WP CLI to turn off OIDC for WordPress users:

wp option patch delete umich_oidc_settings use_oidc_for_wp_users

You should then be able to log in to WordPress using your WordPress username and password for your website.

Or, completely turn off the UMich OIDC Login plugin. WARNING: deactivating the plugin will make any content you have restricted publicly viewable.

wp plugin deactivate umich-oidc-login

If you don't remember your WordPress user account password, you can set a new one:

wp user update YOUR-WORDPRESS-USERNAME --user_pass="PUT-YOUR-NEW-PASSWORD-HERE"

How can I report an issue, get help, request a feature, or help with plugin development?

Open a GitHub issue or email webmaster@umich.edu

Copyright and license information

Copyright (c) 2022 Regents of the University of Michigan.

This file is part of the UMich OIDC Login WordPress plugin source code.

UMich OIDC Login is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

UMich OIDC Login is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with UMich OIDC Login. If not, see https://www.gnu.org/licenses/.

About

WordPress plugin for restricting access to the whole site or only certain parts based on OIDC login and group membership information
