Conversation

@ChristianMaidhof
Now, the Access Token and Refresh Token are stored in the database. After login, the tokens are encrypted using the login key of the WordPress system and stored as usermeta in the database as “encrypted_token”. Before logout, the corresponding entry is removed from the metadata. The token can then be used by other plugins, e.g., for calling APIs.

@figureone (Member)

Thanks for the pull request, we'll work on reviewing it and let you know if we have any comments/questions. Since caching OAuth tokens has security implications, we'll want to do a more thorough review.

Can you let us know your use case for reusing the tokens in another plugin?

@ChristianMaidhof (Author)

We have an API that is secured with OAuth2. Therefore, we need the access and refresh tokens to obtain the relevant information. I thought I would share the change with you, as we have already made it.

If you decide that it does not fit into your strategy, I won't be upset if you choose not to merge it. Maybe you can add a checkbox in the settings for this feature if needed.

@figureone (Member)

Thanks for keeping this updated; we'll work on getting it merged in the next release cycle. These are the open chores as I see them:

  1. Add an option to Authorizer Settings to enable/opt in to this behavior (we can tackle this one, the code for options is super messy :)
  2. Reference the code forked from Google Site Kit: https://github.com/google/site-kit-wp/blob/develop/includes/Core/Storage/Data_Encryption.php (it is Apache licensed so we should be able to include it in this GPLv3 project: https://www.apache.org/licenses/GPL-compatibility.html)
  3. Use WordPress PHP Coding Standards: https://developer.wordpress.org/coding-standards/wordpress-coding-standards/php/

dexit pushed a commit to dexit/authorizer that referenced this pull request Jan 5, 2026
This commit implements full Office 365/Microsoft 365 authentication with
secure token storage and profile synchronization capabilities, addressing
requirements from PR uhm-coe#155, PR #2 feedback, and Issue uhm-coe#124.

Features Added:
- OAuth2 token storage with secure encryption using WordPress authentication keys
- Microsoft 365 profile photo sync with avatar override
- Additional MS365 profile fields sync (job title, department, phone, location, etc.)
- Settings UI for enabling/disabling token storage and profile sync features

Changes:
1. OAuth2 Settings (class-oauth2.php):
   - Added 'Store access token' checkbox to enable encrypted token storage
   - Added 'Sync profile photo' checkbox for MS365 avatar sync
   - Added 'Sync profile fields' checkbox for additional profile data

2. Admin Page (class-admin-page.php):
   - Registered new OAuth2 settings fields in admin interface

3. Authentication (class-authentication.php):
   - Modified OAuth2 authentication flow to include token object in returned user data
   - Token now passed to authorization process for storage and profile sync

4. Authorization (class-authorization.php):
   - Added handle_oauth2_token_and_profile_sync() method for new and existing users
   - Added store_oauth2_token() with secure encryption using WordPress keys
   - Added sync_microsoft_profile_photo() for avatar synchronization
   - Added sync_microsoft_profile_fields() for additional profile data
   - Tokens stored encrypted with LOGGED_IN_KEY and LOGGED_IN_SALT

5. Helper (class-helper.php):
   - Added encrypt_token() and decrypt_token() using WordPress authentication keys
   - Added fetch_microsoft_graph_profile_photo() for MS Graph API photo retrieval
   - Added fetch_microsoft_graph_profile_fields() for MS Graph API profile data
   - Added save_user_profile_photo() to handle photo upload and attachment creation

6. Main Plugin (class-wp-plugin-authorizer.php):
   - Added pre_get_avatar_data filter to override WordPress avatars with MS365 photos
   - Avatar automatically displays synced profile photo when available

Security Improvements:
- Token encryption uses WordPress LOGGED_IN_KEY and LOGGED_IN_SALT (not hardcoded keys)
- Implements AES-256-CBC encryption with proper IV generation
- Addresses security concerns from PR #2 review feedback
- Tokens stored as encrypted user meta and can be removed on logout

Profile Data Synced:
- Profile photo (replaces WordPress/Gravatar avatar)
- Job title, department, office location
- Business phones, mobile phone
- City, state, country, postal code
- Company name, preferred language
- User principal name

All synced data stored as user meta with 'oauth2_' prefix for easy access
by other plugins and themes.

Tested with Microsoft Azure OAuth2 provider (Office 365/Microsoft 365).
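The storage scheme described in the PR description above (tokens encrypted with the WordPress login key, kept as "encrypted_token" usermeta, removed on logout) and in the commit message (AES-256-CBC keyed from LOGGED_IN_KEY and LOGGED_IN_SALT) is sketched below as an added, stand-alone example. It is not Authorizer's, Site Kit's, or the referenced commit's code. It goes one step beyond the thread by adding an HMAC-SHA256 tag over IV and ciphertext (encrypt-then-MAC), since CBC alone gives no tamper detection and a modified usermeta row would otherwise decrypt to garbage or be exploitable via padding oracles. The `example_` function names and the stubbed constant values are hypothetical; `update_user_meta`, `delete_user_meta` and the `wp_logout` action are real WordPress APIs and are only wired up when the file is loaded inside WordPress.

```php
<?php
// Added example (not code from Authorizer, Site Kit, or the commit above).
// Pattern: derive keys from LOGGED_IN_KEY / LOGGED_IN_SALT, encrypt the OAuth2
// token, store it as usermeta "encrypted_token", delete it on logout.
// Outside WordPress the two constants are stubbed with constructed values.
if ( ! defined( 'LOGGED_IN_KEY' ) ) {
	define( 'LOGGED_IN_KEY', 'constructed-example-login-key' );
}
if ( ! defined( 'LOGGED_IN_SALT' ) ) {
	define( 'LOGGED_IN_SALT', 'constructed-example-login-salt' );
}

const EXAMPLE_CIPHER   = 'aes-256-cbc';
const EXAMPLE_TAG_LEN  = 32; // HMAC-SHA256 output length in bytes.
const EXAMPLE_META_KEY = 'encrypted_token';

/**
 * Derive separate 32-byte encryption and MAC keys with HKDF, so the raw
 * wp-config secret is never used directly as an AES key and the two keys differ.
 */
function example_token_keys() {
	return array(
		hash_hkdf( 'sha256', LOGGED_IN_KEY, 32, 'oauth2-token-encrypt', LOGGED_IN_SALT ),
		hash_hkdf( 'sha256', LOGGED_IN_KEY, 32, 'oauth2-token-mac', LOGGED_IN_SALT ),
	);
}

/**
 * AES-256-CBC with a fresh random IV, then HMAC-SHA256 over IV||ciphertext
 * (encrypt-then-MAC) so a modified usermeta row is rejected before decryption.
 * Returns base64( IV || ciphertext || tag ), or false on failure.
 */
function example_encrypt_token( $token ) {
	list( $enc_key, $mac_key ) = example_token_keys();
	$iv = random_bytes( openssl_cipher_iv_length( EXAMPLE_CIPHER ) );
	$ct = openssl_encrypt( $token, EXAMPLE_CIPHER, $enc_key, OPENSSL_RAW_DATA, $iv );
	if ( false === $ct ) {
		return false;
	}
	$tag = hash_hmac( 'sha256', $iv . $ct, $mac_key, true );
	return base64_encode( $iv . $ct . $tag );
}

/**
 * Verify the tag in constant time, then decrypt. Returns false for a
 * malformed, tampered, or differently-keyed value (e.g. after salt rotation).
 */
function example_decrypt_token( $stored ) {
	list( $enc_key, $mac_key ) = example_token_keys();
	$iv_len = openssl_cipher_iv_length( EXAMPLE_CIPHER );
	$raw    = base64_decode( $stored, true );
	if ( false === $raw || strlen( $raw ) < $iv_len + EXAMPLE_TAG_LEN + 1 ) {
		return false;
	}
	$iv  = substr( $raw, 0, $iv_len );
	$ct  = substr( $raw, $iv_len, -EXAMPLE_TAG_LEN );
	$tag = substr( $raw, -EXAMPLE_TAG_LEN );
	if ( ! hash_equals( hash_hmac( 'sha256', $iv . $ct, $mac_key, true ), $tag ) ) {
		return false;
	}
	return openssl_decrypt( $ct, EXAMPLE_CIPHER, $enc_key, OPENSSL_RAW_DATA, $iv );
}

// Inside WordPress: persist after a successful OAuth2 login and remove on
// logout. The guard lets the file run outside WordPress too.
if ( function_exists( 'add_action' ) ) {
	function example_store_token( $user_id, $token ) {
		$stored = example_encrypt_token( $token );
		return false === $stored ? false : update_user_meta( $user_id, EXAMPLE_META_KEY, $stored );
	}
	add_action( 'wp_logout', function ( $user_id ) {
		delete_user_meta( $user_id, EXAMPLE_META_KEY );
	} );
}

// Stand-alone demo with a constructed token: the round trip succeeds, and a
// single flipped ciphertext byte is rejected instead of decrypting to garbage.
$stored    = example_encrypt_token( 'constructed-access-token' );
$ok        = example_decrypt_token( $stored ) === 'constructed-access-token';
$raw       = base64_decode( $stored );
$raw[20]   = chr( ord( $raw[20] ) ^ 0x01 ); // offset 20 lies inside the ciphertext (IV is 16 bytes)
$rejected  = false === example_decrypt_token( base64_encode( $raw ) );
echo ( $ok && $rejected ) ? "round trip ok, tampering rejected\n" : "unexpected result\n";
```

Two caveats a reviewer of this feature would want on record. First, the keys come from wp-config.php, so this protects tokens against database-only exposure (backups, a read-only SQL injection, a leaked dump), not against anyone who can already read wp-config.php or run PHP on the site; any plugin on the same install can call the decrypt routine. Second, rotating LOGGED_IN_KEY or LOGGED_IN_SALT invalidates every stored token, so consumers should treat a false return as "re-authenticate" rather than as a bug, and the plugin should delete the usermeta row at that point instead of leaving undecryptable data behind.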