Callback URL - Social Logins - wordpress

Can someone explain what the Callback URL is and what exactly it's used for?
I'm setting up Social login for my WordPress website and in Facebook and Twitter it asks for a callback URL.
At the moment i have left these blank and it works fine but was wondering what exactly are they used for?
I've read on other websites that it should be set like this:
http://mywebsite.com/user/facebook/login
But I don't understand what to use it for.
Is it to redirect the user to your site after they login via their social accounts? If that's the case, doesn't it do that without a callback URL?

Is it to redirect the user to your site after they login via their social accounts?
Yes.
If that's the case, doesn't it do that without a callback URL?
How would it know where to redirect back to, if that information wasn’t passed to it in the first place?
The callback URL is passed as a parameter in the login dialog call. That allows the login provider to a) redirect back to the app, and b) check if the app is even allowed to perform login under that URL.

Related

Make Chrome Extension detect if user is logged in on my Wordpress website

I have a Wordpress website and a Chrome Extension. If the user logs in on the website, I want the Chrome Extension to be aware of that (and vice-versa). The Chrome Extension won't have a login form in it; the user will always log in through the website login form.
When you log in on the website, Wordpress by default sets its authentication cookies to identify the user. What I initially had in mind: I would also like to return some kind of access token, which I would store somewhere where the extension can find it and use it to make authenticated requests to the Wordpress REST API. But.. where do I store it (in a safe manner) so I can find it within the extension?
Perhaps I should try a different approach?
Thank you!
What you could do, the simpler way:
create an Ajax action or a REST API route
as you can read in the documentation, the authentication is cookie-based. So once the user is logged in from the WordPress login form, the authentication cookie is added to your browsing session
without overrides, the cookie will also be forwarded when using JS HTTP queries (eg ajax)
your route could check something like is_user_logged_in() or wp_get_current_user() like available methods. And return the result (among other things if needed) to your plugin JS
you may need to change the WordPress cookie configuration, so they can be accessed from anywhere (any domain), check this.
Better way:
would be to use a plugin like this to implement REST API Oauth2 authentication
user should be able to login directly from the extension window (need development), and then use a refresh token feature to keep the user logged in.
I believe you may also need to update your actual login form, if its classic or OAuth rest API login, should be able to send back the required OAuth token (access and refresh tokens), to the frontend (then stored in local storage or else) to be used by the extension. To prevent having to log in twice.

Universal Analytics and login redirect

As part of user flow on my site, user is redirected to a different domain that is not under my control, where he logs in and is then redirected back to my site.
Google analytics fail to correctly display the user flow, showing the callback URL as a new landing page, which is obviously wrong.
I am considering rewriting referrer on the callback page, but it seems like a very hacky solution to a common problem.
Is there a standard way to connect the flow after a redirect?
You must enter the domain of that site in the Referral exclusions list in the Properties settings.

How to register a centralized application with multiple deployments with Azure AD for Single Sign On

So I am implementing this single sign on feature using Azure AD as the authentication provider. My question is : is it possible to register just one centralized application for potentially multiple deployments?
doc
single sign out
I also want this single sign out feature. i.e. if a user log out of his/her outlook account, my app will react to it and also perform a logout.
The doc specify that I need to set the LogoutUrl field in AAD and do the implementation. The problem is I can only fill out one LogoutUrl for each registered application. I tried move this logout url to the reply urls but the endpoint will not fire.(only work when filled in the logout url field)
Scenario: I have one core app for potentially multiple deployments, and they all have their unique urls.
abc.com
abc1.com
abc2.com
The list will go longer, so it is painful if I need to set up the application for each one. Can I get around by just setting one centralized app?
For the redirect url I think I can set up multiple reply urls. Or can I?
The difficult part is the logouturl: AAD only allow to set up one value, so I need to set up a centralized endpoint (logout.com/logout) to receive the logout call, and then redirect the call to the associated deployment. ( a user log out from abc.com, logout.com/logout is fired, it will then need to identify that the logout happens in abc.com, then it direct the call to abc.com so abc.com can receive and perform cleanups.)
For Azure Active Directory, you can have reply urls spanning multiple domains. So that works. You can also use these reply urls as part of your logout process. The logout url setting is optional, as far as I know.
https://login.microsoftonline.com/{0}/oauth2/logout?post_logout_redirect_uri={1}
(How to signout from an Azure Application?)
Remark: Azure AD B2C only supports reply urls within a single domain.
Edit: It seems I misunderstood your question. Do you want a redirect to abc.com when the user logs out from abc.com? use the redirect url. Do you want to clear the session in abc.com, abc1.com, abc2.com when the user logs out from abc.com? This is more tricky since AAD opens up your logout url in an hidden iframe (=> "Front-channel signout", a GET to the designated URL). If you want this to actually clean up all your domains, you need to get creative... not sure what the best way ist. You could try returning HTML that in itself has iframes to all the domains.. but i don't know if it will be properly evaluated.

Facebook request got redirect

Currently my client have 2 websites, for example: abc.com and us.abc.com. They want that everytime an user from US access abc.com, he/she will be redirected to us.abc.com. That can be solved very easy, however after solved that issue, I have ran into another issue related to Facebook.
That's when an user browse abc.com and they click share facebook button somewhere in the website, what was shared is always what appear in the home page of us.abc.com.
What I think is that because Facebook server is in US, so when facebook made the request, it was redirected to us.abc.com => Cause the issue.
Are there anyway to white list facebook request and skip it from the redirect rule ?
Yes, you can detect that Facebook is making a request. You can do this by using the request headers, as explained in the question How to recognize Facebook User-Agent
.
Based on those user-agent strings, you can decide wether to redirect.

Why isn't my LinkedIn API authorization method working?

I'm following the authorization instructions but I can't figure out how it's supposed to work. I'm sending a request to https://www.linkedin.com/uas/oauth2/authorization, and passing the required fields. The call succeeds and returns some authorization html, which I display, and it looks like this:
But the form containing the Allow Access button has an action of /uas/oauth2/authorizedialog/submit, and so clicking it fails, because there's no domain specified. Clearly it's supposed to be displaying some sort of authorization on the LinkedIn site, not my own. What am I doing wrong?
Argh, what I was doing wrong was trying to download the contents of the authorization url page, instead of simply redirecting to it. Redirecting to it does open the page on their site, and I can authorize, and then be redirected back to my own callback.

Resources