someone fork wp-openid and maintain it (or take an existing openid plugin). I have not looked yet at what exists.
move to another protocol (SAML, IndieAuth, etc). I have already done that for another blog, and it was a bit painful due to the current hosting platform blocking the exact URL used by the plugin (so I have a gory workaround).
So if someone has a creative solution or a preference, please do not hesitate to share it.
I’m not really all that familiar with the inner workings of the FAS authentication stack. I don’t have any ideas or preferences. Thanks for the heads up that things might be breaking in the near future. My only request would be that you try to avoid breaking things around release time.
someone fork wp-openid and maintain it (or take an existing openid plugin). I have not looked yet at what exists.
We want to move away from OpenID. Keycloak doesn’t support it, and we want to move to that from Ipsilon.
move to another protocol (SAML, IndieAuth, etc). I have already done that for another blog, and it was a bit painful due to the current hosting platform blocking the exact URL used by the plugin (so I have a gory workaround).
So if someone has a creative solution or a preference, please do not hesitate to share it.
OIDC would be best, but failing that SAML should work…
There are two widely used OIDC/OAuth2 plugins for WordPress. One is open source, another one is partially open source. I think the open source one should be fine for our purposes. I think it has now moved to the OpenID Connect Generic WordPress GitHub organization.
In order to test, I need to upgrade the stg instance. However, it seems to be stuck on an older version despite auto upgrade (and now shows an error). I will try to fix it, but in the meantime, the stg blog is not functional (not sure if that’s due to some upgrade or if I broke it).
I moved prod to stg (made a copy), but like last time, Jetpack complained. I think I didn’t break it, but if Jetpack is broken on the blog, please tell me so I can take a look.
I added the plugin suggested by @abbra and opened a ticket for the secret. For now, I am testing on the community blog staging, but once that’s done, I will move the other blogs one by one and warn in advance.
Fedora Magazine is still on 6.6.1 and I disabled the automated update on that site (I can’t easily revert on Fedora Comblog for now), so that should be fine for now.
@arrfab and I were able to get the OIDC plugin working when we tested last week, so fixing is just a question of managing to move the less than 1 Kb of random data used as the secret from one server to my computer so I can paste it in the right place. I will open a new ticket tomorrow for the prod instance.
It was an automated update, so I can’t really take credit for the experiment, I can just add my name as advisor. The automated verification checks if the website works and reverts if it fails, but this doesn’t prevent errors on login; I guess that’s what happened.
Thanks to @zlopez’s prompt key sending, I was able to fix it and it should now be working.
Currently, prod is fixed, stg will be dealt with later, and then Fedora Magazine.
The new system automatically redirects you to FAS, with the annoying side effect that if you log out, it will redirect you to FAS and log you in again. That’s just a setting (“add a button for login” vs “redirect to SSO automatically”), not sure which one is better. I prefer the redirect and auto-login, this seems more intuitive, but I am not the one using the blog.