Introduction

Here is a summary of the latest changes to our plugins.

Change Log

9th April 2019 / wp365-login[all versions] / v7.11

  • Change: User Synchronization is now executed in asynchronous batches of 25 users each until finished, to prevent a timeout exception. As soon as the asynchronous user synchronization has finished, the plugin will try to send an email to the website’s administrator (premium version only).
  • Change: When you have selected the Intranet (Authentication) Scenario, you can check the “Public Homepage” option to allow anonymous access to the WordPress frontpage i.e. your website’s home page (premium and professional version only).
  • Change: A direct link to the WPO365 Wizard has been added to the Admin Dashboard Menu.
  • Change: You can now toggle debug mode comfortably from the “Debug” tab that has been added to the plugin’s configuration wizard. The debug log can now be viewed on that tab as well and you can copy the log to the clipboard.
  • Change: The plugin now partially obscures a number of configuration secrets e.g. application ID, application secret, nonce etc.
  • Change: The plugin’s wizard has been enhanced with a number of warnings in the form of popups to provide more guidance when configuring the plugin.
  • Fix: Synchronizing external users has been improved and the user name configured by the plugin is the external user’s own email address (instead of the – sanitized – Azure AD User Principal Name) (premium version only).
  • Fix: When a user – for any reason – cannot be created, the plugin would try and log that user’s ID, causing an irrecoverable exception, which is now caught and logged adequately.

30th March 2019 / wp365-login[all versions] / v7.10

  • Fix: Stricter validation of the Error Page URL and Pages Blacklist entries to ensure that the website itself is not accidentally added (causing the plugin to skip authentication altogether).
  • Fix: Automatic update for the PROFESSIONAL edition failed.

28th March 2019 / wp365-login[all versions] / v7.9

  • Fix: Custom error messages were ignored due to an error with the property’s casing.
  • Change: The professional and premium versions now offer a Redirect to login option that, when checked, will send the user to the default WordPress login form (instead of the Microsoft one). On the login form, a message will inform the user that he / she can also sign into the website using his / her Microsoft Office 365 / Azure AD account (and provide a link that, when clicked, will sign in the user with Microsoft).

21st March 2019 / wp365-login[all versions] / v7.8

  • Fix: Auto-fix for bypassing server-side cache didn’t work as expected.
  • Change: The BASIC edition will now show an appropriate error message when a user is not found.
  • Change: Added a short code that can be used on a custom error page to display the plugin’s error message (professional / premium only).

19th March 2019 / wp365-login[all versions] / v7.7

  • Fix: Removed “Plugin not configured” error redirection, which prevented users from logging on with their WordPress-only admin account when the plugin was not yet configured.
  • Fix: (Smoke) Tested against PHP 7.3.3 and replaced deprecated create_function call.

17th March 2019 / wp365-login[all versions] / v7.6

  • Change: You can now configure an Error Page. When configured, the plugin will redirect the user to this page each time it runs into an error e.g. user not found, plugin not configured etc. If no Error Page is configured, the plugin will instead redirect the user to the default WordPress login form. The plugin will automatically skip the Error Page when authenticating a request (to avoid an infinite loop). The error code will be sent along as a query string parameter and can be used to customize your own Error Page.

17th March 2019 / wp365-login[professional / premium] / v7.6

  • Change: When you change the authentication scenario to “Internet” the Pages Blacklist will be replaced by a Private Pages list. Posts and Pages added to the new Private Pages list will only be accessible for authenticated users. If the user is authenticated, the plugin will try and sign in the user with Microsoft.
  • Fix: Added MIME Type and Content Headers to the New User Notification email template.

3rd March 2019 / wp365-login[professional / premium] / v7.5

  • Change: The plugin can now be configured to send a (customizable) new user registration email.

3rd February 2019 / wp365-login[all versions] / v7.4

  • Fix: If a user is not manually registered prior to trying to sign into the WordPress site with Microsoft, the user would end up in an infinite loop (only impacts basic version).
  • Fix: Remove crossorigin from Pintra Fx template since this was causing an issue downloading react files from UNPKG CDN.

3rd February 2019 / wp365-login[all versions] / v7.3

  • See Important Upgrade Notice v7.3
  • Fix: A new setting Don’t try bypass (server side) cache on the Miscellaneous Tab now controls whether the plugin will try and bypass the server side cache by redirecting the user first to /wp-admin before redirecting the user to Microsoft’s Identity Provider.
  • Fix: A new global constant WPO_MU_USE_SUBSITE_OPTIONS allows administrators of a WordPress multisite network to toggle between a shared scenario in which all subsites in the network share the same Azure AD application registration and a dedicated scenario in which all sites in the network will have to be configured individually.

17th January 2019 / wp365-login[all versions] / v7.2

  • Fix: Missing namespace import causing server error when user cannot be added successfully [professional, premium]

17th January 2019 / wp365-login[all versions] / v7.1

  • Change: Now the plugin can redirect users based on their Azure AD Group Membership [premium]
  • Fix: User synchronization would not work correctly with Graph Version set to beta
  • Fix: Added support for wp_login hook
  • Fix: Lowered priority when hooking into the wp_authenticate hook

15th January 2019 / wp365-login-premium / v7.0

14th January 2019 / wp365-login / v7.0

13th December 2018 / wp365-login-premium / v5.3

  • Change: Extra user fields will now show on a BuddyPress profile page as Directory Info
  • Change: User synchronization will never update a user that is an administrator (the option *Do not update existing admins* has been deleted)
  • Fix: User synchronization does not work for WordPress Multisite
  • Fix: User synchronization for WordPress Multisite should only be available for the main (root) site

5th December 2018 / wp365-spo-premium / v2.0

  • Change: The app is now a Pintra Framework app and uses the new AJAX token service from the wpo365-login plugin
  • Change: Added a Pintra Framework shortcode generator – Now it’s a breeze to configure the app

5th December 2018 / wp365-login-premium / v5.2

  • Change: Removed the (Redux) WPO365 Option for scope
  • Change: Support for Azure AD v2.0 authentication and access token requests (preview, more information will follow in a separate upcoming post)
  • Change: Updated the access token (AJAX) service API to support Azure AD v2.0 scope based token requests
  • Change: Authorization, access and refresh codes and tokens are now stored as JSON encoded classes
  • Change: Previously deprecated methods have been removed (other / third party plugins and apps must integrate using the API now)

4th December 2018 / wp365-login / v6.1

  • Change: Removed the (Redux) WPO365 Option for scope
  • Change: Support for Azure AD v2.0 authentication and access token requests (preview, more information will follow in a separate upcoming post)
  • Change: Updated the access token (AJAX) service API to support Azure AD v2.0 scope based token requests
  • Change: Authorization, access and refresh codes and tokens are now stored as JSON encoded classes
  • Change: Previously deprecated methods have been removed (other / third party plugins and apps must integrate using the API now)

4th December 2018 / wp365-spo / v2.0

  • Change: The app is now a Pintra Framework app and uses the new AJAX token service from the wpo365-login plugin
  • Change: Added a Pintra Framework shortcode generator – Now it’s a breeze to configure the app

18th November 2018 / wp365-login-premium / v5.1

  • Fix: Msft_Graph::fetch may return WP_Error and the avatar function was not handling this correctly

16th November 2018 / wp365-login-premium / v5.0

  • Change: A configuration option has been added to always redirect a user to a designated page upon signing into the website
  • Change: A client (side) application can now request an oauth access token for any Azure AD secured resource e.g. Graph and SharePoint Online
  • Change: A configuration section has been added to configure / disable the aforementioned AJAX service for Azure AD oauth access tokens
  • Change: A Configuration section has been added that allows administrators to define custom login error messages
  • Change: Refresh tokens e.g. for Graph and SharePoint Online are now set to expire after 14 days
  • Change: The plugin will now cache the Microsoft signin keys used to verify the incoming ID token for 6 hours to improve overall performance
  • Change: The flow to obtain access tokens has been refactored and greatly simplified (existing methods have been marked deprecated)
  • Fix: Dynamic role assignment will not add default role when user has existing role(s)

16th November 2018 / wp365-login / v6.0

  • Change: A configuration option has been added to always redirect a user to a designated page upon signing into the website
  • Change: A client (side) application can now request an oauth access token for any Azure AD secured resource e.g. Graph and SharePoint Online
  • Change: A configuration section has been added to configure / disable the aforementioned AJAX service for Azure AD oauth access tokens
  • Change: A Configuration section has been added that allows administrators to define custom login error messages
  • Change: Refresh tokens e.g. for Graph and SharePoint Online are now set to expire after 14 days
  • Change: The plugin will now cache the Microsoft signin keys used to verify the incoming ID token for 6 hours to improve overall performance
  • Change: The flow to obtain access tokens has been refactored and greatly simplified (existing methods have been marked deprecated)
  • Fix: Dynamic role assignment will not add default role when user has existing role(s)

21st October 2018 / wp365-spo-premium / v1.1

  • Fix: Access token will only be requested on pages where the app is added using the shortcode
  • Fix: Don’t delete plugin version number each time the plugin is loaded
  • Refactoring: Standardized the naming of the user meta key used to cache the access token
  • Refactoring: Reduced the number of dependencies on the wpo365-login plugin

21st October 2018 / wp365-spo / v1.3

  • Fix: Access token will only be requested on pages where the app is added using the shortcode
  • Fix: Don’t delete plugin version number each time the plugin is loaded
  • Refactoring: Standardized the naming of the user meta key used to cache the access token
  • Refactoring: Reduced the number of dependencies on the wpo365-login plugin

8th October 2018 / wp365-spo / v1.2

  • Fix: item path property was wrongly set to author

4th October 2018 / wp365-login-premium / v4.6

  • Change: Pages Blacklist can now include query string parts e.g. “?api=”, but administrators need to be aware that this can potentially weaken overall security

4th October 2018 / wp365-login / v5.3

  • Change: Pages Blacklist can now include query string parts e.g. “?api=”, but administrators need to be aware that this can potentially weaken overall security

27th September 2018 / wp365-login-premium / v4.5

  • Fix: user_nicename – a WP_User field that is limited to 50 characters – was wrongly set to a user’s full name which under circumstances prevented a user from being created successfully

27th September 2018 / wp365-login / v5.2

  • Fix: user_nicename – a WP_User field that is limited to 50 characters – was wrongly set to a user’s full name which under circumstances prevented a user from being created successfully

4th September 2018 / wp365-login-premium / v4.4

  • Fix: Change PHP language construct to restore compatibility with PHP 5.3.29

4th September 2018 / wp365-login-premium / v4.3

  • Change: An extra configuration option has been added to instruct the plugin to only try and add the default role if no other role(s) could be assigned i.e. no valid Azure AD to WordPress role mapping exists for that user
  • Fix: Check before redirecting whether headers are sent and if yes the plugin now falls back to an alternative method to redirect

30th August 2018 / wp365-login / v5.1

  • Fix: When searching for O365 users search both in email and login name
  • Fix: Check before redirecting whether headers are sent and if yes falls back to an alternative method to redirect
  • Fix: search_columns argument for WP_User_Query must be an array

22nd August 2018 / wp365-login-premium / v4.1

  • The User Synchronization job will now show additionally a list of existing WordPress users with an Office 365 account
  • When running User Synchronization you can choose to update existing WordPress users – if properly configured – the plugin will retrieve 1) additional user information from Microsoft Graph and 2) evaluate the Office 365 Azure AD Security Groups to WordPress roles mappings (and assign new roles when needed)
  • For the User Synchronization to be able to retrieve Office 365 Azure AD Security Group information for a user the permissions for the corresponding Azure AD Application Registration must be updated (see online documentation here)
  • When creating new WordPress users by either running a User Synchronization job or by manually clicking Create – if properly configured – the plugin will retrieve 1) additional user information from Microsoft Graph and 2) evaluate the Office 365 Azure AD Security Groups to WordPress roles mappings (and assign new roles when needed)
  • The plugin is now capable of assigning multiple roles to a user and when doing so it will either first delete any existing roles before assigning new ones or instead preserve existing roles prior to adding new ones
  • The setting Update user role has been deprecated and instead the plugin will always try to update the user’s role in one of two possible modes: “add” (default) or “replace”
  • The plugin offers a new setting User role update scenario that lets you choose between replacing all existing roles with new ones or instead only adding any possible new roles (default behaviour)
  • Now that the plugin is capable of assigning multiple roles it will always (at least) add the default role for the main site as per configuration before adding any applicable roles as per Office 365 Azure AD Security Group to WordPress role mappings
  • The HTML template for the Sign in with Microsoft shortcode can be customized in the shortcode body (see documentation)
  • When the premium plugin is activated it will check whether the “personal blog / free” version is still activated and if yes try and deactivate it

10th August 2018 / wp365-login-premium / v4.0

  • Administrators can now configure which additional Office 365 user fields should be retrieved from Microsoft Graph and what the corresponding field title is in WordPress
  • Additional Office 365 user fields e.g. Job Title, Mobile Phone etc. are now editable by a user (when this user has sufficient permissions to update his or her WordPress profile in the first place) and those changes are not synchronized back to Office 365 Azure AD
  • Use a WordPress shortcode wpo365-sign-in-with-microsoft-sc to place a login link on your site wherever you want
  • When synchronizing users with Office 365 Azure AD the plugin will try and retrieve additional user information immediately
  • Now you can supply a list of semi-colon separated own domains (e.g. “wpo365.com;wp-o365.com”) to support enterprises that have mapped multiple domains to their Office 365 tenant
  • Select the preferred Microsoft Graph version i.e. v1.0 or beta (which is experimental but returns – for example – more user fields)
  • Moved the JWT class into the Wpo namespace (to avoid class loading issues)
  • Added psr-4 type auto class loading
  • Code refactoring to allow for the SharePoint Online Plugin and other extensions to re-use existing code base

10th August 2018 / wp365-login / v5.0

  • Moved the JWT class into the Wpo namespace (to avoid class loading issues)
  • Added psr-4 type auto class loading
  • Code refactoring to allow for the SharePoint Online Plugin and other extensions to re-use existing code base

10th August 2018 / wp365-spo-premium / v1.0

10th August 2018 / wp365-spo / v1.0

  • The plugin has been fully modernized and re-written from the ground up to better integrate with the other WPO365 plugins for user authentication, registration and synchronization
  • Using the short code [wpo365-content-by-search-sc] any page can be turned into a SharePoint Online Search Center
  • Support for incremental searching

24th June 2018 / wp365-login-premium / v3.2

15th June 2018 / wp365-login-premium / v3.1

8th June 2018 / wp365-login-premium / v3.0

Version 3.0 adds Azure AD user synchronization as a new feature.
  • The ability to quickly rollout new users to WordPress from Active Directory
  • Disable user access to WordPress for users that are disabled in your tenant / domain

6th June 2018 / wp365-login-premium / v2.4

  • Added an option to force WordPress to send no-cache headers when the global variable WPO_NOCACHE has been defined and set to true e.g. define( 'WPO_NOCACHE', true );
  • Fixed an issue where the plugin tried to read the session duration from a global variable without a fallback option to a Redux variable, causing unnecessary token refresh roundtrips
  • Fixed a minor bug where the plugin did not check whether an error occurred when creating a new WP user

23rd May 2018 / wp365-login-premium / v2.3

  • Added plugin update checker. Please add a new wp-config.php setting WPO_LOGIN_DOWNLOAD_LINK or, when using Redux, please visit WPO365 Options > Downloads > wpo365-login download link and copy the download link you have received when purchasing the plugin
  • Fixed an issue with array function dereferencing
  • Removed email settings
  • Minor refactoring

14th May 2018 / wp365-login-premium / v2.2

  • Fixed an issue in the Auth class (line 96) where the PHP language construct empty() was given a function but it can only handle variables

10th May 2018 / wp365-login-premium / v2.1

  • Fixed an issue with the Azure AD Groups Whitelist – When an Azure AD Groups Whitelist was configured, a user was required to be a member of all groups rather than just one
  • Added license file
  • Updated README

8th May 2018 / wp365-login / v4.0

  • Added license validation for the Personal Blog (free) version, in order to prevent the creation of more than 3 users (unlimited users can still be created manually).

6th May 2018 / wp365-login / v3.13

  • New information banner on wpo365-options page.

5th May 2018 / wp365-login-premium / v2.0

  • Enhances a user’s profile with additional fields from Microsoft Graph (mobilePhone, businessPhones, officeLocation, jobTitle)
  • New WP_CONFIG settings WPO_GRAPH_USER_DETAILS (true|false) to enable|disable retrieving and showing additional user fields from Microsoft Graph
  • Fixed an issue with the avatar always showing the profile picture from the current user
  • Fixed an issue when retrieving global boolean variables that were set to false
  • Fixed an issue when exploding an empty string which returned a non-empty array

4th May 2018 / wp365-login-premium / v1.7

  • Replaced array construct to remain compatible with older PHP versions
  • Now the plugin decides to prepend https to the state property based on the protocol used for the redirect url. Some WordPress hosters use SSL-terminating proxies, causing default WordPress SSL detection to fail. This may cause the plugin to redirect the user after login to the wrong website address starting with http instead of https, and this eventually may lead to the user being caught in an infinite authentication loop.
  • Simplified the nonce algorithm

3rd May 2018 / wp365-login / v3.12

  • Now the plugin decides to prepend https to the state property based on the protocol used for the redirect url. Some WordPress hosters use SSL-terminating proxies, causing default WordPress SSL detection to fail. This may cause the plugin to redirect the user after login to the wrong website address starting with http instead of https, and this eventually may lead to the user being caught in an infinite authentication loop.
  • Simplified the nonce algorithm.

30th April 2018 / wp365-login / v3.11

  • Replaced array construct to remain compatible with older PHP versions.

26th April 2018 / wp365-login-premium / v1.6

  • Replaced the nonce algorithm to try and minimize “Your login has been tampered with” security warning
  • New WP_CONFIG setting WPO_NONCE_SECRET
  • Fixed error related to callback for destroy_wpo365_session action

26th April 2018 / wp365-login / v3.10

  • Replaced the nonce algorithm to try and minimize “Your login has been tampered with” security warning

24th April 2018 / wp365-login-premium / v1.5

  • Prevent email and password changes exclusively for Office 365 users only
  • Forward any manual login request from an Office 365 user to Microsoft
  • New WP_CONFIG settings WPO_CUSTOM_DOAMIN (string), WPO_DEFAULT_DOMAIN (string), WPO_INTERCEPT_WP_LOGIN (true|false) and WPO_GOTO_AFTER_SIGNON_URL (string)

17th April 2018 / wp365-login-premium / v1.4

  • Replaces a user’s default WordPress avatar with the Office 365 (O365) profile picture and caches it
  • New WP_CONFIG settings WPO_USE_AVATAR (true|false) and WPO_AVATAR_REFRESH (1296000)

15th April 2018 / wp365-login-premium / v1.3

  • Bug / Fixes

15th April 2018 / wp365-login-premium / v1.2

  • Added a configurable leeway time to account for clock skew when checking the id token validity
  • New WP_CONFIG setting WPO_LEEWAY (300)

15th April 2018 / wp365-login-premium / v1.1

  • Limit access by Office 365 or Azure AD Security Group (new WP_CONFIG setting WPO_GROUPS_WHITELIST)
  • Allow creating mappings between Office 365 or Azure AD Security Groups (new WP_CONFIG setting WPO_GROUP_MAPPINGS)

1st April 2018 / wp365-login-premium / v1.0

  • Initial version (based on wp365-login free version)