Don’t try bypassing (server side) cache

Version Available
Basic (free) Yes
Professional Yes
Premium Yes

Properties Value
Group Miscellaneous
Mandatory No

TL;DR

The setting “Don’t try to bypass (server side) cache” is not checked by default. By default, therefore, the plugin always adds an extra redirect before sending the user to Microsoft’s Identity Provider. This prevents caching plugins and solutions from replaying an old request with a stale NONCE value, which results in the dreaded “Your login might be tampered with.” error message. If you haven’t been affected by this issue, you can open the Miscellaneous tab and check the box, which manually stops the plugin from trying to bypass server side caching.

Description

So-called server side caching can be added to your website either by you (through plugins such as WP Rocket, W3 Total Cache or WP Super Cache) or by your hoster. This, however, presented the plugin with a problem. When server side caching is enabled (and it’s important to distinguish this from client side / browser caching), the server “remembers” the output produced by a PHP script / page. Instead of processing the page, the cache short-circuits the page’s processing and sends the output as it remembered it from the very first time the page was processed (at least since the cache was purged).

The output produced by the WordPress + Office 365 plugin, as you probably know by now, is a redirect to Microsoft’s so-called Identity Provider (where you as a user can authenticate yourself), which in turn sends you back to your website. Unfortunately, the cache “remembers” the redirect and uses the exact same redirect URL each time a user who has not already authenticated successfully navigates to the page.

This is very unfortunate, because the redirect URL contains a so-called NONCE (= Number used Once) that Microsoft sends back to the website along with the user’s identity information once the user has authenticated successfully. When the plugin receives this information, it tests the NONCE value to make sure that an old request isn’t “hijacked” by someone with bad intentions who would like to break into your website. But (I’m sure you now understand what is coming) the NONCE value is no longer valid, because it has become stale by now, and hence the plugin rejects the login attempt.

To work around this, the plugin has now been updated as follows. On the Miscellaneous tab you’ll find a new setting, “Don’t try to bypass (server side) cache”. When it is checked, the plugin does nothing to prevent a cache (if any) from interfering with requests to Microsoft’s Identity Provider. When it is not checked (now the default setting), the plugin does not redirect the user immediately to Microsoft’s Identity Provider. Instead, it redirects the user to your WordPress Admin, e.g. https://www.yourwebsite.com/wp-admin/?redirect_to=https://www.yourwebsite.com/the-page-you-tried-to-load-initially, because most caching plugins and solutions only cache WordPress posts and pages but not content under /wp-admin. The plugin then detects that a user is trying to access the /wp-admin admin area, also detects the redirect_to information, and understands that this request should be redirected to Microsoft’s Identity Provider. This way, caching is bypassed. This solution has now been successfully tested on various “known” hosters, e.g. dreamhost.com and wpengine.com.
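The stale-NONCE failure and the /wp-admin detour described above can be reproduced with a small model. This is an added Python example, not the plugin's own code: the `Site` class, the `login` helper, the `idp.example` URL and the per-session, single-use storage of the nonce are all assumptions made for illustration.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

IDP = "https://idp.example/authorize"  # placeholder, not Microsoft's endpoint

class Site:
    """Toy model: a site whose pages sit behind a server side page cache."""

    def __init__(self, bypass_cache):
        self.bypass_cache = bypass_cache  # True = setting left unchecked
        self.page_cache = {}              # path -> remembered redirect target
        self.pending = {}                 # session -> nonce (assumed storage)

    def _redirect_to_idp(self, session):
        nonce = secrets.token_urlsafe(16)
        self.pending[session] = nonce     # remembered until the callback
        return IDP + "?" + urlencode({"nonce": nonce})

    def _render(self, session, path):
        # What the page's code would produce if it actually ran.
        if path.startswith("/wp-admin") or not self.bypass_cache:
            return self._redirect_to_idp(session)
        return "/wp-admin/?" + urlencode({"redirect_to": path})

    def get(self, session, path):
        """Redirect target returned to an unauthenticated visitor."""
        cacheable = not path.startswith("/wp-admin")
        if cacheable and path in self.page_cache:
            return self.page_cache[path]  # cache hit: no code runs, no new nonce
        location = self._render(session, path)
        if cacheable:
            self.page_cache[path] = location
        return location

    def callback(self, session, nonce):
        """Single-use check of the nonce sent back by the Identity Provider."""
        expected = self.pending.pop(session, None)
        return expected is not None and secrets.compare_digest(expected, nonce)

def login(site, session, path="/members"):
    """Follow the redirects for one visitor; True if the nonce check passes."""
    location = site.get(session, path)
    if location.startswith("/wp-admin"):
        location = site.get(session, location)  # uncached hop
    nonce = parse_qs(urlparse(location).query)["nonce"][0]
    return site.callback(session, nonce)
```

With `Site(bypass_cache=False)` the first visitor logs in, but every later `login` call returns `False` because the cached redirect still carries the first visitor's nonce. With `Site(bypass_cache=True)` only the harmless hop to /wp-admin is cached, so each visitor receives a fresh nonce.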