We are happy to tell you about our latest update to our WPO365-login plugin since we realized that we could get rid of some cookies. Instead, we now simply rely a bit more on WordPress.
Our plugin basically sits in the middle between your Office 365 tenant that is protected by Azure Active Directory and your WordPress corporate intranet or internet site that basically is protected by, ehm … itself! And since both are pretty good at this there is no reason for our plugin to do any of this itself. By no means! It should simply sit there and check for each page requested by a user whether the user is logged on to WordPress and if not decide to get help from Azure Active Directory or not. For that still some temporary cookies are needed (for example to make sure that the request was not tampered with). But once a user has successfully authenticated him or herself with Azure Active Directory there is no need to store user data in a cookie of our own.
We also added a hook to the plugin that can be used by other plugins to programmatically get additional access tokens from Azure Active Directory e.g. to request data from SharePoint Online for displaying on WordPress pages. We will soon publish a simple reference project to show you how this can be done.
Let us know if you have any questions or when the update is not working for you. Check our Support page to see how you can get in touch with us.