Solved bug existed due to difference between mailu domain and hostname difference. also refactored during this to find the bug

2025-08-16 14:29:07 +02:00
parent 1bed83078e
commit 0de26fa6c7
76 changed files with 543 additions and 487 deletions


@@ -3,12 +3,12 @@
# @see https://github.com/oidc-wp/openid-connect-generic/blob/develop/includes/openid-connect-dev-option-settings.php
oidc_settings:
client_id: "{{ oidc.client.id }}" # The client ID that identifies WordPress as the OIDC client.
client_secret: "{{ oidc.client.secret }}" # The secret key used by WordPress to authenticate to the OIDC provider.
endpoint_login: "{{ oidc.client.authorize_url }}" # URL of the authorization endpoint to initiate the login flow.
endpoint_token: "{{ oidc.client.token_url }}" # URL of the token endpoint for exchanging authorization codes for tokens.
endpoint_userinfo: "{{ oidc.client.user_info_url }}" # URL of the userinfo endpoint to retrieve user profile data.
endpoint_end_session: "{{ oidc.client.logout_url }}" # URL of the end-session endpoint to log users out of the IDP.
client_id: "{{ OIDC.CLIENT.ID }}" # The client ID that identifies WordPress as the OIDC client.
client_secret: "{{ OIDC.CLIENT.SECRET }}" # The secret key used by WordPress to authenticate to the OIDC provider.
endpoint_login: "{{ OIDC.CLIENT.AUTHORIZE_URL }}" # URL of the authorization endpoint to initiate the login flow.
endpoint_token: "{{ OIDC.CLIENT.TOKEN_URL }}" # URL of the token endpoint for exchanging authorization codes for tokens.
endpoint_userinfo: "{{ OIDC.CLIENT.USER_INFO_URL }}" # URL of the userinfo endpoint to retrieve user profile data.
endpoint_end_session: "{{ OIDC.CLIENT.LOGOUT_URL }}" # URL of the end-session endpoint to log users out of the IDP.
login_type: "auto" # Determines how the login interface is rendered (e.g., button or form).
scope: "openid profile email" # Scopes requested from the OIDC provider during authentication.
create_if_does_not_exist: true # Auto-create a new WP user if one doesnt exist.
@@ -16,14 +16,14 @@ oidc_settings:
link_existing_users: true # Link OIDC login to existing WP users by matching email.
redirect_on_logout: true # Redirect users after logout to the login screen or homepage.
redirect_user_back: true # Return users to their original URL after successful login.
#acr_values: "{{ oidc.client.acr_values | default('') }}" # ACR values defining required authentication context (e.g., MFA level).
#acr_values: "{{ OIDC.CLIENT.acr_values | default('') }}" # ACR values defining required authentication context (e.g., MFA level).
enable_logging: "{{ MODE_DEBUG }}" # Enable detailed plugin logging for debugging and auditing.
# log_limit: "{{ oidc.client.log_limit | default('') }}" # Maximum number of log entries to retain before pruning.
# log_limit: "{{ OIDC.CLIENT.log_limit | default('') }}" # Maximum number of log entries to retain before pruning.
no_sslverify: false # The flag to enable/disable SSL verification during authorization.
http_request_timeout: 5 # The timeout for requests made to the IDP. Default value is 5.
identity_key: "{{ oidc.attributes.username }}" # The key in the user claim array to find the user's identification data.
nickname_key: "{{ oidc.attributes.username }}" # The key in the user claim array to find the user's nickname.
email_format: "{{ oidc.attributes.email }}" # The key(s) in the user claim array to formulate the user's email address.
displayname_format: "{{ oidc.attributes.given_name }} {{ oidc.attributes.family_name }}" # The key(s) in the user claim array to formulate the user's display name.
identity_key: "{{ OIDC.ATTRIBUTES.USERNAME }}" # The key in the user claim array to find the user's identification data.
nickname_key: "{{ OIDC.ATTRIBUTES.USERNAME }}" # The key in the user claim array to find the user's nickname.
email_format: "{{ OIDC.ATTRIBUTES.EMAIL }}" # The key(s) in the user claim array to formulate the user's email address.
displayname_format: "{{ OIDC.ATTRIBUTES.GIVEN_NAME }} {{ OIDC.ATTRIBUTES.FAMILY_NAME }}" # The key(s) in the user claim array to formulate the user's display name.
identify_with_username: true # The flag which indicates how the user's identity will be determined.
state_time_limit: 180 # The valid time limit of the state, in seconds. Defaults to 180 seconds.
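Review bot: The two commented-out templates in the second hunk were renamed only halfway: `OIDC.CLIENT.acr_values` and `OIDC.CLIENT.log_limit` keep lowercase leaf keys, while every active reference now uses uppercase leaves (`OIDC.CLIENT.ID`, `OIDC.ATTRIBUTES.USERNAME`). Jinja2 lookups are case-sensitive and both lines end in `| default('')`, so if the variable dictionary defines only uppercase keys (its definition is not visible here), re-enabling `acr_values` would render an empty string and silently drop the required authentication context (e.g. the MFA level) instead of failing the play. Assuming the dictionary follows the same convention, I would write `#acr_values: "{{ OIDC.CLIENT.ACR_VALUES | default('') }}"` and `# log_limit: "{{ OIDC.CLIENT.LOG_LIMIT | default('') }}"`. For `acr_values` I would also consider dropping the `default('')`, so that a missing key surfaces as an undefined-variable error rather than a weaker login policy.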