Hey everyone,
After a week of troubleshooting, I managed to get the maicol07/flarum-ext-sso
extension working for JWT-based Single Sign-On between my main application and Flarum. I wanted to share the key fixes in case anyone else runs into similar issues:
Here are the main problems I encountered and how they were resolved:

1. **Missing `lcobucci/jwt` Dependency in Production:**

2. **Incorrect Signing Algorithm Resolution in `JWTSSOController.php`:**
* **Problem:** Even with the "Signing Method" set to `Sha256` in the Flarum SSO extension's admin settings, the `JWTSSOController.php` code failed to correctly instantiate the `Sha256` signer object. The `switch` statement (around line 95-105 in `vendor/maicol07/flarum-ext-sso/src/JWTSSOController.php`) responsible for selecting the signer based on the `$this->signing_algorithm` property (retrieved from settings) would result in the signer variable remaining `null`. This caused a `TypeError: Lcobucci\JWT\Configuration::forSymmetricSigner(): Argument #1 ($signer) must be of type Lcobucci\JWT\Signer, null given`.
* **Fix (Workaround):** To resolve this, I temporarily hardcoded the signer instantiation in `JWTSSOController.php` before the `Configuration::forSymmetricSigner()` call:
```php
// Inside public function handle(Request $request): ResponseInterface
// ...
// $signing_algorithm = null; // Original initialization
// switch ($this->signing_algorithm) { /* ... original switch ... */ }
// WORKAROUND: Directly instantiate the required signer
$signing_algorithm = new \Lcobucci\JWT\Signer\Hmac\Sha256();
$config = \Lcobucci\JWT\Configuration::forSymmetricSigner(
    $signing_algorithm, // Now $signing_algorithm is an object
    // ... rest of the config
);
// ...
```

This bypasses whatever issue was preventing the correct reading or matching of the "Sha256" setting string.
3. **Incorrect JWT Signing Key Loading with `lcobucci/jwt` v4+:**
* **Problem:** The extension was attempting to load the plain text "Signer key" (JWT secret) using `InMemory::base64Encoded(base64_encode($this->signer_key))`. For `lcobucci/jwt` v4+, if you have a plain text secret, this double encoding is incorrect and can lead to signature validation failures. The `base64Encoded()` method expects a key that is *already* Base64 encoded (e.g., a binary key that was Base64 encoded for storage).
* **Fix:** I modified the `Configuration::forSymmetricSigner()` call in `JWTSSOController.php` (around line 109-111) to use `InMemory::plainText()` for the signer key:
```php
// ...
$config = \Lcobucci\JWT\Configuration::forSymmetricSigner(
    $signing_algorithm, // This is new \Lcobucci\JWT\Signer\Hmac\Sha256(); from fix #2
    // InMemory::base64Encoded(base64_encode($this->signer_key)) // Original
    \Lcobucci\JWT\Signer\Key\InMemory::plainText($this->signer_key) // Corrected version
);
// ...
```

This ensures the plain text secret is handled correctly by the JWT library.
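To show fixes #2 and #3 together in one runnable piece, here is an added example that is not part of the original post and not the extension's own code: it resolves the signer from a settings string (tolerating case and whitespace differences, and failing loudly instead of leaving the signer `null`), loads the plain-text secret with `InMemory::plainText()`, then issues and verifies a token with the resulting configuration. It assumes `lcobucci/jwt` v4 is installed via Composer with the autoloader at `vendor/autoload.php`; the helper names (`resolveSigner`, `buildConfiguration`, `issueToken`, `verifyToken`), the `uid` claim, and the secret and issuer values are all constructed for the example.

```php
<?php
// Added example (not the extension's code). Assumes: composer require lcobucci/jwt:^4
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Hmac\Sha384;
use Lcobucci\JWT\Signer\Hmac\Sha512;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Token\Plain;
use Lcobucci\JWT\Validation\Constraint\IssuedBy;
use Lcobucci\JWT\Validation\Constraint\SignedWith;

/**
 * Map the admin "Signing Method" string to a signer object.
 * Normalising the value (trim + case-fold) means "sha256" or "Sha256 " still
 * resolve; an unknown value throws rather than silently leaving the signer null.
 */
function resolveSigner(string $setting): Signer
{
    switch (strtolower(trim($setting))) {
        case 'sha256':
        case 'hs256':
            return new Sha256();
        case 'sha384':
        case 'hs384':
            return new Sha384();
        case 'sha512':
        case 'hs512':
            return new Sha512();
        default:
            throw new InvalidArgumentException("Unsupported signing method: {$setting}");
    }
}

/**
 * Build the library configuration from the settings values.
 * plainText() takes the raw secret as stored in settings; base64Encoded()
 * expects a Base64 string and decodes it before use.
 */
function buildConfiguration(string $signingMethod, string $secret): Configuration
{
    if ($secret === '') {
        throw new InvalidArgumentException('Signer key must not be empty');
    }
    return Configuration::forSymmetricSigner(resolveSigner($signingMethod), InMemory::plainText($secret));
}

/** Issue a short-lived token carrying the user id (constructed "uid" claim). */
function issueToken(Configuration $config, string $issuer, int $userId, DateTimeImmutable $now): string
{
    return $config->builder()
        ->issuedBy($issuer)
        ->issuedAt($now)
        ->expiresAt($now->modify('+5 minutes'))
        ->withClaim('uid', $userId)
        ->getToken($config->signer(), $config->signingKey())
        ->toString();
}

/**
 * Verify signature, issuer and expiry; return the user id or null on any failure.
 * Parsing errors (malformed token) are treated the same as a bad signature.
 */
function verifyToken(Configuration $config, string $issuer, string $jwt, DateTimeImmutable $now): ?int
{
    try {
        $token = $config->parser()->parse($jwt);
    } catch (Exception $e) {
        return null;
    }
    if (!$token instanceof Plain) {
        return null;
    }
    $ok = $config->validator()->validate(
        $token,
        new SignedWith($config->signer(), $config->signingKey()),
        new IssuedBy($issuer)
    );
    if (!$ok || $token->isExpired($now)) {
        return null;
    }
    return (int) $token->claims()->get('uid');
}

// Constructed values; a real deployment reads these from the extension settings.
$secret = 'replace-with-a-long-random-secret-of-at-least-32-bytes';
$issuer = 'https://app.example';
$now = new DateTimeImmutable();

$config = buildConfiguration('Sha256', $secret);
$jwt = issueToken($config, $issuer, 42, $now);
var_dump(verifyToken($config, $issuer, $jwt, $now));

// A verifier configured with a different secret must reject the same token.
$other = buildConfiguration('Sha256', 'a-different-secret-that-is-also-long-enough-to-use');
var_dump(verifyToken($other, $issuer, $jwt, $now));
```

The point of the second `var_dump` is the check worth keeping around when debugging an SSO setup: both sides must derive exactly the same key bytes from the stored secret, so a mismatch in how the key is loaded shows up as a signature failure rather than an obvious configuration error.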
Hopefully, these details help anyone else trying to set up JWT SSO with this extension!