WordPress is set up here as SSO provider through the WP-Discourse plugin and in certain edge cases, we have to log out users to ensure consistency between their group assignment etc.
When a user can’t get hold of what we’re talking about, we take the route of logging out their session through wordpress admin. This does not log them out of discourse however.
Is there a way we can plug a discourse logout signal in WordPress through a function or something that could make this happen?
Do you know if there’s a WordPress action that is called when you log the user out through the WordPress admin? The WP Discourse plugin hooks into the clear_auth_cookie action to sync user initiated logouts between WordPress and Discourse. Maybe there’s another action that could be used for this that would also work when the user is logged out by a site admin.
I’ll do a bit of digging in this and get back to you.
I’d suspect it’s using the wp_ajax_destroy_sessions function and doing some session token wizardry in $sessions->destroy_all(); How to hook clear_auth_cookie in this function?
I think that is the function that’s being used.
I had a quick look through the WordPress code and am not seeing an obvious way of getting this to work. If this is not an action that you are performing very often, Discourse admins can log users out of Discourse by clicking the “Logout” button that’s displayed near the top of the user’s admin page. To force users to log back in via SSO, you could manually log the user out of Discourse, and then log them out of WordPress.
I’ll give that a shot, I may bump this topic again in a couple months if this strategy goes south.