Restore local plugin translations. Props julienlusson for discovering the problem!
Fix OIDC logins on Okta (add “Force auth method” option to Authorizer settings and set to client_secret_post). Props @rmarks for the troubleshooting!
Show “Logout redirect URI” in OIDC configuration (in case the provider needs that set).
Fix various small issues reported by Plugin Check.
3.14.2
Force asset reload (for WordPress 7.0 style fixes).
3.14.1
Fix login button text alignment in WordPress 7.
Admin style fixes for WordPress 7 (settings page and dashboard widget).
Tested up to WordPress 7.
3.14.0
Fix error on Google and OAuth2 logins from an unsupported domain (when configured to only allow specific domain(s) to log in). Props dbnschools for the bug report!
Drop support for PHP 7.2, 7.4, and 8.0. PHP 8.1 or higher is now required (due to dependency requirements).
Avoid using emails as usernames as a fallback when creating a user with a username that already exists. Prefer appending a digit (2-9) after the username, and fall back to a UUID (v4) if username[2-9] all already exist.
Allow LDAP logins using email address (as an alternative to username) if the “LDAP attribute containing email address” config option is set.
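The username fallback order described in this release (plain username, then username2 through username9, then a version-4 UUID), as an added example that is not Authorizer's own code. The function names, the injected existence check (standing in for a lookup such as WordPress's username_exists()) and the sample usernames are assumptions for illustration.

```php
<?php
// Added example, not Authorizer's code. The existence check is passed in as a
// callable so the sketch runs on its own, outside WordPress.

/** Random version-4 UUID built from 16 bytes of CSPRNG output. */
function example_uuid4(): string {
	$bytes    = random_bytes( 16 );
	$bytes[6] = chr( ( ord( $bytes[6] ) & 0x0f ) | 0x40 ); // Version 4 nibble.
	$bytes[8] = chr( ( ord( $bytes[8] ) & 0x3f ) | 0x80 ); // RFC 4122 variant bits.
	return vsprintf( '%s%s-%s-%s-%s-%s%s%s', str_split( bin2hex( $bytes ), 4 ) );
}

/** Pick a login name without ever falling back to the email address. */
function example_pick_username( string $wanted, callable $exists ): string {
	if ( ! $exists( $wanted ) ) {
		return $wanted;
	}
	foreach ( range( 2, 9 ) as $suffix ) {
		if ( ! $exists( $wanted . $suffix ) ) {
			return $wanted . $suffix;
		}
	}
	// username and username2..username9 are all taken.
	return example_uuid4();
}

// Constructed sample data: three names already exist.
$taken  = array( 'jdoe', 'jdoe2', 'jdoe3' );
$exists = static fn( string $name ): bool => in_array( $name, $taken, true );
echo example_pick_username( 'jdoe', $exists ), PHP_EOL;

// Constructed worst case: every candidate exists, so a UUID is returned.
$all_taken = static fn( string $name ): bool => true;
echo example_pick_username( 'jdoe', $all_taken ), PHP_EOL;
```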
3.13.4
Performance: only autoload plugin options used on every page. The change will take effect the next time the specific option is updated (e.g., the list of Approved Users). Props @raalknz for the suggestion!
Restore original redirectUri (omit id=1 param) for already-configured OAuth2 servers. This fixes existing clients breaking because the redirectUri no longer matches after updating to Authorizer 3.12.1. Props mdebski for the report!
3.12.0
Released Tue Nov 18, 2025.
Add setting to send pending user notification emails to individual users (instead of using the setting to send to all users in a role). Props lc-sam for the suggestion!
Add ability to define multiple configured OAuth2 endpoints (details).
Add ability to define the messages pending and blocked users see after logging in, and the message anonymous users see when visiting public pages on a private site, via filters (authorizer_login_message_pending_users, authorizer_login_message_blocked_users, and authorizer_message_anonymous_users) or wp-config.php constants (define( 'AUTHORIZER_LOGIN_MESSAGE_PENDING_USERS', '…' );, define( 'AUTHORIZER_LOGIN_MESSAGE_BLOCKED_USERS', '…' );, and define( 'AUTHORIZER_MESSAGE_ANONYMOUS_USERS', '…' );) to, e.g., allow a single custom message to be used on all sites in a multisite network. Props @monkeyleo13 for the suggestion!
Add Simple History logging on CAS authentication errors.
Add logging (Simple History, and error_log) on OAuth2 authentication errors.
Move OAuth2/Google/CAS/LDAP settings into separate tabs.
Fix redirect_to param discarded by some OAuth2 (generic) servers.
Fix typo in bypass usernames.
Tested up to WordPress 6.8.
3.11.0
Fix for loading translations too early in WordPress 6.7.
Add $user param to authorizer_automatically_approve_login hook; can be used to inspect the roles of the logging in user if they already have a WordPress user account.
Disable Cloudflare Turnstile verification after a successful authentication provided by the simple-cloudflare-turnstile plugin. We assume we don’t need bot protection from this plugin after coming back from a successful external service authentication.
Allow defining approved user welcome email subject and body via filters (authorizer_email_approved_users_subject and authorizer_email_approved_user_body) or wp-config.php constants (define( 'AUTHORIZER_EMAIL_APPROVED_USERS_SUBJECT', '…' ); and define( 'AUTHORIZER_EMAIL_APPROVED_USER_BODY', '…' );) to, e.g., allow a single custom message to be used on all sites in a multisite network. Props @monkeyleo13 for the suggestion!
Allow defining custom branding option via filter (authorizer_advanced_branding) or constant (define( 'AUTHORIZER_ADVANCED_BRANDING', '…' );). Props oldfieldtc for the request!
Allow specifying multiple roles to add and remove in the authorizer_custom_role filter by returning an array with keys 'default_role', 'roles_to_add', and 'roles_to_remove'. Props nick-perry14 for the pull request! (Note: you can also define additional roles in the authorizer_custom_roles_to_add and authorizer_roles_to_remove filters.)
Allow specifying a list of “bypass users” who can log in with their WordPress credentials even if Disable WordPress Logins has been checked. Useful if most accounts are authenticated with an external service, but certain accounts, like temporary vendors or new hires, are not able to authenticate with an external service. Props lc-sam for the request!
Update helper text for OAuth Resource Owner URL. Props howardshand for the suggestion!
Hotfix for CAS logins broken if new settings not saved.
3.10.0
Allow multiple configured CAS endpoints (details).
Allow fetching username and email from custom attributes in OAuth2 (generic) external service.
Add OAuth2 (generic) options for syncing first and last names from external service.
Force Google Logins to use FedCM to support upcoming removal of third-party cookies in Chromium browsers. Props faeldray for the report!
Revert WPML fix from 2017 for displaying categories in the Private Pages list in the Public Access tab of Authorizer settings. Props tlebars for the report!
Update French translations. Props @julienlusson!
Add $user param to authorizer_custom_role hook; can be used to inspect the roles of the logging in user if they already have a WordPress user account.
Fix for global $wp_roles unavailable in some multisite contexts leading to a fatal error.
Update French translations. Props @julienlusson!
3.9.0
Tested up to WordPress 6.6.
Fix ldap_connect() deprecation notice in PHP 8.3. Props @svyatoslavnetrunner for the code!
Trim whitespace from Google Client ID and Secret. Props @JSLittlefield for the suggestion!
Allow defining Google Client ID and OAuth2 Client ID via filters (authorizer_google_client_id and authorizer_oauth2_client_id) or wp-config.php constants (define( 'AUTHORIZER_GOOGLE_CLIENT_ID', '…' ); and define( 'AUTHORIZER_OAUTH2_CLIENT_ID', '…' );) to support integrations with third-party secrets managers (or simply to keep the secrets out of the database in plaintext). Client Secrets were already added in version 3.6.1; this update adds filters and constants for the Client IDs. Props @nks04747 for the suggestion!
Fix Google/LDAP/OAuth2 secrets fields not hiding in Authorizer Settings if overridden by a filter or constant, and the external service is disabled.
Fix warning about duplicate DOM IDs in Authorizer Settings.
Fix database migrations re-running in complex multisite multi-network setups. Props @mpemburn for the research (and endurance) to discover the root cause!
3.8.4
Update French translations. Props @julienlusson!
Fix TinyMCE settings fields sometimes uneditable. Props dorianborovina for the detailed bug report!
Block the WordPress lost password endpoint if Authorizer is configured to disable WordPress logins. Props @manakuke for the discovery!
Allow immediately showing OAuth2 login form if it’s the only external service enabled and WordPress logins are hidden (e.g., skip showing the “Log In with OAuth2” button on wp-login.php). Props @dblas for the suggestion!
Generate performant translations from .mo files. See: https://make.wordpress.org/core/2024/02/27/i18n-improvements-6-5-performant-translations/
Fix role change in authorizer_custom_role filter not synced to approved list. Props mdebski for the issue and research!
Fix duplicate delete option during uninstall routine.
Fix unneeded role dropdown for blocked users (since blocked users get their roles removed, this was causing PHP warnings on checking strlen() on the null role value).
Tested up to WordPress 6.5.3.
3.7.1
Replace jquery.multi-select composer dependency with local copy (since the composer package was removed). Props @julienlusson for the catch!
3.7.0
Drop support for PHP 7.2 and 7.3. Minimum PHP version is now 7.4 (due to google-api-php-client requirements).
Simple History now logs a different message if the global lockout is triggered on a nonexistent user. Props @TuringTux for the pull request!
Update French translations. Props @julienlusson!
Fix incrementing the wrong failed login counter if failed login used an email address instead of a username. Now the specific user counter is incremented instead of the global/nonexistent user counter. Props @TuringTux for the report and investigation!
Fix for PHP warning when viewing admin pages in Pressbooks.
Fix for PHP warning about missing ldap_test_user setting on some multisite installs.
Remove old jQuery library from multi-select package (has XSS vulnerabilities).
Fix: Remove private pages from search results and archives if visitor is an anonymous user and site is configured to only allow logged in users to see the site. Props @ramrajone for the bug report!
Fix: Allow minor clock drift (30s) between the WordPress server and Google’s server when processing Google logins.
Tested up to WordPress 6.2.
3.6.2
Performance tweaks during Authorizer updates on large multisites.
Ensure lockout values are integers for invalid login attempts (PHP 8 compatibility).
Check for existence of super admin roles before adding super admin to approved list on multisite activation.
Update French translations. Props @julienlusson!
Allow defining LDAP Directory User and Password via filters (authorizer_ldap_user and authorizer_ldap_password) or wp-config.php constants (define( 'AUTHORIZER_LDAP_USER', '…' ); and define( 'AUTHORIZER_LDAP_PASSWORD', '…' );) to support integrations with third-party secrets managers (or simply to keep the secrets out of the WordPress database).
Allow authorizer_custom_role filter on admin logins.
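One way to use the secret filters so that credentials come from the process environment instead of the WordPress database, as an added example that is not part of Authorizer. The filter names are the ones listed in this changelog; the environment variable names, the file name, and the assumption that each filter receives the stored value as its first argument are illustrative.

```php
<?php
/**
 * Plugin Name: Authorizer secrets from environment (added example)
 *
 * Added example, not part of Authorizer. Intended as a must-use plugin,
 * e.g. wp-content/mu-plugins/authorizer-secrets.php (hypothetical file name).
 * The EXAMPLE_* environment variable names are hypothetical.
 */

$example_secret_sources = array(
	'authorizer_ldap_user'            => 'EXAMPLE_LDAP_BIND_USER',
	'authorizer_ldap_password'        => 'EXAMPLE_LDAP_BIND_PASSWORD',
	'authorizer_google_client_secret' => 'EXAMPLE_GOOGLE_CLIENT_SECRET',
	'authorizer_oauth2_client_secret' => 'EXAMPLE_OAUTH2_CLIENT_SECRET',
);

foreach ( $example_secret_sources as $filter_name => $env_name ) {
	add_filter(
		$filter_name,
		// Assumption: the first filter argument is the value Authorizer
		// would otherwise use (the setting saved in the database).
		static function ( $stored_value ) use ( $filter_name, $env_name ) {
			$secret = getenv( $env_name );
			if ( false === $secret || '' === $secret ) {
				// Log the variable name only, never the secret itself.
				error_log( "{$filter_name}: {$env_name} is not set; keeping stored value." );
				return $stored_value;
			}
			// Strip only a trailing newline, which secret files often carry.
			return rtrim( $secret, "\r\n" );
		}
	);
}
```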
3.6.1
Allow defining Google Client Secret and OAuth2 Client Secret via filters (authorizer_google_client_secret and authorizer_oauth2_client_secret) or wp-config.php constants (define( 'AUTHORIZER_GOOGLE_CLIENT_SECRET', '…' ); and define( 'AUTHORIZER_OAUTH2_CLIENT_SECRET', '…' );) to support integrations with third-party secrets managers (or simply to keep the secrets out of the database in plaintext).
Handle arrays in CAS attribute for first/last name.
Fix: conflict with W3 Total Cache (when using Azure CDN provider that uses an older guzzlehttp library). Check status
Fix: only clean up Google session on logout if it exists.
Fix: Remove all plugin options in database upon deletion/uninstall.
Fix: Handle Google login error triggered when a stale browser window sends a login request.
Add LDAP connection test feature (under LDAP settings).
Update translatable strings.
Update French translations. Props @julienlusson!
Add settings icon to dashboard widget header.
Better styling in dashboard widget.
Remove “Local WordPress user” icon from Approved User list (uninformative).
Small coding standards fixes.
3.2.2
Fix PHP warning when anonymous users browse a restricted site.
Only load authorizer-public.js when necessary (when site is configured so only logged in users can view the site, current user does not have access, and anonymous users should be shown a message). Props @flim0 for the catch!
3.2.1
Fix generic OAuth2 connector unable to create username from email. Props @abnerjacobsen for the bug report!
Redirect to home page after logging in if using custom login url via the WPS Hide Login plugin. Props @wixaw for the report.
3.2.0
Tested up to WordPress 5.8.
Authorizer now requires PHP 7.2.5 or higher to support its dependencies. See: this and this if you are running an outdated version of PHP.
Fix for PHP versions below 7.3 (array_key_last() is not available for older PHP versions and was added in the last update). Props @ianchan-1 for reporting the issue!
Add LDAP Search Filter to plugin settings. Props @hbjusa for the pull request!
Add [authorizer_login_form] shortcode. Props @shredderwoods and @hilfans for the suggestions!
3.1.2
Fix PHP warnings about uninitialized oauth2_hosteddomain option.
3.1.1
Update French translations. Props @julienlusson!
Note: the next minor version of Authorizer, 3.2, will drop support for PHP 5.6 in order to stay current with phpCAS releases, which now require a minimum of PHP 7.0.
3.1.0
Note: the next minor version of Authorizer, 3.2, will drop support for PHP 5.6 in order to stay current with phpCAS releases, which now require a minimum of PHP 7.0.
Update phpCAS dependency from 1.3.8 to 1.3.9.
Allow restricting OAuth2 logins to a specific domain (of the email address of users authenticating).
Update oauth2-azure dependency from 2.0.0 to 2.0.1.
Update Google APIs Client Library for PHP dependency from 2.8.3 to 2.9.2.
Update Google PHP API Client Services dependency from 0.156 to 0.201.0.
Fix PHP errors causing authorizer.js and some vendor assets not to load on network admin. Props @julienlusson for finding this bug!
3.0.2
Add tenant-specific configuration option to Microsoft Azure OAuth2 provider.
3.0.1
Add Microsoft Azure OAuth2 provider.
Updated French translations. Props @julienlusson for the pull request!
3.0.0
Authenticate with more providers via OAuth2. Let us know if you have any troubles integrating your OAuth2 provider.
Add filter authorizer_oauth2_generic_authorization_parameters for targeting the specifics of generic OAuth2 providers. Provide an array with options, such as array( 'scope' => 'user:email' ), to customize your generic OAuth2 provider.
Add filter authorizer_oauth2_generic_authenticated_email for manually inspecting the results returned from the OAuth2 provider to find the resource owner's email to give to WordPress for the authenticated user. Use this for OAuth2 providers that release email addresses in nonstandard places.
Fix first/last names not getting updated for admins on a CAS or LDAP login.
Fix PHP warning if invalid login attempt settings are empty (also prevent the “Authorizer lockout triggered for 0 seconds on user after the 0th invalid attempt” simple history log message).
Fix update usermeta button disappearing in Approved Users list after clicking it.
Fix serialization of usermeta in Approved Users list for unregistered users.
Remove bootstrap dependency (replace glyphicons with WordPress dashicons).