
Connection: sso broker redirect #47492

Open
bindlegirl wants to merge 3 commits into trunk from add/sso-broker-redirect

Conversation

@bindlegirl (Contributor) commented Mar 6, 2026

When CIAB stores use Jetpack SSO, the redirect currently always goes to wordpress.com, which authenticates using the browser's WP.com session cookie. This can cause account mismatches when the MSD (my.woo.ai) uses OAuth — a merchant can be logged into the MSD as Account A but have a stale WP.com cookie for Account B.

This PR adds support for an external SSO broker URL. When WP.com returns a broker_url in the jetpack.sso.requestNonce XML-RPC response (for CIAB sites), the SSO redirect goes to that broker instead of wordpress.com. The broker (MSD) then authorizes via its OAuth session and redirects back. The existing handle_login / validateResult flow is unchanged.

Related CONNECT-191

Proposed changes:

  • request_initial_nonce() handles both string and array responses from WP.com
  • Broker URL cached in a server-side transient (not a cookie) to prevent browser-side tampering
  • build_sso_url() and build_reauth_and_sso_url() use the broker URL when available
  • Broker host dynamically added to allowed_redirect_hosts with HTTPS validation
  • Transient cleaned up on login and disconnect
  • Non-CIAB sites are completely unaffected (WP.com returns a plain string, existing behavior)

Other information:

  • Have you written new tests for your changes, if applicable?
  • Have you checked the E2E test CI results, and verified that your changes do not break them?
  • Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

Does this pull request change what data or activity we track or use?

Testing instructions:

  • Go to '..'

Changelog

  • Generate changelog entries for this PR (using AI).
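An added example (not code from the PR or from Jetpack) that sketches in plain PHP the checks described above: a broker URL is accepted only when it is an https string with a host, both reply shapes of jetpack.sso.requestNonce are handled with an array lacking a nonce treated as an error rather than falling through, and the accepted host is appended to the allowed redirect hosts. The function names and sample replies are assumptions for the sketch.

```php
<?php
// Added example, not the PR's code: plain-PHP sketch of the checks the PR describes
// (https-only broker URL, both nonce reply shapes, allowed redirect host). Names assumed.
// Accept only a string https URL with a non-empty host; everything else is rejected.
function validate_broker_url( $candidate ) {
    if ( ! is_string( $candidate ) || '' === $candidate ) {
        return false;
    }
    $parts = parse_url( $candidate );
    if ( false === $parts || 'https' !== strtolower( $parts['scheme'] ?? '' ) || empty( $parts['host'] ) ) {
        return false;
    }
    return $candidate;
}

// Both jetpack.sso.requestNonce reply shapes: plain nonce string (non-CIAB) or
// [ 'nonce' => ..., 'broker_url' => ... ] (CIAB); an array without a usable nonce -> null.
function parse_sso_nonce_response( $reply ) {
    if ( is_string( $reply ) ) {
        return array( 'nonce' => $reply, 'broker_url' => false );
    }
    if ( is_array( $reply ) && ! empty( $reply['nonce'] ) && is_string( $reply['nonce'] ) ) {
        return array(
            'nonce'      => $reply['nonce'],
            'broker_url' => validate_broker_url( $reply['broker_url'] ?? null ),
        );
    }
    return null;
}

// allowed_redirect_hosts-style filter: add the broker host so wp_safe_redirect() may target it.
function allowed_redirect_hosts( array $hosts, $broker_url ) {
    $host = $broker_url ? parse_url( $broker_url, PHP_URL_HOST ) : null;
    if ( $host && ! in_array( $host, $hosts, true ) ) {
        $hosts[] = $host;
    }
    return $hosts;
}
$samples = array( // constructed replies, not real WP.com output
    'plain string' => 'abc123',
    'https broker' => array( 'nonce' => 'abc123', 'broker_url' => 'https://broker.example/sso' ),
    'http broker'  => array( 'nonce' => 'abc123', 'broker_url' => 'http://broker.example/sso' ),
    'no nonce'     => array( 'broker_url' => 'https://broker.example/sso' ),
);
foreach ( $samples as $label => $reply ) {
    $parsed = parse_sso_nonce_response( $reply );
    // SSO base: the accepted broker, else wordpress.com (the existing behaviour).
    $base   = $parsed ? ( $parsed['broker_url'] ?: 'https://wordpress.com' ) : 'rejected: no nonce';
    $hosts  = allowed_redirect_hosts( array( 'wordpress.com' ), $parsed['broker_url'] ?? false );
    printf( "%-12s -> %s (hosts: %s)\n", $label, $base, implode( ',', $hosts ) );
}
```

Only the "https broker" sample ends up redirecting through the broker and adding its host; the http and host-less cases fall back to wordpress.com.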

github-actions bot (Contributor) commented Mar 6, 2026

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack or WordPress.com Site Helper), and enable the add/sso-broker-redirect branch.
  • To test on Simple, run the following command on your sandbox:
bin/jetpack-downloader test jetpack add/sso-broker-redirect
bin/jetpack-downloader test jetpack-mu-wpcom-plugin add/sso-broker-redirect

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

github-actions bot (Contributor) commented Mar 6, 2026

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  • ✅ Add testing instructions.
  • ✅ Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖


Follow this PR Review Process:

  1. Ensure all required checks appearing at the bottom of this PR are passing.
  2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
  3. You can use GitHub's Reviewers functionality to request a review.
  4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

@github-actions github-actions bot added the [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. label Mar 6, 2026
@jp-launch-control

Code Coverage Summary

Coverage changed in 2 files.

File | Coverage | Δ% | Δ Uncovered
projects/packages/connection/src/sso/class-sso.php | 14/601 (2.33%) | 2.33% | 4 💔
projects/packages/connection/src/sso/class-helpers.php | 64/103 (62.14%) | 2.95% | -1 💚


If appropriate, add one of these labels to override the failing coverage check:

  • Covered by non-unit tests: use to ignore the Code coverage requirement check when E2Es or other non-unit tests cover the code.
  • Coverage tests to be added later: use to ignore the Code coverage requirement check when tests will be added in a follow-up PR.
  • I don't care about code coverage for this PR: use this label to ignore the check for insufficient code coverage.

@bindlegirl bindlegirl marked this pull request as ready for review March 6, 2026 18:46
@bindlegirl bindlegirl requested a review from a team as a code owner March 6, 2026 18:46
Copilot AI review requested due to automatic review settings March 6, 2026 18:46
Copilot AI (Contributor) left a comment


Pull request overview

Adds support in the Jetpack Connection SSO flow to redirect through an external SSO broker (e.g., MSD for CIAB stores) when WP.com returns a broker_url in the jetpack.sso.requestNonce XML-RPC response, while keeping the existing validate/login flow unchanged.

Changes:

  • Extend request_initial_nonce() to handle both string and { nonce, broker_url } responses and cache broker_url server-side in a transient.
  • Route build_sso_url() / build_reauth_and_sso_url() through the broker when available via a new get_sso_base_url() helper.
  • Allow broker host in allowed_redirect_hosts, and add PHPUnit coverage for broker URL behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File | Description
projects/packages/connection/src/sso/class-sso.php | Parses broker URL from XML-RPC response, caches it in a transient, and uses it as the SSO base URL when present; clears transient on login/disconnect.
projects/packages/connection/src/sso/class-helpers.php | Adds the broker host to allowed_redirect_hosts so wp_safe_redirect() can target the broker domain.
projects/packages/connection/tests/php/sso/SSO_Broker_Test.php | New tests for broker transient validation, base URL selection, allowed redirect hosts behavior, and transient cleanup.
projects/packages/connection/changelog/add-sso-broker-redirect | Changelogger entry documenting the added broker redirect capability.


Comment on lines +768 to +786
$response = $xml->getResponse();

// The response may be a plain nonce string (default) or an associative
// array containing 'nonce' and 'broker_url' for sites that use an
// external SSO broker (e.g. CIAB stores).
if ( is_array( $response ) && isset( $response['nonce'] ) ) {
$nonce = sanitize_key( $response['nonce'] );

if ( ! empty( $response['broker_url'] ) ) {
$broker_url = esc_url_raw( $response['broker_url'] );
$url_parts = wp_parse_url( $broker_url );

if ( $url_parts && 'https' === ( $url_parts['scheme'] ?? '' ) ) {
set_transient( self::BROKER_URL_TRANSIENT, $broker_url, 10 * MINUTE_IN_SECONDS );
}
}
} else {
$nonce = sanitize_key( $response );
}
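Review bot: the check `if ( $url_parts && 'https' === ( $url_parts['scheme'] ?? '' ) )` verifies the scheme only, so a value with no host would still be written to the transient; require a non-empty `host` from wp_parse_url() before set_transient(). Since get_broker_url() repeats the same scheme test on read-back, put both checks in one private validator so the rule applied when storing and the rule applied when reading cannot drift apart.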

Copilot AI Mar 6, 2026


request_initial_nonce() assumes that any array response from jetpack.sso.requestNonce will include a nonce. If WP.com ever returns an array without nonce, the code falls through to sanitize_key( $response ) (array input) or leaves $nonce unset, which can cause PHP errors and set an invalid cookie. Handle the is_array( $response ) case explicitly: if nonce is missing/empty, return a WP_Error (and avoid calling sanitize_key on a non-string).

Comment on lines +781 to +785
set_transient( self::BROKER_URL_TRANSIENT, $broker_url, 10 * MINUTE_IN_SECONDS );
}
}
} else {
$nonce = sanitize_key( $response );

Copilot AI Mar 6, 2026


When jetpack.sso.requestNonce returns a plain string (non-CIAB), the broker transient is never cleared. That means an old broker_url can remain in jetpack_sso_broker_url and continue to redirect users through the broker even when WP.com no longer returns one. Consider explicitly calling delete_transient( self::BROKER_URL_TRANSIENT ) when the response is not the { nonce, broker_url } shape, and also when broker_url is present but fails HTTPS/URL validation.

Suggested change
set_transient( self::BROKER_URL_TRANSIENT, $broker_url, 10 * MINUTE_IN_SECONDS );
}
}
} else {
$nonce = sanitize_key( $response );
set_transient( self::BROKER_URL_TRANSIENT, $broker_url, 10 * MINUTE_IN_SECONDS );
} else {
delete_transient( self::BROKER_URL_TRANSIENT );
}
} else {
delete_transient( self::BROKER_URL_TRANSIENT );
}
} else {
$nonce = sanitize_key( $response );
delete_transient( self::BROKER_URL_TRANSIENT );
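Review bot: the suggested change repeats `delete_transient( self::BROKER_URL_TRANSIENT );` in three separate else branches. Deleting the transient once before the is_array() test and calling set_transient() only on the fully validated path gives the same end state with a single call and leaves no branch that can be missed when the validation is extended later.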

Comment on lines +811 to +825
public static function get_broker_url() {
$broker_url = get_transient( self::BROKER_URL_TRANSIENT );

if ( ! $broker_url ) {
return false;
}

$url_parts = wp_parse_url( $broker_url );
if ( ! $url_parts || 'https' !== ( $url_parts['scheme'] ?? '' ) ) {
delete_transient( self::BROKER_URL_TRANSIENT );
return false;
}

return $broker_url;
}

Copilot AI Mar 6, 2026


get_broker_url() assumes the transient value is a parseable URL string and only validates the scheme. If the transient is corrupted/non-string, wp_parse_url() can throw a type error under PHP 8+, and if the URL is missing a host (e.g. https:///path) it would still be accepted and later used as the SSO base URL. Consider adding is_string( $broker_url ) and requiring a non-empty host in the validation before returning it (otherwise delete the transient and return false).


Labels

[Feature] SSO [Package] Connection [Status] In Progress [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. [Tests] Includes Tests


2 participants