=== PhoenixForge SSO ===
Contributors: ryanpurvisphoenixforge
Tags: sso, single sign-on, jwt, authentication, phoenixos
Requires at least: 6.2
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 2.0.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Single sign-on bridge between PhoenixOS and WordPress. Validates JWT tokens and creates WordPress sessions automatically.

== Description ==

PhoenixForge SSO connects your WordPress site to PhoenixOS, enabling seamless single sign-on for your users. When a user authenticates on PhoenixOS and navigates to your WordPress site, the plugin validates their JWT token and logs them in automatically — no separate WordPress password required.

**How it works:**

1. User authenticates on PhoenixOS
2. PhoenixOS issues a signed JWT token
3. User is redirected to your WordPress site with `?sso_token=...`
4. PhoenixForge SSO validates the JWT signature and expiry
5. WordPress session is created (user account provisioned if needed)
6. User lands on the page, fully logged in
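
The checks in step 4, as an added example that is not the plugin's own code: HS256 with the algorithm pinned, a constant-time signature comparison, then expiry and issuer. The `pfsso_example_*` function names and the demo secret and token are assumptions constructed for illustration; the issuer value is the one shown under Installation.

```php
<?php
// Added example; pfsso_example_* names are hypothetical, not the plugin's API.
function pfsso_example_b64url_decode(string $s): string {
    $pad = (4 - strlen($s) % 4) % 4;
    $raw = base64_decode(strtr($s, '-_', '+/') . str_repeat('=', $pad), true);
    return $raw === false ? '' : $raw;
}

// Returns the claims array when every check passes, otherwise null.
function pfsso_example_verify(string $jwt, string $secret, string $issuer, ?int $now = null): ?array {
    $now   = $now ?? time();
    $parts = explode('.', $jwt);
    // An unset (empty) shared secret must fail closed.
    if ($secret === '' || count($parts) !== 3) {
        return null;
    }
    [$h64, $p64, $s64] = $parts;
    // Pin the algorithm: the token header must not choose it ("none", RS256, ...).
    $header = json_decode(pfsso_example_b64url_decode($h64), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    // Recompute the HMAC over the exact bytes received; compare in constant time.
    $expected = hash_hmac('sha256', $h64 . '.' . $p64, $secret, true);
    if (!hash_equals($expected, pfsso_example_b64url_decode($s64))) {
        return null;
    }
    // Read claims only after the signature has verified.
    $claims = json_decode(pfsso_example_b64url_decode($p64), true);
    if (!is_array($claims)) {
        return null;
    }
    // A missing or non-integer exp is a failure, not "never expires".
    if (!is_int($claims['exp'] ?? null) || $now >= $claims['exp']) {
        return null;
    }
    if (!is_string($claims['iss'] ?? null) || !hash_equals($issuer, $claims['iss'])) {
        return null;
    }
    return $claims;
}

// Constructed demo token and secret (not real values).
$secret = 'constructed-demo-secret';
$issuer = 'https://os.phoenixforge.io';
$enc    = fn(string $d): string => rtrim(strtr(base64_encode($d), '+/', '-_'), '=');
$body   = $enc('{"alg":"HS256","typ":"JWT"}') . '.' . $enc(json_encode(['iss' => $issuer, 'exp' => time() + 60]));
$token  = $body . '.' . $enc(hash_hmac('sha256', $body, $secret, true));
var_dump(pfsso_example_verify($token, $secret, $issuer) !== null);        // correct secret and issuer
var_dump(pfsso_example_verify($token, 'other-secret', $issuer) !== null); // wrong secret
```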

= Free Features =

* HS256 JWT token validation with configurable secret
* Automatic WordPress user provisioning from PhoenixOS tokens
* PhoenixOS role-to-WordPress role mapping (admin/owner → editor, others → subscriber)
* Secure token handling with expiry and issuer checks
* Activity logging of all SSO events

= Pro Features =

* SSO session tracking and last login timestamps
* Organization data sync from PhoenixOS to WordPress user meta
* Detailed SSO analytics in the admin dashboard

== Installation ==

1. Upload the `phoenixforge-sso` folder to `/wp-content/plugins/`
2. Activate the plugin through the Plugins menu
3. Add the following to your `wp-config.php`:

`define('PHOENIXFORGE_SSO_SECRET', 'your-shared-secret-here');`
`define('PHOENIXFORGE_SSO_ISSUER', 'https://os.phoenixforge.io');`

4. The shared secret must match the one configured in your PhoenixOS instance

== Frequently Asked Questions ==

= What happens if the JWT is expired? =

The user is redirected to the WordPress login page with an error indicator. They can log in manually or request a new token from PhoenixOS.

= What WordPress role do SSO users get? =

PhoenixOS admin/owner/super_admin roles map to WordPress "editor". All other roles map to "subscriber". This can be customised via the `pfsso_map_role` filter.

= Does this work with multisite? =

The plugin works on individual sites within a multisite network. Network-wide activation is not currently supported.

== Screenshots ==

1. SSO settings page with JWT secret configuration and issuer URL
2. PhoenixOS role-to-WordPress role mapping configuration panel
3. SSO activity log showing authentication events with timestamps and user details
4. User provisioning status showing accounts created via SSO tokens

== Third-Party Services ==

This plugin connects to external services under certain conditions:

= PhoenixForge License Server =

When you activate a Pro license key, the plugin validates it with the PhoenixForge license server.

* Service URL: https://phoenixforge-licenses.phoenixforge.workers.dev
* Privacy Policy: https://phoenixforge.io/privacy
* Terms of Service: https://phoenixforge.io/terms
* Data sent: License key, site URL
* When: On license activation, deactivation, and daily revalidation

= PhoenixForge Update Server =

The plugin checks for new versions from the PhoenixForge update server. This is disabled in WordPress.org distributed builds.

* Service URL: https://phoenixforge-updates.phoenixforge.workers.dev
* Privacy Policy: https://phoenixforge.io/privacy
* Terms of Service: https://phoenixforge.io/terms
* Data sent: Plugin slug and current version
* When: During WordPress update checks (approximately every 12 hours)

= Outbound Webhooks (Pro Feature) =

Pro users can optionally configure webhook URLs to send event data to services like Zapier, Make, or n8n.

* Only active when explicitly configured by the site administrator
* Data sent: Event type, site URL, and event-specific data
* Destination URL is entirely user-controlled

== Changelog ==

= 2.0.0 =
* Full shared-lib integration (license, updater, admin, settings)
* Moved SSO handler to dedicated class
* Added activity logging for SSO events
* Added uninstall cleanup

= 1.0.0 =
* Initial release with JWT validation and user provisioning
