WordPress / WooCommerce

Legion SSO Plugin

Drop-in WordPress plugin that signs your logged-in users into Legion widgets without ever exposing your client secret to the browser.

Releases

Available Versions

Direct CDN downloads. The latest link always points to the newest release; pin to a versioned URL if you need reproducible deploys.

| Version | Released   | SHA-256 | Download              |
|---------|------------|---------|-----------------------|
| v2.0.0  | 2026-04-26 |         | legion-sso-v2.0.0.zip |
Installation

Install in 4 steps

Download legion-sso-v2.0.0.zip directly, or via the WordPress admin uploader.

JS Bridge

window.legionAuth

When the plugin enqueues its bridge script on a page, it exposes a small global API for custom integrations.

| Method | Returns | Description |
|--------|---------|-------------|
| `getToken()` | `Promise<string \| null>` | Returns the current JWT, fetching one if needed. Concurrent callers share a single in-flight request. |
| `refresh()` | `Promise<string \| null>` | Force-refreshes the token, bypassing the cache. Useful after WooCommerce identity changes (e.g. account update). |
| `onExpired(cb)` | `() => void` | Subscribe to expiry events. Returns an unsubscribe function. The bridge calls `cb()` shortly before the JWT expires so callers can refresh proactively. |
```javascript
// Manually pull a token for a custom fetch call.
const token = await window.legionAuth.getToken();
fetch("/wp-json/my/endpoint", {
  headers: { Authorization: `Bearer ${token}` },
});

// React to forced expiry.
const off = window.legionAuth.onExpired(() => {
  console.log("token expired, refreshing");
  window.legionAuth.refresh();
});
```
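As an added example (not the plugin's own bridge code), the following Node script models the `window.legionAuth` contract described above: concurrent `getToken()` calls share one in-flight request, `refresh()` discards the cache, and `onExpired()` listeners fire shortly before the token's `exp` claim. `makeJwt`, `decodeExp`, `makeIssuer` and `createTokenClient` are hypothetical names, the sample tokens are constructed and unsigned, and Node's `Buffer` stands in for the browser's `atob`.

```javascript
// Added illustration, not the plugin's code (see lead-in). Node's Buffer stands in for atob.
const b64url = (s) => Buffer.from(s).toString("base64url");

// Constructed sample token: header + payload + empty signature. The bridge reads exp only
// to schedule a refresh; the widget backend still verifies the real signature server-side.
function makeJwt(expSeconds, jti = 1) {
  return `${b64url('{"alg":"none"}')}.${b64url(JSON.stringify({ exp: expSeconds, jti }))}.`;
}

// exp claim in milliseconds since the epoch, or null for anything unparseable.
function decodeExp(jwt) {
  try {
    const claims = JSON.parse(Buffer.from(jwt.split(".")[1], "base64url").toString());
    return typeof claims.exp === "number" ? claims.exp * 1000 : null;
  } catch { return null; }
}

// Hypothetical token endpoint: a fresh token per call, plus a call counter for checks.
function makeIssuer(ttlSeconds, now = Date.now) {
  let calls = 0;
  return {
    fetchToken: async () => makeJwt(Math.floor(now() / 1000) + ttlSeconds, ++calls),
    calls: () => calls,
  };
}

function createTokenClient({ fetchToken, now = Date.now, leadMs = 30_000 }) {
  let cached = null, inflight = null, timer = null;
  const listeners = new Set();
  function schedule(jwt) {               // fire onExpired listeners leadMs before exp
    clearTimeout(timer);
    const exp = decodeExp(jwt);
    if (exp === null) return;
    timer = setTimeout(() => listeners.forEach((cb) => cb()), Math.max(0, exp - leadMs - now()));
    if (timer.unref) timer.unref();      // Node only: don't hold the process open
  }
  function fetchOnce() {                 // concurrent callers share one request
    if (inflight) return inflight;
    inflight = Promise.resolve().then(fetchToken)
      .then((jwt) => { cached = jwt; if (jwt) schedule(jwt); return jwt; })
      .finally(() => { inflight = null; });
    return inflight;
  }
  const fresh = () => cached !== null && decodeExp(cached) > now() + leadMs;
  return {
    getToken: () => (fresh() ? Promise.resolve(cached) : fetchOnce()),
    refresh: () => { cached = null; return fetchOnce(); },   // drop cache, join any in-flight
    onExpired: (cb) => { listeners.add(cb); return () => listeners.delete(cb); },
  };
}
```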
Web Components

Auto-token injection

The bridge scans the DOM for <legion-*> custom elements and writes the active JWT into their auth-token attribute. New nodes added later (for example after a WooCommerce fragment refresh) are picked up via a MutationObserver.

Upgrades

Updating the plugin

Download the new versioned zip from the table above, then in WP admin go to Plugins, deactivate Legion SSO, delete it, and upload the new zip. Settings (client id, secret, base URL) are preserved across re-install.

After upgrading, click Run Test in Settings → Legion SSO to confirm the new build is healthy.

Troubleshooting

Common issues

Run Test returns 401 invalid_credentials

Re-paste the client secret. The secret is shown only once, when it is created or rotated; the Legion admin stores only a hash of it. If you no longer have the value, rotate the secret in the Legion admin and update the plugin.

Run Test returns 403 origin_not_allowed

Add the WordPress site origin (scheme + host) to the SSO client's allowed_origins list in the Legion admin.

Widget shows but never receives a token

Confirm the page is enqueueing legion-sso-bridge.js (check the browser's Network tab) and that the user is logged in. The bridge no-ops for anonymous traffic by design.

Still stuck? Email [email protected] with the WP version, plugin version, and the response body from Run Test.