
Comments (4)

evansims commented on June 12, 2024

Hi @aap-jmedema 👋 Thank you very much for the thoughtful breakdown you've provided here!

In terms of #4, my understanding from our previous discussions on that ticket was that the changes introduced in 4.5.0 addressed at least that aspect of it for you — is that correct, or did I misunderstand?

I think your custom plugin approach is great, and makes sense for your circumstances. I am admittedly hesitant to introduce redirection logic into the plugin that could have unintended side effects for other users, but this feels like a good custom approach scenario to me.

from wordpress.

aap-jmedema commented on June 12, 2024

Glad it was useful. Took me long enough :)

The custom cookie setting allowed us to stop getting an invalid state error, the biggest problem. However, fixing this revealed a smaller problem where redirect_to is broken in this reproduction scenario. Currently, with 4.5.0, here are 4 scenarios for reference:

  1. Throw "https://somedomain.com" into your url bar and go. Core WP with no plugins enabled redirects to https://www.somedomain.com and if you click on the website's login button then login occurs normally without needing a custom cookie.

  2. Throw "https://somedomain.com/wp-login" into your url bar and go. Auth0 catches the authentication attempt before wp can do its redirect, does the auth0 login stuff, and redirects back to https://www.somedomain.com's home page. This is the scenario that the custom cookie fixed.

  3. Throw "https://somedomain.com/some-page-requiring-auth" into your url bar and go. Auth0 catches the authentication attempt before wp can do its redirect, does the auth0 login stuff, and redirects back to https://www.somedomain.com's home page instead of the redirect_to because auth0 is using wp_safe_redirect. Prior to v4.5.0 and a custom cookie setting the authentication would fail with an invalid state error. So we're making progress but not all the way there. If you want to break this into a new issue for the separate problem I'm fine with that. Or I can change the issue header, etc. Whatever works for you.

  4. Throw "https://somedomain.com/some-page-not-requiring-auth" into your url bar and go. When my workaround is not in place, and regardless of the status or version of auth0, this page will pull up as-is with no redirection. When my workaround is in place it will redirect the page to https://www.somedomain.com/some-page-not-requiring-auth, which is technically bad behavior but still works for me. I'm highlighting this scenario because I only discovered it this morning. I thought I had tested for it before opening the original ticket but I must have only tested scenario #1 in this comment and made a bad assumption. WP doesn't redirect to site_url in all scenarios, despite what I might have said in earlier posts/tickets.

That said, I don't think scenario #4 matters for our discussion. Because auth0 is taking it upon itself to redirect during the authentication process (scenario #3 in this post), it needs to handle the redirect_to data appropriately in some fashion.

I can appreciate your hesitance on changing the redirect logic. I'm not asking for an immediate fix, I have my workaround. Chew on the alternatives for a while and find the best solution that fits auth0's architecture. I don't think there are any side effects, and there are some indications that other auth0 devs didn't see any problems. The auth0 shortcode is trying to do this - it's using wp_redirect as opposed to wp_safe_redirect. Maybe that dev author will have some insight?

from wordpress.
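
The wp_safe_redirect behavior discussed in scenario 3 above, as an added example that is not part of the original thread or the Auth0 plugin's code: WordPress validates redirect targets against a host allowlist exposed through the `allowed_redirect_hosts` filter, so the apex and `www.` forms of the site's own host can be allowed while off-site targets are still rejected. It assumes the `redirect_to` value is being dropped because its host differs from the configured site host; the `example_` function names are hypothetical.

```php
<?php
/**
 * Added example (not Auth0's code): must-use plugin that lets
 * wp_safe_redirect() accept both the apex and "www." form of the
 * site's own host. Function names prefixed "example_" are hypothetical.
 */

// Return the apex/www counterpart of a host: www.x.test <-> x.test.
function example_counterpart_host( string $host ): string {
    $host = strtolower( $host );
    return ( strpos( $host, 'www.' ) === 0 ) ? substr( $host, 4 ) : 'www.' . $host;
}

// Extend the allowlist consulted by wp_validate_redirect(), which
// wp_safe_redirect() calls. Only the site's own host pair is added,
// never a wildcard or a value taken from the request.
add_filter(
    'allowed_redirect_hosts',
    function ( array $hosts ): array {
        $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
        if ( is_string( $site_host ) && $site_host !== '' ) {
            $hosts[] = strtolower( $site_host );
            $hosts[] = example_counterpart_host( $site_host );
        }
        return array_values( array_unique( $hosts ) );
    }
);

// Resolve a post-login target: the requested URL if its host is on the
// allowlist, otherwise the site's home page. Off-site URLs never pass.
function example_login_target( string $redirect_to ): string {
    return wp_validate_redirect( wp_sanitize_redirect( $redirect_to ), home_url( '/' ) );
}
```

Placed in `wp-content/mu-plugins/`, this keeps the host check in force for every caller of wp_safe_redirect, rather than replacing it with wp_redirect, which performs no host validation.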

aap-jmedema commented on June 12, 2024

Any update on this? This is a lower priority than my other ticket (#867).

from wordpress.

evansims commented on June 12, 2024

Hi @aap-jmedema 👋 Thanks for your patience. Please review my follow-up to the other thread, as this issue is in the same basket. We would recommend forking the plugin to accommodate the necessary change, or migrating to v5.

from wordpress.
