Comments (4)
Hi @aap-jmedema 👋 Thank you very much for the thoughtful breakdown you've provided here!
In terms of #4, my understanding from our previous discussions on that ticket was that the changes introduced in 4.5.0 addressed at least that aspect of it for you — is that correct, or did I misunderstand?
I think your custom plugin approach is great, and makes sense for your circumstances. I am admittedly hesitant to introduce redirection logic into the plugin that could have unintended side effects for other users, but this feels like a good custom approach scenario to me.
from wordpress.
Glad it was useful. Took me long enough :)
The custom cookie setting allowed us to stop getting an invalid state error, the biggest problem. However, fixing this revealed a smaller problem where redirect_to is broken in this reproduction scenario. Currently, with 4.5.0, here are 4 scenarios for reference:
1. Throw "https://somedomain.com" into your url bar and go. Core WP with no plugins enabled redirects to https://www.somedomain.com and if you click on the website's login button then login occurs normally without needing a custom cookie.
2. Throw "https://somedomain.com/wp-login" into your url bar and go. Auth0 catches the authentication attempt before wp can do its redirect, does the auth0 login stuff, and redirects back to https://www.somedomain.com's home page. This is the scenario that the custom cookie fixed.
3. Throw "https://somedomain.com/some-page-requiring-auth" into your url bar and go. Auth0 catches the authentication attempt before wp can do its redirect, does the auth0 login stuff, and redirects back to https://www.somedomain.com's home page instead of the redirect_to because auth0 is using wp_safe_redirect. Prior to v4.5.0 and a custom cookie setting the authentication would fail with an invalid state error. So we're making progress but not all the way there. If you want to break this into a new issue for the separate problem I'm fine with that. Or I can change the issue header, etc. Whatever works for you.
4. Throw "https://somedomain.com/some-page-not-requiring-auth" into your url bar and go. When my workaround is not in place, and regardless of the status or version of auth0, this page will pull up as-is with no redirection. When my workaround is in place it will redirect the page to https://www.somedomain.com/some-page-not-requiring-auth, which is technically bad behavior but still works for me. I'm highlighting this scenario because I only discovered it this morning. I thought I had tested for it before opening the original ticket but I must have only tested scenario #1 in this comment and made a bad assumption. WP doesn't redirect to site_url in all scenarios, despite what I might have said in earlier posts/tickets.
That said, I don't think scenario #4 matters for our discussion. Because auth0 is taking it upon itself to redirect during the authentication process (scenario #3 in this post), it needs to handle the redirect_to data appropriately in some fashion.
I can appreciate your hesitance on changing the redirect logic. I'm not asking for an immediate fix, I have my workaround. Chew on the alternatives for a while and find the best solution that fits auth0's architecture. I don't think there are any side effects, and there are some indications that other auth0 devs didn't see any problems. The auth0 shortcode is trying to do this - it's using wp_redirect as opposed to wp_safe_redirect. Maybe that dev author will have some insight?
from wordpress.
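An added example, not part of the thread and not code from the Auth0 plugin: one way a site-specific plugin can keep `wp_safe_redirect` host validation while accepting the apex host from scenario #3, using WordPress's `allowed_redirect_hosts` filter. It assumes the rejected `redirect_to` values carry the host `somedomain.com` while the site itself is served from `www.somedomain.com`; the function and constant names are hypothetical.

```php
<?php
/**
 * Plugin Name: Allow apex host in safe redirects (illustrative example)
 *
 * Added example, not code from the Auth0 plugin or from this thread.
 * Assumption: the site is served at https://www.somedomain.com and the
 * rejected redirect_to values carry the apex host somedomain.com.
 */

// Extra hosts to treat as belonging to this site. Constructed value,
// taken from the scenarios described in the thread.
const EXAMPLE_EXTRA_REDIRECT_HOSTS = array( 'somedomain.com' );

/**
 * wp_safe_redirect() validates its target through wp_validate_redirect(),
 * which passes the list of permitted hosts through this filter. A target
 * whose host is not in the list is replaced by the fallback URL, so any
 * host not named here is still rejected.
 *
 * @param string[] $hosts Hosts WordPress already allows.
 * @return string[] The same list with the apex host appended.
 */
function example_allow_apex_redirect_host( $hosts ) {
	return array_values(
		array_unique( array_merge( $hosts, EXAMPLE_EXTRA_REDIRECT_HOSTS ) )
	);
}
add_filter( 'allowed_redirect_hosts', 'example_allow_apex_redirect_host' );
```

Unlike replacing the call with `wp_redirect`, which performs no host validation, this keeps the allowlist in force and only widens it by the one named host.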
Any update on this? This is a lower priority than my other ticket (#867).
from wordpress.
Hi @aap-jmedema 👋 Thanks for your patience. Please review my follow-up to the other thread, as this issue is in the same basket. We would recommend forking the plugin to accommodate the necessary change, or migrating to v5.
from wordpress.