All Login Attempts Suddenly Fail With Error: Signature verification failed #321

Closed
lots0logs opened this issue Jun 20, 2017 · 22 comments

@lots0logs

lots0logs commented Jun 20, 2017

This just started happening out of nowhere really. It was working fine until today. I haven't made any changes or installed any updates since last week. All login attempts redirect to a page with this error:

There was a problem with your log in Error: There was an issue decoding the token, please review the Auth0 Plugin Error Log.

The logs in my Auth0 Dashboard show that the login was successful. There are no log messages from Auth0 plugin in my PHP logs or WP debug log. Please let me know what information you need that would help identify the problem. Thanks!

Edit:

Got this out of my wp database:

[
  {
    "section":"redirect_login\/decode",
    "code":"N\/A",
    "message":"Signature verification failed, disabling \"Settings \\ Basic \\ Client Secret Base64 Encoded\" may resolve this issue.",
    "date":1497967999
  },

cc: @glena @cocojoe

@lots0logs changed the title from "All Login Attempts Fail With Error" to "All Login Attempts Fail With Error -- Was Working Fine Up Until Now" on Jun 20, 2017
@lots0logs changed the title from "All Login Attempts Fail With Error -- Was Working Fine Up Until Now" to "All Login Attempts Suddenly Fail With Error: Signature verification failed" on Jun 20, 2017
@cocojoe
Member

cocojoe commented Jun 20, 2017

@lots0logs

  1. So to confirm this error is not displayed in the Auth0 Plugin Log screen?
  2. Also to confirm you upgraded to the latest version last week but this is the first time this error has appeared?
  3. Have you changed any of your Auth0 client settings?

Thx

@lots0logs
Author

@cocojoe

  1. I can't access the dashboard because I have my wp-login.php page redirecting to a custom login page that has Auth0 Widget on it 🤦‍♂️
  2. I don't remember exactly when it was I last updated. I can see that the current version of the plugin that is installed is 3.2.21. That's from my automated weekly backup that ran about 10 hours ago. I assume that the issue didn't immediately present itself because my login session was valid (I logged in fine day before yesterday so my session must have expired since then).
  3. No. Haven't touched anything on Auth0 Dashboard nor on the Auth0 wp plugin settings.

Thanks!

@cocojoe
Member

cocojoe commented Jun 20, 2017

@lots0logs can you try adding ?wp to the admin login url and it should hopefully fall back to wp login.

@lots0logs
Author

lots0logs commented Jun 20, 2017

@cocojoe Nah that doesn't help because like I said, I have my site configured to redirect the default login page to a custom one where I am using the Auth0 Lock. I see the most recent release of the plugin included changes that appear to be related to the error I'm getting now when trying to log into my site. Do you know what the problem is?

@cocojoe
Member

cocojoe commented Jun 20, 2017

There was an issue that in the Auth0 dashboard, new clients do not have a base64 encoded secret, so the default option was changed to set this flag to false. The error was there to help anyone who may have an issue that their flag is enabled when it should be disabled.

The only real change is:
https://github.com/auth0/wp-auth0/pull/313/files#diff-894052ccee58b2c7d7f46aca8335a672L61
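
The flag mismatch described in the comment above, as an added example that is not part of the original thread and not wp-auth0 code: an HS256 token verifies only when the verifier derives the same HMAC key bytes the issuer used. It assumes that for a base64-encoded client secret the issuer keys the HMAC with the decoded bytes; the function names, secret and claims are constructed for illustration.

```php
<?php
// Added illustration, not wp-auth0 code; every name and value here is constructed.

function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt): string {
    $pad = (4 - strlen($txt) % 4) % 4;
    $bin = base64_decode(strtr($txt, '-_', '+/') . str_repeat('=', $pad), true);
    if ($bin === false) {
        throw new InvalidArgumentException('not base64/base64url');
    }
    return $bin;
}

// Issuer side: sign with $key used as the raw HMAC key bytes.
function hs256_sign(array $claims, string $key): string {
    $input = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']))
           . '.' . b64url_encode(json_encode($claims));
    return $input . '.' . b64url_encode(hash_hmac('sha256', $input, $key, true));
}

// Verifier side: $secretIsB64 plays the role of "Client Secret Base64 Encoded".
function hs256_verify(string $jwt, string $stored, bool $secretIsB64): bool {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return false;
    }
    try {
        $header = json_decode(b64url_decode($parts[0]), true);
        if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
            return false; // pin the algorithm, never take it from the token alone
        }
        $key = $secretIsB64 ? b64url_decode($stored) : $stored;
        $sig = b64url_decode($parts[2]);
    } catch (InvalidArgumentException $e) {
        return false;
    }
    $expected = hash_hmac('sha256', $parts[0] . '.' . $parts[1], $key, true);
    return hash_equals($expected, $sig); // constant-time comparison
}

// Constructed secret, in the form a dashboard would show for an encoded client.
$stored = b64url_encode(str_repeat("\x5a\xc3", 16));
$token  = hs256_sign(['sub' => 'constructed|user'], b64url_decode($stored));

var_dump(hs256_verify($token, $stored, true));  // flag enabled, as this client requires
var_dump(hs256_verify($token, $stored, false)); // flag disabled, the mismatch in this issue
```

Only the interpretation that matches how the issuer keyed the HMAC verifies; the other one fails at the signature check even though the token and the stored secret string are unchanged.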

@lots0logs
Author

My site has been using the plugin almost since its 1.0 version. Does that mean my secret is base64 encoded? That could explain the problem I'm having, right?

@cocojoe
Member

cocojoe commented Jun 20, 2017

Well this setting should be stored in the database, so the change in defaults shouldn't matter for existing clients. Can you check the wp-auth0 client settings in the Auth0 Dashboard, in particular under Client Secret it tells you if it's encoded or not. Thx

@cocojoe
Member

cocojoe commented Jun 20, 2017

@lots0logs
Author

I had actually tried that before opening this issue. I'm going to try downgrading the plugin and see if the issue remains afterwards.

@lots0logs
Author

@cocojoe I downgraded the plugin manually to the previous version and I can log in again. Is there anything I can provide that would help to identify and fix the bug?

@cocojoe
Member

cocojoe commented Jun 22, 2017

That would be great, thanks. First step: what is the version of the plugin you are using now?
In the Plugin basic settings, is the base 64 encoded option enabled or disabled?

@cocojoe
Member

cocojoe commented Jun 23, 2017

@lots0logs it would be helpful if you could tell me the version of the plugin you are currently on that works fine. Thx

@lots0logs
Author

@cocojoe

  • Plugin Version: 3.2.20
  • In Auth0 Dashboard I see: The Client Secret is base64 encoded.
  • In WP Auth0 Plugin Settings this option is enabled: Client Secret Base64 Encoded

Let me know if that helps track down the issue. Cheers!

@cocojoe
Member

cocojoe commented Jun 23, 2017

@lots0logs I believe I've got to the bottom of this and patched this for next release #324

It would be great if you could have a look at the settings info stored in the database, in wp_options / wp_auth0_configuration (something like that).
Don't paste it here, but I'm wondering if it contains the key client_secret_b64_encoded and, if it does, the value.

Thanks for your help.

@lots0logs
Author

@cocojoe I think I may have found the problem while digging in the database. I have a multisite with two sites. That means I actually have three wp-auth0 configs total (though I don't think the network-level one ever gets used... it's leftover from when I first installed the plugin a couple years ago). Anyway, the serialized data of my main site's wp-auth0 config was somehow corrupt. Not sure how it happened but I use the exact same config for both sites so I just copied the other site's config over to the site where the data was corrupt (I saved the corrupted data). Do you have an email I can send the data to privately?

I am about to perform a back up and try updating the plugin again unless you think I should hold off on that?

@cocojoe
Member

cocojoe commented Jun 24, 2017

@lots0logs sure redacted
don't upgrade just yet, let's check that config first.

@lots0logs
Author

Done 😃

@cocojoe
Member

cocojoe commented Jun 26, 2017

Thanks I had a look at your configs, so I think you will be fine to upgrade to the upcoming release of 3.2.22 which we'll be releasing today.

@cocojoe
Member

cocojoe commented Jun 30, 2017

@lots0logs Did you have a chance to update?

@lots0logs
Author

lots0logs commented Jun 30, 2017

No, not yet. TBH, I didn't realize the update was released already 😅 I will try and get to it today and let you know how it goes!

Edit: haha I see your comment said it was being released..I totally missed that the first time I read it 🤦‍♂️

@cocojoe
Member

cocojoe commented Jun 30, 2017

No rush, never update on a Friday 😄

@lots0logs
Author

I can confirm the update went smoothly and the issue no longer occurs 🎊 Thanks!!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 19, 2022