-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
auth0 wordpress plugin not redirecting users causing invalid state errors #871
Comments
Hi @aap-jmedema 👋 Thank you very much for the thoughtful breakdown you've provided here! In terms of #4, my understanding from our previous discussions on that ticket were that the changes introduced in 4.5.0 addressed at least that aspect of it for you — is that correct, or did I misunderstand? I think your custom plugin approach is great, and makes sense for your circumstances. I am admittedly hesitant to introduce redirection logic into the plugin that could have unintended side effects for other users, but this feels like a good custom approach scenario to me. |
Glad it was useful. Took me long enough :) The custom cookie setting allowed us to stop getting an invalid state error, the biggest problem. However, fixing this revealed a smaller problem where redirect_to broken in this reproduction scenario. Currently, with 4.5.0, here are 4 scenarios for reference:
That said, I don't think scenario #4 matters for our discussion. Because auth0 is taking it upon itself to redirect during the authentication process (scenario #3 in this post), it needs to handle the redirect_to data appropriately in some fashion. I can appreciate your hesitance on changing the redirect logic. I'm not asking for an immediate fix, I have my workaround. Chew on the alternatives for a while and find the best solution that fits auth0's architecture. I don't think there are any side effects, and there are some indications that other auth0 devs didn't see any problems. The auth0 shortcode is trying to do this - it's using wp_redirect as opposed to wp_safe_redirect. Maybe that dev author will have some insight? |
Any update on this? This is a lower priority than my other ticket (#867). |
Hi @aap-jmedema 👋 Thanks for your patience. Please review my follow up to the other thread, as this issue is in the same basket. We would recommend forking the plugin to accomodate the necessary change, or migrating to v5. |
Tying back to auth0 ticket https://support.auth0.com/tickets/01966888 and copying in most of the ticket and summarizing here so we haven't lost any context.
Our wordpress site is set up using https://www.somedomain.com as the main site URL and home URL. However, it also accepts traffic destined to https://somedomain.com (no www). When you access a page at https://somedomain.com/some-page WP automatically redirects to https://www.somedomain.com/some-page. However, when the Ultimate Member and Auth0 plugins are installed (a common scenario) and some-page is locked behind a non-wp-admin user login requirement, then the auth0 login process captures the request before that redirection and after login sends back the successful login notification to the incorrect URL (https://www.somedomain.com/some-page).
To replicate the issue:
I should note that Wordpress, without Ultimate Member, has only a basic login infrastructure. The user states are "not logged in" or "logged in as an admin", and in the latter case after login redirects you to https://somedomain.com/wp-admin regardless of your original page. The Ultimate Member plugin enables non-admin users, which in turn enables us to redirect users post-login to whatever page they were trying to access. It may be possible to replicate the invalid state issue without installing the UM plugin, I haven't tried to boil it down that far.
In order to understand the root cause of this invalid state issue, I'll walk through the login process:
To fix this, any one of three things needs to be changed in the auth0 plugin:
I have implemented my fix #1 (redirecting to https://home_url() . $_SERVER['REQUEST_URI']) outside of auth0 as a separate plugin for now as a temporary workaround, which has been in place in production for 2 weeks without issues. Here is the plugin content for reference:
// todo: doesn't re-POST data yet
function aap_auth0_forward_www()
{
if ("https://" . $_SERVER['SERVER_NAME'] != get_home_url(null, null, 'https'))
{
wp_redirect( get_home_url(null, null, 'https') . $_SERVER['REQUEST_URI'] );
exit;
}
}
// note the higher priority to pre-empt auth0
add_action( 'plugins_loaded', 'aap_auth0_forward_www', 5, 0);
The text was updated successfully, but these errors were encountered: