Troubleshoot Login by Auth0 WordPress Plugin

Here are some common troubleshooting questions. If the items below do not solve your issue, then consider the following alternatives:

I'm seeing the error message "Invalid state" that prevents me from logging in

State validation is a security feature added in version 3.6.0. A cached callback URL usually causes this error message (see your Application settings for the callback URLs that should not be cached). To learn more, read Troubleshoot WordPress Plugin Invalid State Errors.

I'm having an issue logging in or changing email/password using a custom database

To learn about possible solutions, read User Migration in Login by Auth0 WordPress Plugin.

I'm seeing the error message "Invalid ID token" or "Expired ID token" that prevents me from logging in

This is typically caused by a server set to an incorrect time. If the error message includes "used too early," then your server time is set in the future. If it says that the token is expired, then the server time is set too far in the past. A difference in time between two servers is common. Output echo date(DateTime::ISO8601) in PHP on your server and compare that, including seconds, to the current UTC time. If your server's time is more than 60 seconds (the default leeway) off from UTC time, then you’ll need to set a longer leeway to account for your server’s clock skew. You can paste the below code in your theme's functions.php or anywhere else that would run it after the plugin loads and before the login hook runs:

add_filter( 'auth0_jwt_leeway', function( $default_leeway ) { return 120; } );

Was this helpful?

/

This would provide a 120 second leeway. You may need to adjust this depending upon how skewed your server's time is.

I see the error message "This account does not have an email associated..." that prevents me from logging in

If you get this error, make sure you are requesting an email from each provider in the Auth0 Dashboard under Connections > Social (expand each provider). Take into account that not all providers return email addresses for users (e.g., X). If this happens, you can always add an Email address to any logged in user through the Auth0 Dashboard (or API). See Users > Edit.

For Connections that don't provide an email_verified flag (some Enterprise connections will not include this) or to skip this validation for specific Social Connections, add the strategy for that Connection in the "Skip Strategies" field. This field is located below the Require Verified Email switch accessible via wp-admin > Auth0 > Settings > Advanced.

This field should only be used if necessary because it circumvents the security precautions recommended by Auth0.

I see the error message "There is a user with the same email" that prevents me from logging in

This means that there is a user in WordPress that has the same email as the one being used to login associated with a different Auth0 user. If you're in the process of testing the plugin or want to associate the existing user with the new Auth user instead:

  1. Log in as an admin

  2. Go to wp-admin > Users and search for the email being used

  3. View the user's profile and scroll down to the bottom

  4. Click Delete Auth0 Data and confirm

If you have 2 user accounts in Auth0 with the same email address, this error message will persist. We recommend that you link user accounts.

I see the error message "Failed cross origin authentication" or "No verifier returned from client" in my browser's console logs when trying to log in

Go to Auth0 Dashboard > Applications > Applications, select your WordPress application to view its settings, and check that the Allowed Callback URLs and Allowed Origins (CORS) match your WordPress site.

If you're using a Chromium-based browser, make sure you don't have third-party cookies turned off. To learn more, read Cross-Origin Authentication.

I need to rerun the Setup Wizard, but I don't see that menu option anymore.

This means that the plugin is already configured with a Domain, Client ID, and Client Secret. Running the Setup Wizard a second time can have unpredictable results. If you're setting up WordPress for the first time and want to start over before any logins have occurred:

  1. Go to wp-admin > Auth0 > Settings > Basic.

  2. Delete the Domain and Client ID. Scroll down and click Save Changes.

  3. Go to Auth0 Dashboard > Applications > Applications.

  4. Find the Application that was created by WordPress (its name should be the site name of your WordPress site).

  5. Select the Application to view its settings. Scroll down, and select Delete Application.

  6. Go to Auth0 Dashboard > Authentication > Database.

  7. Find the Connection that was created by WordPress (its name should be the site name of your WordPress site prepended with "DB-").

  8. Select the Connection to view its settings. Scroll down, and select I Want To Delete This Connection. Please note that this will delete the Connection and all users that were created within it.

  9. Return to WordPress. You will now see the Setup Wizard option under Auth0 in the admin menu.

How do I setup Passwordless login?

Passwordless login is possible any Auth0-enabled website using email or SMS. To make this work on your WordPress site:

  1. Turn on Passwordless Login from the plugin settings' Features view and save.

  2. Go to Auth0 Dashboard > Authentication > Passwordless.

  • To use email, turn on the Email connection and modify the settings if desired. This will turn on email code login (users are emailed a code which is then typed into the login form on your site).

  • To use a "magic link" (emailed link will automatically log users in), add {passwordlessMethod: 'code'} to the "Extra Settings" field in the plugin settings' Advanced tab.

  • To use SMS login, turn on the SMS connection and follow the steps to set up a Twilio developer account (this will require a paid Twilio account depending on usage).

The Auth0 login form will select a Passwordless method depending on which connection is activated above. If you have both connections active, it will default to email. In this case, either turn off the email connection to show SMS or add sms to the Connections field in the plugin settings' Advanced tab.

I have two accounts for the same user in WordPress

Under some situations, you may end up with a user with two accounts. WordPress allows you to merge users by deleting one of the accounts and attributing that account's content to another user. Go to wp-admin > Users, select the account you want to remove, and in the confirmation dialog select another user to transfer the content.

My configuration is wrong, and I can't authenticate using Auth0. Is there another way to access the plugin?

The plugin can be accessed using valid WordPress credentials through the regular WordPress login by adding ?wle to the login URL. For example: http://yourdomain.com/wp-login.php?wle.

I am having problems when a user logs in. Where can I find a log of what is happening?

The plugin provides an error log where you can check what has happened. Access it through the Error Log sub-item of the Auth0 plugin menu. You can find additional information at Auth0 Dashboard > Monitoring > Logs.

How can I show the widget or shortcode in signup mode by default?

You can use the widget Extra configuration setting (or the extra_conf attribute in the shortcode) and add this JSON {"mode":"signup" } that will force the plugin to be shown in this mode.

When using a plugin to force the login, the user is not logged in

This is typically caused by a cached page after login. Check with your host for strategies to mitigate this or try adding a cache-busting parameter to the URL. To learn more, use this gist on GitHub.

The user is not logged in when using the "Force Login" plugin

This is because the callback URL has not been added to the AllowList. Try adding this code to the my_forcelogin_whitelist filter:

function wp_auth0_forcelogin_whitelist( $whitelist ) {
  if ( ! empty( $_GET['auth0'] ) ) {
    $whitelist[] = site_url($_SERVER['REQUEST_URI']);
  }
  return $whitelist;
}
add_filter('v_forcelogin_whitelist', 'wp_auth0_forcelogin_whitelist', 10, 1);

Was this helpful?

/

How can I redirect the users to a specific URL after login?

All redirects are checked using wp_safe_redirect() before being performed. If you're trying to redirect to a domain that is not your main domain, add that domain to the check using the core WordPress allowed_redirect_hosts filter. To learn more, read apply_filters( 'allowed_redirect_hosts', string[] $hosts, string $host ) on wordpress.org.

On the login page

This plugin leverages WordPress features to work seamlessly with default settings. To add a redirect, you can append the redirect_to query parameter to the URL when you direct the user to the login page. The plugin will redirect the user to this URL after a successful login.

You can also use the Login redirection URL setting in the Auth0 plugin settings page. This will URL be used to redirect the user when the redirect_to parameter is not provided.

Using the widget

The widget will automatically redirect to the same page where the user was before authentication. You can override this using the Redirect after login: setting.

Using the shortcode

The shortcode will automatically redirect to the same page where the user was before authentication. You can override this using the redirect_to attribute.

How can I migrate my WordPress users to Auth0?

The current version of the plugin does not provide a way to migrate users to Auth0 automatically, but you have a few options:

The form_title setting is ignored when I set up the dict setting

Internally, the plugin uses the dict setting to change the Auth0 widget title. When you set up the dict field, it overrides the form_title one.

To change the form_title in this case, you need to add the following attribute to the dict JSON:

{
    "signin": {
        "title": "The desired form title"
    }
}

Was this helpful?

/

How can I modify the embedded Auth0 login form?

There are many options on the Appearance tab of the plugin settings page that can change the look and feel of the login form that is embedded on your site (wp-login/php page, shortcodes, or widgets). To learn more about these options, read Configure Login by Auth0. This will not affect the the login form on the Auth0-hosted Universal Login Page.

There is also a field called "Extra Settings" on the Advanced tab that accepts a valid JSON object with all the settings you want to configure. This will override any changes made on the Appearance tab. To see all possible configuration options, read Lock Configuration Options.

External style sheets and JS files should be loaded in your theme using the wp_enqueue_scripts hook for shortcodes/widgets and the login_enqueue_scripts hook for wp-login.php. To learn more, read do_action( 'wp_enqueue_scripts' ) on wordpress.org and do_action( 'login_enqueue_scripts' ) on wordpress.org.

The session expires too soon

The Auth0 plugin does not handle sessions; it uses the WordPress settings. By default, user sessions are kept alive for two days. You can enable the Remember users session setting on the plugin settings' Advanced tab to allow sessions to remain live for up to 14 hours.

How do I implement a Refresh Token?

We implemented additional parameters in the login methods used by the plugin to allow for Refresh Tokens. Use the auth0_auth_scope filter combined with the auth0_user_login action to accomplish this.

Profile data saved in WordPress is not being synced to the Auth0 user account.

This is a current limitation of the plugin but something we're looking at in a future release. The one exception to this is the user password. If the password is changed in WordPress and it passes the security policy set for the database connection being used, then that password will update for the Auth0 user as well. We'll be adding an error message in a future release to stop the process if the password is not strong enough.

How do I migrate from "Social Login with Auth0" to "Login by Auth0"?

Historically, Auth0 has maintained two WordPress plugins:

These two plugins are effectively the same, but Social Login with Auth will not receive any updates past version 3.7.0 (released 13 August 2018). Migrating from Social Login with Auth to Login by Auth0 is simple and won't result in any Auth0 or WordPress data loss.

Moving from Social Login with Auth to Login by Auth0 will update the version number you see, so make sure to test this change out on a staging or development server first (just as you would if you were updating the plugin in wp-admin). Furthermore, logins may not work during the migration process, so be sure to use a maintenance mode plugin or complete the migration during off-peak hours.

The easiest way to migrate is via (S)FTP:

  1. Log in to the WordPress site as an administrator.

  2. Download Login by Auth0 and unzip it locally.

  3. Deactivate the Social Login with Auth0 plugin from the WordPress admin > Plugins screen.

  4. Log in to the server you want to migrate to and navigate to wp-content/plugins.

  5. Move the social-login-with-auth0 folder out of the plugins folder to back up the contents.

  6. Upload the new auth0 plugin folder to the plugins directory.

  7. Activate the new "Login by Auth0" plugin from the WordPress Admin > Plugins screen.

If you're unable to access the site via FTP, you can also run the process directly from the WordPress admin:

  1. Log in to the WordPress site as an administrator.

  2. Go to Auth0 > Import-Export Settings.

  3. Click Export Settings, then Export.

  4. Deactivate the Social Login with Auth0 plugin from the WordPress Admin > Plugins screen.

  5. Delete the Social Login with Auth0 plugin and confirm.

  6. Go to Plugins > Add New and search for "Auth0".

  7. For the Login by Auth0 plugin (make sure to check the name), click Install Now.

  8. When this completes, click Activate.

  9. Check Auth0 > Settings and make sure the previous settings remain. If not:

    1. Go to Auth0 > Import-Export Settings.

    2. Paste in the settings JSON exported previously and click Import.

  10. Completely delete the settings file export JSON (it contains sensitive information).

Everything should now be working as expected with the new plugin and updates will resume as usual.

Learn more