URL: https://deepwiki.com/auth0/wordpress/2.2-auth0-application-setup

Auth0 Application Setup | auth0/wordpress | DeepWiki

Auth0 Application Setup

This page guides you through creating and configuring an Auth0 Application in the Auth0 Dashboard. This is a prerequisite for using the WordPress plugin, as the plugin requires an Auth0 Application's credentials (Domain, Client ID, and Client Secret) to function. This page covers only the Auth0 side of the setup; for WordPress plugin configuration, see WordPress Plugin Configuration. For installation instructions, see Installation.

Prerequisites

Before proceeding, you must have an Auth0 account. If you don't have one, you can create a free account.

Creating an Auth0 Application

The plugin requires a Regular Web Application type in Auth0:

  1. Navigate to the Applications section in your Auth0 Dashboard
  2. Click "Create Application"
  3. Choose "Regular Web Application" as the application type
  4. Click "Create"

After creation, Auth0 will display the application's Settings page where you'll configure all required parameters.

Sources: README.md lines 100-105

Application Credentials

Three credentials from the Auth0 Application Settings page are required for WordPress plugin configuration:

Credential | Location | Purpose
Domain | Settings → Basic Information | Auth0 tenant domain (e.g., tenant.auth0.com or tenant.region.auth0.com)
Client ID | Settings → Basic Information | Public identifier for the application
Client Secret | Settings → Basic Information | Confidential shared secret that authenticates the application to Auth0 (for example, at the token endpoint); treat it like a password and never expose it client-side

These values will be entered into the WordPress plugin configuration as described in WordPress Plugin Configuration. The plugin stores these in the wp_options table under the auth0_client option key and uses them to build the SdkConfiguration object that initializes the Auth0-PHP SDK.

Sources: README.md lines 107-109

URL Configuration

The WordPress site's URLs must be registered in the Auth0 Application to enable the authentication flow. These URLs are configured in the Application Settings page.

Determining WordPress URLs

Before configuring Auth0, obtain these URLs from your WordPress installation:

URL Type | Location in WordPress | Description
WordPress Address | Settings → General | URL where WordPress core files reside
Site Address | Settings → General | URL visitors use to access the site

These URLs must match what visitors actually use to access your site. Common issues:

  • If using a reverse proxy, manually configure these URLs to match the public-facing URL
  • Ensure the protocol (HTTP vs HTTPS) matches your actual site configuration
  • For sites behind SSL termination, these should reflect HTTPS

Sources: README.md lines 110-125

Required URL Settings

Configure the following URL fields in the Auth0 Application Settings:

Allowed Callback URLs

Format: https://your-wordpress-address/wp-login.php

This is where Auth0 redirects users after authentication. The plugin's Authentication::onLogin method handles requests to this URL during the callback phase.

Critical: The wp-login.php URL must never be cached. Caching this URL will cause "invalid state" errors during authentication because the state validation will fail.

Allowed Web Origins

Format: Both WordPress Address and Site Address URLs (without paths)

Example:

https://example.com, https://www.example.com

These origins are used for Cross-Origin Resource Sharing (CORS) validation during certain authentication operations.

Allowed Logout URLs

Format: Your WordPress Address URL

This is where Auth0 redirects users after logout. The plugin's Authentication::onLogout method initiates logout and redirects to this URL.

Sources: README.md lines 112-119

Application Type Configuration

The Auth0 Application must be configured as a Regular Web Application. This application type is designed for server-side web applications where the source code is not publicly exposed, allowing secure storage of the Client Secret.

Verification: In Application Settings → Basic Information, confirm "Application Type" shows "Regular Web Application".

Sources: README.md line 132

Token Endpoint Authentication Method

The Token Endpoint Authentication Method must be set to Post.

This setting controls how the application authenticates when exchanging the authorization code for tokens at Auth0's /oauth/token endpoint. The Post method sends credentials in the request body rather than as Basic Authentication headers.

Location: Application Settings → Application Properties → Token Endpoint Authentication Method

Sources: README.md line 133

Advanced Settings

Several advanced settings are required for the plugin to function correctly. These settings are found by scrolling down on the Application Settings page and expanding the "Advanced Settings" panel.

OAuth Settings

Navigate to Advanced Settings → OAuth tab:

Setting | Required Value | Purpose
JsonWebToken Signature Algorithm | RS256 | Asymmetric signing algorithm for ID tokens. The plugin validates these signatures using Auth0's public keys.
OIDC Conformant | Enabled | Ensures the application uses OpenID Connect (OIDC) standards for authentication flows.

Because RS256 is asymmetric, the plugin verifies ID token signatures with Auth0's published public keys rather than with the Client Secret (which the symmetric HS256 algorithm would require), so the secret is never needed for token validation.

Grant Types

Navigate to Advanced Settings → Grant Types tab and enable:

Grant Type | Required | Purpose
Implicit | Yes | Allows token retrieval directly from the authorization endpoint (used in certain authentication scenarios)
Authorization Code | Yes | Primary grant type for server-side web applications. Used during the main authentication flow.
Client Credentials | Yes | Allows the plugin to obtain access tokens for calling the Auth0 Management API during user synchronization
Refresh Token | Optional | Enables the plugin to refresh expired access tokens without requiring re-authentication

The Authorization Code grant is used during the login flow when Authentication::onLogin exchanges the authorization code for tokens. The Client Credentials grant is used by Sync actions when synchronizing user data to Auth0 via the Management API.

Sources: README.md lines 137-144

CORS Configuration

The Allowed Origins (CORS) field under Application Settings should be left blank.

The plugin operates as a server-side application and does not make client-side JavaScript requests to Auth0's API endpoints that would require CORS configuration. The Allowed Web Origins field (configured in URL Configuration above) handles the necessary origin validation for the authentication flow.

Sources: README.md line 134

Verification Checklist

Before proceeding to WordPress plugin configuration, verify your Auth0 Application is configured correctly:

Basic Settings

  • Application Type: Regular Web Application
  • Token Endpoint Authentication Method: Post
  • Domain, Client ID, and Client Secret are visible and noted

URLs

  • Allowed Callback URLs includes https://your-wordpress-address/wp-login.php
  • Allowed Web Origins includes both WordPress Address and Site Address
  • Allowed Logout URLs includes WordPress Address
  • Allowed Origins (CORS) is empty

Advanced Settings → OAuth

  • JsonWebToken Signature Algorithm: RS256
  • OIDC Conformant: Enabled

Advanced Settings → Grant Types

  • Authorization Code: Enabled
  • Implicit: Enabled
  • Client Credentials: Enabled
  • Refresh Token: Enabled (optional, but recommended)
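The URL rules from URL Configuration and this checklist can be applied mechanically to an exported copy of the application settings. The script below is an added example, not code from the auth0/wordpress plugin: it assumes the JSON field names of the Auth0 Management API client object (app_type, token_endpoint_auth_method, jwt_configuration, grant_types, callbacks, web_origins, allowed_logout_urls, allowed_origins) and audits a constructed sample client that contains two deliberate misconfigurations.

```python
# Added example, not code from the auth0/wordpress plugin: audits a JSON snapshot of an
# Auth0 Application against this page's checklist. Field names (app_type, grant_types,
# jwt_configuration.alg, ...) follow the Auth0 Management API client object; assumed here.
import json
from urllib.parse import urlsplit

WP_ADDRESS = "https://example.com"        # Settings -> General -> WordPress Address
SITE_ADDRESS = "https://www.example.com"  # Settings -> General -> Site Address
# Constructed sample with two deliberate mistakes: Basic auth method, missing web origin.
SAMPLE_CLIENT = json.loads("""{
  "app_type": "regular_web", "token_endpoint_auth_method": "client_secret_basic",
  "oidc_conformant": true, "jwt_configuration": {"alg": "RS256"},
  "grant_types": ["authorization_code", "implicit", "client_credentials"],
  "callbacks": ["https://example.com/wp-login.php"],
  "web_origins": ["https://example.com"],
  "allowed_logout_urls": ["https://example.com"],
  "allowed_origins": []
}""")

def origin(url):
    """Scheme and host only, the form Allowed Web Origins expects (no path)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def audit(client, wp_address, site_address):
    """Return the checklist items the application fails; an empty list means it passes."""
    wp_address = wp_address.rstrip("/")
    grants = set(client.get("grant_types", []))
    checks = [
        (client.get("app_type") == "regular_web", "Application Type must be Regular Web Application"),
        (client.get("token_endpoint_auth_method") == "client_secret_post",
         "Token Endpoint Authentication Method must be Post"),
        (client.get("jwt_configuration", {}).get("alg") == "RS256",
         "JsonWebToken Signature Algorithm must be RS256"),
        (client.get("oidc_conformant") is True, "OIDC Conformant must be enabled"),
        ({"authorization_code", "implicit", "client_credentials"} <= grants,
         "Authorization Code, Implicit and Client Credentials grants must be enabled"),
        (wp_address + "/wp-login.php" in client.get("callbacks", []),
         "Allowed Callback URLs must include <WordPress Address>/wp-login.php"),
        ({origin(wp_address), origin(site_address)} <= set(client.get("web_origins", [])),
         "Allowed Web Origins must include both WordPress Address and Site Address"),
        (wp_address in client.get("allowed_logout_urls", []), "Allowed Logout URLs must include WordPress Address"),
        (not client.get("allowed_origins"), "Allowed Origins (CORS) must be left blank"),
    ]
    findings = [message for passed, message in checks if not passed]
    # Plain-HTTP addresses usually point to a reverse proxy or SSL termination mismatch.
    for label, url in (("WordPress Address", wp_address), ("Site Address", site_address)):
        if urlsplit(url).scheme != "https":
            findings.append(f"{label} is not HTTPS; set it to the public-facing URL")
    return findings
```

Calling audit(SAMPLE_CLIENT, WP_ADDRESS, SITE_ADDRESS) reports the two planted mistakes; feeding it a client object fetched from the Management API (GET /api/v2/clients/{id}) audits a real application the same way.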

Next Steps

After completing Auth0 Application setup, proceed to WordPress Plugin Configuration to enter these credentials into the WordPress Dashboard and enable authentication.

For testing the complete authentication flow, see First Login Test.

Sources: README.md lines 130-145