 |
VOOZH | about |
|
VOOZH | about |
This page details the complete authentication process in the Auth0 WordPress plugin, from initial login redirect through token exchange, user resolution, and session establishment. This covers how users authenticate via Auth0 Universal Login and how their identity is synchronized with WordPress.
For information about plugin initialization and SDK configuration, see Plugin Initialization and Bootstrap. For details about background user synchronization, see User Synchronization.
The authentication flow is managed primarily by the Authentication action class, which registers hooks for login, logout, session validation, and account management. The flow follows the OAuth 2.0 Authorization Code flow with PKCE (Proof Key for Code Exchange), coordinating between WordPress, Auth0's cloud platform, and the plugin's custom database tables.
Sources: src/Actions/Authentication.php1-726 README.md10-13
The plugin intercepts authentication at multiple WordPress hooks:
| Hook | Method | Purpose |
|---|---|---|
init | onInit() | Validates and maintains active sessions on every request |
login_form_login | onLogin() | Handles wp-login.php access and callback processing |
auth0_login_callback | onLogin() | Custom hook for programmatic login initiation |
login_form_logout | onLogout() | Processes logout requests |
auth0_logout | onLogout() | Custom hook for programmatic logout |
The registry of these hooks is defined in the Authentication class's $registry property.
Sources: src/Actions/Authentication.php22-51
Title: Complete Authentication Flow Sequence
Sources: src/Actions/Authentication.php433-551 src/Actions/Authentication.php660-724
The token exchange happens in the onLogin() method when the callback URL contains both code and state query parameters.
Title: Token Exchange Decision Flow
The exchange process occurs at src/Actions/Authentication.php474-501:
getSdk()->getRequestParameter('code') and getSdk()->getRequestParameter('state')getSdk()->exchange(code, state) exchanges the authorization code for tokensauth0_token_exchange_failed hook is triggered at line 499Sources: src/Actions/Authentication.php474-501 src/Actions/Authentication.php553-558
The resolveIdentity() method determines which WordPress user corresponds to an authenticated Auth0 identity. This is a critical security boundary.
Title: User Identity Resolution Decision Tree
The resolution follows a strict priority order defined in src/Actions/Authentication.php660-724:
auth0_accounts table for exact sub matchemail_verified is true, lookup by email address
auth0_accountspair_sessions=0 can bypass strict modeaccounts.missing='create', create new WordPress user
sub identifierwp_generate_password()accounts.default_role configurationSources: src/Actions/Authentication.php660-724 src/Actions/Configuration.php41-82
The auth0_accounts table maintains the relationship between WordPress user IDs and Auth0 connection identifiers (the sub claim).
| Column | Type | Description |
|---|---|---|
id | BIGINT | Auto-increment primary key |
site | TINYINT | WordPress network ID (for multisite) |
blog | BIGINT | WordPress blog ID (for multisite) |
user | BIGINT | WordPress user ID (foreign key to wp_users.ID) |
auth0 | TEXT | Auth0 connection identifier (user's sub claim) |
Sources: src/Database.php101-118
Title: Account Connection Management Operations
The createAccountConnection() method at src/Actions/Authentication.php53-88 stores the mapping:
wp_cache with key auth0_account_{hash(connection)}SELECT from auth0_accounts to check for existing mappingINSERT new row with user, site, blog, and auth0 valueswp_cache and transient for 120 secondsThe getAccountByConnection() method at src/Actions/Authentication.php111-154 retrieves users:
SELECT user FROM {prefix}auth0_accounts WHERE site=%d AND blog=%d AND auth0="%s"WP_User object or nullSources: src/Actions/Authentication.php53-154 src/Database.php101-118
The onInit() method runs on every WordPress request to validate session consistency between WordPress and Auth0.
Title: Session Validation Flow (onInit)
The authentication.pair_sessions configuration controls session validation strictness:
| Value | Constant | Behavior |
|---|---|---|
0 | Non-administrators | Pairing enforced for all users except administrators |
1 | All users (Recommended) | Pairing enforced for all users including administrators |
2 | Disabled | No session pairing validation |
When pairing is enforced:
wp_logout() calledgetSdk()->clear() calledgetSdk()->renew() attemptedSources: src/Actions/Authentication.php353-431 src/Actions/Configuration.php200-211
The plugin supports two session storage mechanisms configured via sessions.method:
Session data is stored in encrypted browser cookies using the CookieStore implementation from the Auth0 SDK. The cookie secret from cookies.secret is used for encryption.
Configuration: src/Plugin.php312-318
Session data is stored in PHP's native session mechanism. This requires proper PHP session configuration for security and reliability.
Sources: src/Actions/Configuration.php273-326
When sessions.rolling_sessions is enabled (not 'false'), the onShutdown() method extends session lifetime on each request:
Title: Rolling Session Update Flow
This ensures both the Auth0 SDK session and WordPress authentication cookie are refreshed on every request, preventing premature expiration during active use.
Sources: src/Actions/Authentication.php573-589 src/Actions/Configuration.php306-315
The plugin registers handlers for WordPress's cookie validation hooks to maintain session consistency:
| Hook | Handler | Action Taken |
|---|---|---|
auth_cookie_malformed | onAuthCookieMalformed() | Clear Auth0 SDK session |
auth_cookie_expired | onAuthCookieExpired() | Clear Auth0 SDK session |
auth_cookie_bad_username | onAuthCookieBadUsername() | Clear Auth0 SDK session |
auth_cookie_bad_session_token | onAuthCookieBadSessionToken() | Clear Auth0 SDK session |
auth_cookie_bad_hash | onAuthCookieBadHash() | Clear Auth0 SDK session |
All handlers call getSdk()->clear() to invalidate the Auth0 session when WordPress detects an invalid authentication cookie.
Sources: src/Actions/Authentication.php194-262
The logout process clears both WordPress and Auth0 sessions:
Title: Logout Sequence
The onLogout() method at src/Actions/Authentication.php560-565:
wp_logout() to destroy the WordPress sessiongetSdk()->logout(get_site_url()) to get Auth0's logout URLreturnTo parameter set to the WordPress site URLSources: src/Actions/Authentication.php560-565
The plugin supports bypassing Auth0 login via a secret URL parameter for emergency access:
When authentication.allow_fallback is enabled and the correct authentication.fallback_secret is provided, the onLogin() method returns early, allowing WordPress's native login form to be displayed.
Configuration: src/Actions/Authentication.php443-452 src/Actions/Configuration.php212-227
Sources: src/Actions/Authentication.php443-452
The plugin supports OIDC Back-Channel Logout for coordinated session termination:
When a back-channel logout request is received with valid credentials, getSdk()->handleBackchannelLogout() processes the logout token and terminates the session.
Configuration: src/Actions/Configuration.php391-430
Sources: src/Actions/Authentication.php454-469 CHANGELOG.md28-35
When getSdk()->exchange() throws an exception at src/Actions/Authentication.php492-501:
error_log()auth0_token_exchange_failed is triggeredonExchangeFailed() handler redirects to homepageWhen Auth0 returns an error (via ?error query parameter), the user is redirected to the homepage without attempting authentication.
Refresh this wiki