- If you’re setting up the plugin for the first time or having problems with users logging in, please read Configure Login by Auth0.
- If you found a bug in the plugin code, submit an issue or create a pull request in GitHub.
- If you have questions about how to use Auth0 or the plugin, please post on our community site or create a request in the plugin’s WordPress support forum.
- To see additional documentation and find more answers, visit our support site. Customers on a paid Auth0 plan can submit a trouble ticket for a fast response.
I’m seeing the error message “Invalid state” that prevents me from logging in
State validation is a security feature added in version 3.6.0. A cached callback URL usually causes this error message (see your Application settings for the callback URLs that should not be cached). To learn more, read Troubleshoot WordPress Plugin Invalid State Errors.
I’m having an issue logging in or changing email/password using a custom database
To learn about possible solutions, read User Migration in Login by Auth0 WordPress Plugin.
I’m seeing the error message “Invalid ID token” or “Expired ID token” that prevents me from logging in
This is typically caused by a server set to an incorrect time. If the error message includes “used too early,” then your server time is set in the future. If it says that the token is expired, then the server time is set too far in the past. A difference in time between two servers is common. Output echo date(DateTime::ISO8601) in PHP on your server and compare that, including seconds, to the current UTC time. If your server’s time is more than 60 seconds (the default leeway) off from UTC time, then you’ll need to set a longer leeway to account for your server’s clock skew. You can paste the code below in your theme’s functions.php or anywhere else that would run it after the plugin loads and before the login hook runs:
I see the error message “This account does not have an email associated…” that prevents me from logging in
If you get this error, make sure you are requesting an email from each provider in the Auth0 Dashboard under Connections > Social (expand each provider). Take into account that not all providers return email addresses for users (e.g., X). If this happens, you can always add an email address to any logged-in user through the Auth0 Dashboard (or API). See Users > Edit. For Connections that don’t provide an email_verified flag (some Enterprise connections will not include this) or to skip this validation for specific Social Connections, add the strategy for that Connection in the “Skip Strategies” field. This field is located below the Require Verified Email switch accessible via wp-admin > Auth0 > Settings > Advanced.
This field should only be used if necessary because it circumvents the security precautions recommended by Auth0.
I see the error message “There is a user with the same email” that prevents me from logging in
This means that there is a user in WordPress that has the same email as the one being used to log in, but that user is associated with a different Auth0 user. If you’re in the process of testing the plugin or want to associate the existing user with the new Auth0 user instead:
- Log in as an admin
- Go to wp-admin > Users and search for the email being used
- View the user’s profile and scroll down to the bottom
- Click Delete Auth0 Data and confirm
I see the error message “Failed cross origin authentication” or “No verifier returned from client” in my browser’s console logs when trying to log in
Go to Auth0 Dashboard > Applications > Applications, select your WordPress application to view its settings, and check that the Allowed Callback URLs and Allowed Origins (CORS) match your WordPress site. If you’re using a Chromium-based browser, make sure you don’t have third-party cookies turned off. To learn more, read Cross-Origin Authentication.
I need to rerun the Setup Wizard, but I don’t see that menu option anymore.
This means that the plugin is already configured with a Domain, Client ID, and Client Secret. Running the Setup Wizard a second time can have unpredictable results. If you’re setting up WordPress for the first time and want to start over before any logins have occurred:
- Go to wp-admin > Auth0 > Settings > Basic.
- Delete the Domain and Client ID. Scroll down and click Save Changes.
- Go to Auth0 Dashboard > Applications > Applications.
- Find the Application that was created by WordPress (its name should be the site name of your WordPress site).
- Select the Application to view its settings. Scroll down, and select Delete Application.
- Go to Auth0 Dashboard > Authentication > Database.
- Find the Connection that was created by WordPress (its name should be the site name of your WordPress site prepended with “DB-”).
- Select the Connection to view its settings. Scroll down, and select I Want To Delete This Connection. Please note that this will delete the Connection and all users that were created within it.
- Return to WordPress. You will now see the Setup Wizard option under Auth0 in the admin menu.
How do I set up Passwordless login?
Passwordless login is possible on any Auth0-enabled website using email or SMS. To make this work on your WordPress site:
- Turn on Passwordless Login from the plugin settings’ Features view and save.
- Go to Auth0 Dashboard > Authentication > Passwordless.
- To use email, turn on the Email connection and modify the settings if desired. This will turn on email code login (users are emailed a code which is then typed into the login form on your site).
- To use a “magic link” (emailed link will automatically log users in), add {passwordlessMethod: 'code'} to the “Extra Settings” field in the plugin settings’ Advanced tab.
- To use SMS login, turn on the SMS connection and follow the steps to set up a Twilio developer account (this will require a paid Twilio account depending on usage).
sms to the Connections field in the plugin settings’ Advanced tab.
I have two accounts for the same user in WordPress
Under some situations, you may end up with a user with two accounts. WordPress allows you to merge users by deleting one of the accounts and attributing that account’s content to another user. Go to wp-admin > Users, select the account you want to remove, and in the confirmation dialog select another user to transfer the content.
My configuration is wrong, and I can’t authenticate using Auth0. Is there another way to access the plugin?
The plugin can be accessed using valid WordPress credentials through the regular WordPress login by adding ?wle to the login URL. For example: http://yourdomain.com/wp-login.php?wle.
I am having problems when a user logs in. Where can I find a log of what is happening?
The plugin provides an error log where you can check what has happened. Access it through the Error Log sub-item of the Auth0 plugin menu. You can find additional information at Auth0 Dashboard > Monitoring > Logs.
How can I show the widget or shortcode in signup mode by default?
You can use the widgetExtra configuration setting (or the extra_conf attribute in the shortcode) and add the JSON {"mode":"signup"}, which forces the plugin to be shown in this mode.
When using a plugin to force the login, the user is not logged in
This is typically caused by a cached page after login. Check with your host for strategies to mitigate this or try adding a cache-busting parameter to the URL. To learn more, use this gist on GitHub.
The user is not logged in when using the “Force Login” plugin
This is because the callback URL has not been added to the AllowList. Try adding this code to the my_forcelogin_whitelist filter:
How can I redirect the users to a specific URL after login?
All redirects are checked using wp_safe_redirect() before being performed. If you’re trying to redirect to a domain that is not your main domain, add that domain to the check using the core WordPress allowed_redirect_hosts filter. To learn more, read apply_filters( 'allowed_redirect_hosts', string[] $hosts, string $host ) on wordpress.org.
On the login page
This plugin leverages WordPress features to work seamlessly with default settings. To add a redirect, you can append the redirect_to query parameter to the URL when you direct the user to the login page. The plugin will redirect the user to this URL after a successful login.
You can also use the Login redirection URL setting in the Auth0 plugin settings page. This URL will be used to redirect the user when the redirect_to parameter is not provided.
Using the widget
The widget will automatically redirect to the same page where the user was before authentication. You can override this using the Redirect after login: setting.
Using the shortcode
The shortcode will automatically redirect to the same page where the user was before authentication. You can override this using the redirect_to attribute.
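The allowed_redirect_hosts filter and the redirect_to parameter described above can be combined as follows. This is an added example, not code from the plugin; the host names, constant and function names are placeholders chosen for illustration.

```php
<?php
// Added example, not plugin code. Host names are placeholders (assumptions).
// Place in the theme's functions.php or a small site-specific plugin.

// Exact host names that post-login redirects may target besides this site.
const EXAMPLE_EXTRA_REDIRECT_HOSTS = array( 'app.example.com', 'shop.example.com' );

/**
 * Extend the allowlist that wp_safe_redirect() consults.
 * Keep the list static; never build it from request data.
 */
function example_allowed_redirect_hosts( $hosts ) {
	return array_values( array_unique( array_merge( $hosts, EXAMPLE_EXTRA_REDIRECT_HOSTS ) ) );
}
add_filter( 'allowed_redirect_hosts', 'example_allowed_redirect_hosts' );

/**
 * Build a login URL carrying redirect_to. A target whose host is not on the
 * allowlist is replaced with the site's home page before the link is built.
 */
function example_login_url_for( $target ) {
	$safe_target = wp_validate_redirect( $target, home_url( '/' ) );
	return wp_login_url( $safe_target );
}
```

With this in place, example_login_url_for( 'https://app.example.com/welcome' ) keeps its target, while a URL on a host outside the list falls back to the home page.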
How can I migrate my WordPress users to Auth0?
The current version of the plugin does not provide a way to migrate users to Auth0 automatically, but you have a few options:
- The plugin exposes two endpoints to mark your custom database connection for import to Auth0 mode. To learn more about the endpoints, read Configure Automatic Migration from Your Database. You can use these plugin scripts to set up your connection.
- Export your user data to a JSON file and upload it for batch-import into Auth0. Initially, your users will have to reset their passwords when logging in using Auth0 because there is no way for Auth0 to decrypt the WordPress passwords during migration. To learn how to generate the JSON file, read Bulk User Imports. Then you will need to upload the file using the Auth0 Management API’s Import Users endpoint.
- Use this script and the WordPress XML RPC endpoint to set up the migration flow using a custom database connection. To learn more about setting up the migration flow, read Configure Automatic Migration from Your Database. To learn more about the WordPress XML RPC endpoint, read XML-RPC Support on wordpress.org.
The form_title setting is ignored when I set up the dict setting
Internally, the plugin uses the dict setting to change the Auth0 widget title. When you set up the dict field, it overrides the form_title one. To change the form_title in this case, you need to add the following attribute to the dict JSON:
How can I modify the embedded Auth0 login form?
There are many options on the Appearance tab of the plugin settings page that can change the look and feel of the login form that is embedded on your site (wp-login.php page, shortcodes, or widgets). To learn more about these options, read Configure Login by Auth0. This will not affect the login form on the Auth0-hosted Universal Login Page.
There is also a field called “Extra Settings” on the Advanced tab that accepts a valid JSON object with all the settings you want to configure. This will override any changes made on the Appearance tab. To see all possible configuration options, read Lock Configuration Options.
External style sheets and JS files should be loaded in your theme using the wp_enqueue_scripts hook for shortcodes/widgets and the login_enqueue_scripts hook for wp-login.php. To learn more, read do_action( 'wp_enqueue_scripts' ) on wordpress.org and do_action( 'login_enqueue_scripts' ) on wordpress.org.
The session expires too soon
The Auth0 plugin does not handle sessions; it uses the WordPress settings. By default, user sessions are kept alive for two days. You can enable the Remember users session setting on the plugin settings’ Advanced tab to allow sessions to remain live for up to 14 hours.
How do I implement a Refresh Token?
We implemented additional parameters in the login methods used by the plugin to allow for Refresh Tokens. Use the auth0_auth_scope filter combined with the auth0_user_login action to accomplish this.
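One way to combine the two hooks, as an added example that is not the plugin's own code. It assumes the filter passes the scopes as an array and that the action passes the refresh token as its sixth argument; the function names and meta key are hypothetical, and sealing the token with libsodium before storage is a choice made here, not something the plugin does.

```php
<?php
// Added example, not plugin code. The scope array and the argument order of
// auth0_user_login are assumptions; confirm them against your plugin version.

// Request a refresh token by adding the standard OAuth offline_access scope.
function example_auth0_auth_scope( $scopes ) {
	if ( ! in_array( 'offline_access', $scopes, true ) ) {
		$scopes[] = 'offline_access';
	}
	return $scopes;
}
add_filter( 'auth0_auth_scope', 'example_auth0_auth_scope' );

// Derive a 32-byte key from a WordPress salt so the token is not stored in
// clear text in wp_usermeta. This protects database dumps and backups, not a
// server where wp-config.php is also readable.
function example_refresh_token_key() {
	return sodium_crypto_generichash( wp_salt( 'auth' ), '', SODIUM_CRYPTO_SECRETBOX_KEYBYTES );
}

// Assumed arguments: user ID, profile, new-user flag, ID token, access token,
// refresh token.
function example_store_refresh_token( $user_id, $userinfo, $is_new, $id_token, $access_token, $refresh_token = null ) {
	if ( empty( $refresh_token ) ) {
		return; // No refresh token was issued for this login.
	}
	$nonce  = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
	$sealed = sodium_crypto_secretbox( $refresh_token, $nonce, example_refresh_token_key() );
	// Hypothetical meta key name.
	update_user_meta( $user_id, '_example_auth0_refresh_token', base64_encode( $nonce . $sealed ) );
}
add_action( 'auth0_user_login', 'example_store_refresh_token', 10, 6 );
```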
Profile data saved in WordPress is not being synced to the Auth0 user account.
This is a current limitation of the plugin but something we’re looking at in a future release. The one exception to this is the user password. If the password is changed in WordPress and it passes the security policy set for the database connection being used, then that password will update for the Auth0 user as well. We’ll be adding an error message in a future release to stop the process if the password is not strong enough.
How do I migrate from “Social Login with Auth0” to “Login by Auth0”?
Historically, Auth0 has maintained two WordPress plugins: These two plugins are effectively the same, but Social Login with Auth0 will not receive any updates past version 3.7.0 (released 13 August 2018). Migrating from Social Login with Auth0 to Login by Auth0 is simple and won’t result in any Auth0 or WordPress data loss. Moving from Social Login with Auth0 to Login by Auth0 will update the version number you see, so make sure to test this change out on a staging or development server first (just as you would if you were updating the plugin in wp-admin). Furthermore, logins may not work during the migration process, so be sure to use a maintenance mode plugin or complete the migration during off-peak hours.
The easiest way to migrate is via (S)FTP:
- Log in to the WordPress site as an administrator.
- Download Login by Auth0 and unzip it locally.
- Deactivate the Social Login with Auth0 plugin from the WordPress admin > Plugins screen.
- Log in to the server you want to migrate to and navigate to wp-content/plugins.
- Move the social-login-with-auth0 folder out of the plugins folder to back up the contents.
- Upload the new auth0 plugin folder to the plugins directory.
- Activate the new “Login by Auth0” plugin from the WordPress Admin > Plugins screen.
- Log in to the WordPress site as an administrator.
- Go to Auth0 > Import-Export Settings.
- Click Export Settings, then Export.
- Deactivate the Social Login with Auth0 plugin from the WordPress Admin > Plugins screen.
- Delete the Social Login with Auth0 plugin and confirm.
- Go to Plugins > Add New and search for “Auth0”.
- For the Login by Auth0 plugin (make sure to check the name), click Install Now.
- When this completes, click Activate.
- Check Auth0 > Settings and make sure the previous settings remain. If not:
  - Go to Auth0 > Import-Export Settings.
  - Paste in the settings JSON exported previously and click Import.
- Completely delete the settings file export JSON (it contains sensitive information).