Added Lock 11 / Auth0 9.0, Updated SSO, JWT Algorithm Upgrade Fixes

README.md

@@ -182,7 +182,6 @@ And can be customized by adding the following parameters:
 * social_big_buttons: boolean
 * gravatar: boolean
 * username_style: string, "email" or "username"
-* remember_last_login: boolean
 * icon_url: string (valid url)
 * extra_conf: string, valid json
 * show_as_modal: boolean

WP_Auth0.php

@@ -2,16 +2,16 @@
 /**
  * Plugin Name: PLUGIN_NAME
  * Description: PLUGIN_DESCRIPTION
- * Version: 3.3.2
+ * Version: 3.4.0
  * Author: Auth0
  * Author URI: https://auth0.com
  */
 define( 'WPA0_PLUGIN_FILE', __FILE__ );
 define( 'WPA0_PLUGIN_DIR', trailingslashit( plugin_dir_path( __FILE__ ) ) );
 define( 'WPA0_PLUGIN_URL', trailingslashit( plugin_dir_url( __FILE__ ) ) );
 define( 'WPA0_LANG', 'wp-auth0' ); // deprecated; do not use for translations
-define( 'AUTH0_DB_VERSION', 14 );
-define( 'WPA0_VERSION', '3.3.2' );
+define( 'AUTH0_DB_VERSION', 15 );
+define( 'WPA0_VERSION', '4.0.0' );
 
 /**
  * Main plugin class

lib/WP_Auth0_Api_Client.php

@@ -225,9 +225,14 @@ public static function create_client( $domain, $app_token, $name ) {
 							home_url( '/wp-login.php' )
 						),
 						"allowed_origins"=>array(
-							home_url( '/wp-login.php' ),
-							admin_url( '/admin.php?page=wpa0-setup&step=2&profile=social' )
+							home_url( '/wp-login.php' )
+						),
+						"jwt_configuration" => array(
+							"alg" => "RS256"
 						),
+						"app_type" => "regular_web",
+						"cross_origin_auth" => true,
+						"cross_origin_loc" => home_url('/index.php?auth0fallback=1','https'),
 						"allowed_logout_urls" => array(
 							$logout_url
 						),
@@ -246,7 +251,21 @@ public static function create_client( $domain, $app_token, $name ) {
 			return false;
 		}
 
-		return json_decode( $response['body'] );
+		$response = json_decode( $response['body'] );
+
+		// Workaround: Can't add `web_origin` on create
+		$payload = array(
+			"web_origins" => array(home_url())
+		);
+		$updateResponse = WP_Auth0_Api_Client::update_client($domain, $app_token, $response->client_id, false, $payload);
+
+		if ( $updateClient instanceof WP_Error ) {
+			WP_Auth0_ErrorManager::insert_auth0_error( 'WP_Auth0_Api_Client::create_client', $updateResponse );
+			error_log( $updateResponse->get_error_message() );
+			return false;
+		}
+
+		return $response;
 	}
 
 	public static function search_clients( $domain, $app_token ) {
@@ -277,7 +296,7 @@ public static function search_clients( $domain, $app_token ) {
 		return json_decode( $response['body'] );
 	}
 
-	public static function update_client( $domain, $app_token, $client_id, $sso ) {
+	public static function update_client( $domain, $app_token, $client_id, $sso, $payload = array() ) {
 
 		$endpoint = "https://$domain/api/v2/clients/$client_id";
 
@@ -289,9 +308,7 @@ public static function update_client( $domain, $app_token, $client_id, $sso ) {
 		$response = wp_remote_post( $endpoint  , array(
 				'method' => 'PATCH',
 				'headers' => $headers,
-				'body' => json_encode( array(
-						'sso' => $sso,
-					) )
+				'body' => json_encode( array_merge(array( 'sso' => boolval($sso)), $payload) )
 			) );
 
 		if ( $response instanceof WP_Error ) {
@@ -749,44 +766,44 @@ protected function convertCertToPem($cert) {
 
   public static function JWKfetch($domain) {
 
-		$a0_options = WP_Auth0_Options::Instance();
+	$a0_options = WP_Auth0_Options::Instance();
 
-    $endpoint = "https://$domain/.well-known/jwks.json";
+	$endpoint = "https://$domain/.well-known/jwks.json";
 
     $cache_expiration = $a0_options->get('cache_expiration');
 
-		if ( false === ($secret = get_transient('WP_Auth0_JWKS_cache') ) ) {
+	if ( false === ($secret = get_transient('WP_Auth0_JWKS_cache') ) ) {
 
-			$secret = [];
+		$secret = [];
 
-			$response = wp_remote_get( $endpoint, array() );
+		$response = wp_remote_get( $endpoint, array() );
 
-			if ( $response instanceof WP_Error ) {
-				WP_Auth0_ErrorManager::insert_auth0_error( 'WP_Auth0_Api_Client::JWK_fetch', $response );
-				error_log( $response->get_error_message() );
-				return false;
-			}
-
-			if ( $response['response']['code'] != 200 ) {
-				WP_Auth0_ErrorManager::insert_auth0_error( 'WP_Auth0_Api_Client::JWK_fetch', $response['body'] );
-				error_log( $response['body'] );
-				return false;
-			}
+		if ( $response instanceof WP_Error ) {
+			WP_Auth0_ErrorManager::insert_auth0_error( 'WP_Auth0_Api_Client::JWK_fetch', $response );
+			error_log( $response->get_error_message() );
+			return false;
+		}
 
-			if ( $response['response']['code'] >= 300 ) return false;		
+		if ( $response['response']['code'] != 200 ) {
+			WP_Auth0_ErrorManager::insert_auth0_error( 'WP_Auth0_Api_Client::JWK_fetch', $response['body'] );
+			error_log( $response['body'] );
+			return false;
+		}
 
-			$jwks = json_decode($response['body'], true);
+		if ( $response['response']['code'] >= 300 ) return false;		
 
-			foreach ($jwks['keys'] as $key) { 
-				$secret[$key['kid']] = self::convertCertToPem($key['x5c'][0]);
-      }
+		$jwks = json_decode($response['body'], true);
 
-      if ($cache_expiration !== 0) {
-      	set_transient( 'WP_Auth0_JWKS_cache', $secret, $cache_expiration * MINUTE_IN_SECONDS );
-    	}
+		foreach ($jwks['keys'] as $key) { 
+			$secret[$key['kid']] = self::convertCertToPem($key['x5c'][0]);
+		}
 
+		if ($cache_expiration !== 0) {
+			set_transient( 'WP_Auth0_JWKS_cache', $secret, $cache_expiration * MINUTE_IN_SECONDS );
 		}
 
-    return $secret;
 	}
+
+  return $secret;
+  }
 }

lib/WP_Auth0_DBManager.php

@@ -35,28 +35,6 @@ public function install_db() {
 
 		$cdn_url = $options->get( 'cdn_url' );
 
-		if ( strpos( $cdn_url, 'auth0-widget-5' ) !== false || strpos( $cdn_url, 'lock-6' ) !== false ) {
-			$options->set( 'cdn_url', '//cdn.auth0.com/js/lock-9.1.min.js' );
-		}
-		if ( strpos( $cdn_url, 'auth0-widget-5' ) !== false || strpos( $cdn_url, 'lock-8' ) !== false ) {
-			$options->set( 'cdn_url', '//cdn.auth0.com/js/lock-9.1.min.js' );
-		}
-		if ( strpos( $cdn_url, 'auth0-widget-5' ) !== false || strpos( $cdn_url, 'lock-9.0' ) !== false ) {
-			$options->set( 'cdn_url', '//cdn.auth0.com/js/lock-9.1.min.js' );
-		}
-		if ( strpos( $cdn_url, 'auth0-widget-5' ) !== false || strpos( $cdn_url, 'lock-9.1' ) !== false ) {
-			$options->set( 'cdn_url', '//cdn.auth0.com/js/lock-9.2.min.js' );
-		}
-		if ( strpos( $cdn_url, '10.0' ) !== false ) {
-			$options->set( 'cdn_url', '//cdn.auth0.com/js/lock/10.3/lock.min.js' );
-		}
-		if ( strpos( $cdn_url, '10.1' ) !== false ) {
-			$options->set( 'cdn_url', '//cdn.auth0.com/js/lock/10.3/lock.min.js' );
-		}
-		if ( strpos( $cdn_url, '10.2' ) !== false ) {
-			$options->set( 'cdn_url', '//cdn.auth0.com/js/lock/10.3/lock.min.js' );
-		}
-
 		if ( $this->current_db_version <= 7 ) {
 			if ( $options->get( 'db_connection_enabled' ) ) {
 
@@ -141,6 +119,27 @@ public function install_db() {
 		}
 	}
 
+	if ( $this->current_db_version < 15 ) {
+		$options->set('use_lock_10', true);
+		$options->set('cdn_url', '//cdn.auth0.com/js/lock/11.0.0/lock.min.js');
+		$options->set('auth0js-cdn', '//cdn.auth0.com/js/auth0/9.0.0/auth0.min.js');
+		$options->set('cache_expiration', 1440);
+
+		// Update Client
+		$client_id = $options->get( 'client_id' );
+		$domain = $options->get( 'domain' );
+		if (!empty($client_id) && !empty($domain)) {
+			$app_token = $options->get( 'auth0_app_token' );
+			$sso = $options->get( 'sso' );
+			$payload = array(
+				"cross_origin_auth" => true,
+				"cross_origin_loc" => home_url('/index.php?auth0fallback=1','https'),
+				"web_origins" => array(home_url())
+			);
+			$updateClient = WP_Auth0_Api_Client::update_client($domain, $app_token, $client_id, $sso, $payload);
+			$options->set('client_signing_algorithm', 'HS256');
+		}
+	}
 		$this->current_db_version = AUTH0_DB_VERSION;
 		update_option( 'auth0_db_version', AUTH0_DB_VERSION );
 	}

lib/WP_Auth0_Lock10_Options.php

@@ -156,10 +156,6 @@ protected function build_settings( $settings ) {
     if ( $this->_is_valid( $settings, 'username_style' ) ) {
       $options_obj['usernameStyle'] = $settings['username_style'];
     }
-    if ( $this->_is_valid( $settings, 'remember_last_login' ) ) {
-      $options_obj['rememberLastLogin'] = $this->_get_boolean( $settings['remember_last_login'] );
-    }
-
     if ( $this->_is_valid( $settings, 'sso' ) ) {
       $options_obj['auth']['sso'] = $this->_get_boolean( $settings['sso'] );
     }

lib/WP_Auth0_Lock_Options.php

@@ -155,9 +155,6 @@ protected function build_settings( $settings ) {
 		if ( $this->_is_valid( $settings, 'username_style' ) ) {
 			$options_obj['usernameStyle'] = $settings['username_style'];
 		}
-		if ( $this->_is_valid( $settings, 'remember_last_login' ) ) {
-			$options_obj['rememberLastLogin'] = $this->_get_boolean( $settings['remember_last_login'] );
-		}
 		if ( $this->_is_valid( $settings, 'sso' ) ) {
 			$options_obj['sso'] = $this->_get_boolean( $settings['sso'] );
 		}

lib/WP_Auth0_LoginManager.php

@@ -26,7 +26,7 @@ public function init() {
     add_action( 'wp_login', array( $this, 'end_session' ) );
     add_action( 'login_init', array( $this, 'login_auto' ) );
     add_action( 'template_redirect', array( $this, 'init_auth0' ), 1 );
-    add_action( 'wp_footer', array( $this, 'auth0_sso_footer' ) );
+    //add_action( 'wp_footer', array( $this, 'auth0_sso_footer' ) );
     add_action( 'wp_footer', array( $this, 'auth0_singlelogout_footer' ) );
     add_filter( 'login_message', array( $this, 'auth0_sso_footer' ) );
   }
@@ -73,6 +73,7 @@ public function auth0_singlelogout_footer( $previous_html ) {
       return;
     }
 
+    $lock_options = new WP_Auth0_Lock10_Options();
     $cdn = $this->a0_options->get('auth0js-cdn');
     $client_id = $this->a0_options->get( 'client_id' );
     $domain = $this->a0_options->get( 'domain' );

lib/WP_Auth0_Options.php

@@ -43,31 +43,27 @@ public function get_default($key) {
 		return $defaults[$key];
 	}
 
-
-
-	public function get_client_secret_as_key() {
+	public function get_client_secret_as_key($legacy = false) {
 		$secret = $this->get('client_secret', '');
 
-    $isEncoded = $this->get('client_secret_b64_encoded', false);
-
-    $isRS256 = $this->get_client_signing_algorithm() === 'RS256';
-
-    if ( $isRS256 ) {
-    	$domain = $this->get( 'domain' );
+		$isEncoded = $this->get('client_secret_b64_encoded', false);
+		$isRS256 = $legacy ? false : $this->get_client_signing_algorithm() === 'RS256';
 
-    	$secret = WP_Auth0_Api_Client::JWKfetch($domain);
-
-  	} else {
-  		$secret = $isEncoded ? JWT::urlsafeB64Decode($secret) : $secret;
-  	}
+		if ( $isRS256 ) {
+			$domain = $this->get( 'domain' );
+			$secret = WP_Auth0_Api_Client::JWKfetch($domain);
+		} else {
+			$secret = $isEncoded ? JWT::urlsafeB64Decode($secret) : $secret;
+		}
 
 		return $secret;
 	}
 
 	public function get_client_signing_algorithm() {
-			$client_signing_algorithm = $this->get('client_signing_algorithm', '');
+			$client_signing_algorithm = $this->get('client_signing_algorithm', 'RS256');
 			return $client_signing_algorithm;
 	}
+
 	protected function defaults() {
 		return array(
 			'version' => 1,
@@ -77,7 +73,7 @@ protected function defaults() {
 			'auto_login_method' => '',
 			'client_id' => '',
 			'client_secret' => '',
-			'client_signing_algorithm' => 'HS256',
+			'client_signing_algorithm' => 'RS256',
 			'cache_expiration' => 1440,
 			'client_secret_b64_encoded' => null,
 			'domain' => '',
@@ -89,8 +85,8 @@ protected function defaults() {
 			'passwordless_enabled' => false,
 			'passwordless_method' => 'magiclink',
 			'passwordless_cdn_url' => '//cdn.auth0.com/js/lock-passwordless-2.2.min.js',
-			'use_lock_10' => null,
-			'cdn_url' => '//cdn.auth0.com/js/lock/10.7/lock.min.js',
+			'use_lock_10' => true,
+			'cdn_url' => '//cdn.auth0.com/js/lock/11.0.0/lock.min.js',
 			'cdn_url_legacy' => '//cdn.auth0.com/js/lock-9.2.min.js',
 			'requires_verified_email' => true,
 			'wordpress_login_enabled' => true,
@@ -104,7 +100,6 @@ protected function defaults() {
 			'social_big_buttons' => false,
 			'username_style' => '',
 			'extra_conf' => '',
-			'remember_last_login' => true,
 			'custom_css' => '',
 			'custom_js' => '',
 			'auth0_implicit_workflow' => false,
@@ -143,9 +138,8 @@ protected function defaults() {
 			'auto_provisioning' => false,
 			'default_login_redirection' => home_url(),
 
-      'auth0_server_domain' => 'auth0.auth0.com',
-
-			'auth0js-cdn' => '//cdn.auth0.com/js/auth0/8.2.0/auth0.min.js',
+      		'auth0_server_domain' => 'auth0.auth0.com',
+			'auth0js-cdn' => '//cdn.auth0.com/js/auth0/9.0.0/auth0.min.js',
 
 			//DASHBOARD
 			'chart_idp_type' => 'donut',