• Resolved backpackingseries

    (@backpackingseries)


    Hello,

    I noticed this problem last year when I first installed your plugin and pursued the issue with Wordfence about missing WP notifications upon user registration or login.

    They had suggested to test it by deactivating Auth0 plugin – which, back then, I couldn't. I recently migrated the site and had to delete and reinstall your plugin.

    With the testing, I can confirm that I receive WP user registration and login notification emails (from Wordfence) when Auth0 plugin is not present on the site.

    Hope someone can help address this.

    Kind regards,


Viewing 12 replies - 1 through 12 (of 12 total)
  • I can confirm that. I receive notifications, with Auth0 and Wordfence plugins enabled, only if the user logs in with WordPress login form (/wp-login.php?wle) so actually omitting Auth0 logic.

    Sorry for the trouble here! I’m testing the latest release now and can take a quick look to see if this is something that’s easily correctable. We use all the core WordPress hooks during the login process but there might be something else we can do differently without calling any Wordfence-specific hooks. We can’t ensure that we can support functionality in other plugins but if there’s a core process we can do better with, I’m happy to support that.

    I tested this out and can confirm that using the override form (?wle on the URL) does send an email but using the Auth0 embedded form or the Universal Login Page does not.

    Looking a little further, I can see that the hook they use to send these is wp_login:

    https://github.com/wp-plugins/wordfence/blob/master/lib/wordfenceClass.php#L500

    … which we call after all successful logins using Auth0:

    https://github.com/auth0/wp-auth0/blob/master/lib/WP_Auth0_LoginManager.php#L549

    The problem, it looks like, is that the action that should be sending the email is stopped if there is no $_POST object:

    https://github.com/wp-plugins/wordfence/blob/master/lib/wordfenceClass.php#L855

    For the default configuration, there’s not much we can do about that. It might be worth it to raise the issue with Wordfence and see why the check is there.

    However, you can change how the plugin accepts callback requests from Auth0. There is a setting “Implicit Login Flow” on the Advanced tab of the Auth0 plugin settings that will request the callback information as a POST, rather than a GET. Without getting too much into the weeds here, this switches the grant that we use from Authorization Code to Implicit with form_post. In the case of this plugin, it will not change how secure the plugin is but it will stop pulling down the entire user from Auth0 for each login (data stored in usermeta). If you’re not using metadata from the Auth0 profile then this will not have any impact on your site.

    I switched that on and started to get email notifications again. Give that a try and let me know if it works for you. Happy to explain more about what this change means in general but if logins work and you’re not using any Auth0-stored user data, everything should work as expected.
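
The reply above traces the missing emails to a `wp_login` handler that stops when `$_POST` is empty, which is the case when the Auth0 callback arrives as a GET. As an added example (not code from the Auth0 plugin, Wordfence, or this thread), the must-use plugin below records the request method of every completed login and sends its own rate-limited admin notice for logins that carried no POST data. The `lra_*` names, the file name, the log prefix and the one-hour window are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Login request-shape audit (added example)
 * Save as wp-content/mu-plugins/login-request-audit.php (hypothetical file name).
 */

// Describe how the request that completed the login reached WordPress.
function lra_request_shape() {
    $method = isset( $_SERVER['REQUEST_METHOD'] )
        ? strtoupper( $_SERVER['REQUEST_METHOD'] )
        : 'UNKNOWN';
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return array(
        'method'   => $method,
        'has_post' => ! empty( $_POST ), // false for a GET callback
        'ip'       => $ip,
    );
}

// Runs on every successful login, including logins completed by an SSO plugin
// that fires the core wp_login action.
function lra_on_login( $user_login, $user = null ) {
    $shape   = lra_request_shape();
    $user_id = ( $user instanceof WP_User ) ? $user->ID : 0;

    // Always leave an audit line, whatever other plugins decide to do.
    error_log( sprintf(
        '[login-audit] user=%s id=%d method=%s has_post=%s ip=%s',
        $user_login, $user_id, $shape['method'],
        $shape['has_post'] ? 'yes' : 'no', $shape['ip']
    ) );

    // Logins with POST data are already seen by handlers that require $_POST.
    if ( $shape['has_post'] ) {
        return;
    }
    // At most one fallback email per user per hour (assumed window).
    $key = 'lra_notified_' . $user_id;
    if ( get_transient( $key ) ) {
        return;
    }
    set_transient( $key, 1, HOUR_IN_SECONDS );
    wp_mail(
        get_option( 'admin_email' ),
        'Login completed without POST data',
        sprintf( "User: %s\nMethod: %s\nIP: %s\n", $user_login, $shape['method'], $shape['ip'] )
    );
}
add_action( 'wp_login', 'lra_on_login', 10, 2 );
```

With "Implicit Login Flow" enabled the audit line should show `method=POST has_post=yes` for Auth0 logins, and the fallback email stays silent.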

    Thread Starter backpackingseries

    (@backpackingseries)

    Hi @auth0josh ,

    Thank you for the explanation.

    Could you please redirect me to a resource to understand the purpose of Auth0 metadata stored in WordPress and, in general, what assessment, if any, needs to be carried out before switching to implicit login flow?

    Essentially, I would like to understand what’s not available with implicit login.

    For instance, would the following continue to work with implicit login flow?

    1) Rules feature from the dashboard.
    2) User migration with custom DB
    3) Lock customization

    PS: I use hosted login as well as the modal, if this info is relevant.

    Kind regards,

    All existing features work fine with Implicit turned on. The only place you’d want to assess is if you’re pulling data from the usermeta field populated during login. If you have any custom code that changes behavior based on the user_metadata or app_metadata in the JSON stored in [TABLE PREFIX]auth0_obj for a user, that’s the only thing that will change. If you don’t have any custom code written against the plugin, then you’ll be fine.

    The warning on that setting is a bit overkill (and changing in the next version) as it’s typically used when you can’t make an outbound connection (firewall settings or similar), which might limit the site further. But if things work fine with it off, turning it on will only affect the profile data retrieved, as explained above.

    Just FYI, all Rules management in the plugin is being removed in the next version as well. The Rules will function exactly as they did before but will need to be turned off and on in the Auth0 dashboard.

    Hope that helps!

    Thread Starter backpackingseries

    (@backpackingseries)

    Thank you @auth0josh

    To start receiving notifications from Wordfence, do I need to change the app type in Auth0 Dashboard as mentioned in the plugin?

    Your Application should be set to “Single Page App” in your Auth0 dashboard for this setting to work properly. This will limit profile changes and other functionality in the plugin.

    Kind regards

    No, no need to change that. Setting description will change in the version coming out this week.

    Thread Starter backpackingseries

    (@backpackingseries)

    @auth0josh

    Appreciate your support.

    I tested the Implicit Login Flow option and this is what happens:

    The Wordfence notifications work when using the hosted login page. But not with modal login (using shortcode). Could I be missing out on some config here?

    Kind regards,

    Happy to help!

    But not with modal login (using shortcode).

    Can you post the exact shortcode you’re using here so I can test that out? All the forms of logging in should use the same callback.

    • This reply was modified 5 years, 11 months ago by Josh C.
    Thread Starter backpackingseries

    (@backpackingseries)

    Sure. It’s

    [auth0 show_as_modal="1" modal_trigger_name="Get Started!" redirect_to="https://www.unakriti.com/interactive-channel/"]

    Kind regards,

    Thread Starter backpackingseries

    (@backpackingseries)

    @auth0josh

    Update: today, the notifications are coming in with Auth0 modal (using shortcode) too.

    I don’t know what explains the difference without any further change in plugin or site config. But just wanted to share this result here.

    Kind regards,

    Thanks for the update here. Modal works for me as well and it uses the same callback process after logging in as any other way. I did notice that if I log in a second time with the same account that a notice is not sent from Wordfence, likely to cut down on the number of emails it’s sending.

    Thread Starter backpackingseries

    (@backpackingseries)

    Yes, that’s a likely cause.

    It's all good for now.

    Appreciate your support @auth0josh

    Kind regards,

  • The topic ‘Auth0 plugin disables WP Registration / Login Notifications to Admin’ is closed to new replies.