• Resolved DedicatedManagers

    (@dedicatedmanagers)


    I’ve successfully been able to connect WordPress with Auth0 using this plugin.

    Now I need to make a call from WordPress to another API that is connected to the same tenant. The API is looking for me to send the id_token as a bearer in the headers. Does the Auth0 WordPress plugin store the id and/or access token for the user after logging into WordPress?

    I can explain further if this doesn’t fully make sense.

  • @dedicatedmanagers – So, two things here.

    To answer your question about where they are stored, they are not actually stored anywhere because they are not used in the plugin beyond authentication. That said, you can use the auth0_user_login hook that fires once the user is logged in to store or use the access, ID, or refresh (if requested) token that’s returned:

    https://auth0.com/docs/cms/wordpress/extending#auth0_user_login

    As for how you want to use it … the ID token is only meant for the WordPress application. Anywhere else you send that should reject it based on the token’s audience (which is the client ID for that site). That should not be used to prove authentication anywhere else.

    If you tell me a bit more about the API that you need the user to access, I can point you in the right direction for the documentation that can help out.

    Thread Starter DedicatedManagers

    (@dedicatedmanagers)

    Wow… thanks for the quick and thorough reply!

    So here’s my scenario… I have a UI/app built in VueJS that accesses a custom “services layer” API that is built in the Dotnet framework. When the VueJS/UI app talks to the dotnet app, it sends the Auth0 id_token to a REST endpoint at the Dotnet Services Layer to retrieve the user’s current “points”, which the VueJS app then displays (among other things) to the user.

    The VueJS UI/app needs to send the user over to WordPress (or vice versa) using single sign on, which I’ve got working.

    The WordPress instance (which will ultimately use WooCommerce) needs to access the services layer (dotnet framework) to also get the user’s “points” value to display to the user.

    Thanks for any help. I’m happy to clarify further.

    Happy to help!

    However you’re doing it, the .NET API should not be accepting ID tokens meant for another application to control access. That API should be secured with access tokens issued by Auth0 for both the Vue app and WordPress. We have .NET quickstarts for this here:

    https://auth0.com/docs/quickstart/backend

    Since WordPress can store secrets, you can use client credentials and pass whatever user data is needed in your request:

    https://auth0.com/docs/flows/guides/client-credentials/call-api-client-credentials

    Alternatively, you can add the API’s audience to the authorization request in WordPress to get back an access token specifically for that API if you want one scoped only for that user. Where you add that in the plugin depends on how you’re logging in (with the Universal Login Page (recommended) or embedded on your site).

    The single page app will need to get an access token using an implicit grant, which is explained here:

    https://auth0.com/docs/flows/guides/implicit/call-api-implicit

    Quickstart for Vue is here:

    https://auth0.com/docs/quickstart/spa/vuejs

    Thread Starter DedicatedManagers

    (@dedicatedmanagers)

    Thanks for the reply. We are using the backend quickstart (dotnet) and the front end quickstart (spa/vuejs).

    Can you explain the excerpt below a bit further? We are using the Universal Login page. So how/where would I implement this?

    Alternatively, you can add the API’s audience to the authorization request in WordPress to get back an access token specifically for that API if you want one scoped only for that user. Where you add that in the plugin depends on how you’re logging in (with the Universal Login Page (recommended) or embedded on your site).

    You’ll want to add your audience to the array that’s filtered here:

    https://github.com/auth0/wp-auth0/blob/master/lib/WP_Auth0_LoginManager.php#L612

    There’s an example here:

    https://auth0.com/docs/cms/wordpress/extending#auth0_authorize_url_params
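    Putting the two answers above together, here is an added example (not code from the plugin or from anyone in this thread) of what that looks like in a site plugin or theme: the audience is added through the auth0_authorize_url_params filter so the login returns an access token for the .NET API, the auth0_user_login hook keeps that access token per user (the ID token is never forwarded), and a helper sends it as a bearer credential. The hook signatures are assumed to match the plugin docs linked above; the API identifier, endpoint URL and meta key are placeholders.

```php
<?php
/**
 * Added example, not the plugin's own code. Assumes the hook signatures
 * documented at auth0.com/docs/cms/wordpress/extending; the audience,
 * endpoint and meta key below are placeholders for your own tenant/API.
 */

// 1. Add the API identifier as the `audience` parameter of the /authorize
//    request so Auth0 issues an access token for that API alongside the ID token.
function dm_auth0_add_api_audience( $params, $connection, $redirect_to ) {
	$params['audience'] = 'https://services.example.com/api'; // placeholder: API identifier in Auth0
	return $params;
}
add_filter( 'auth0_authorize_url_params', 'dm_auth0_add_api_audience', 10, 3 );

// 2. Once the user is logged in, keep only the access token, per user.
//    The ID token stays with WordPress; it is not valid for the API.
function dm_auth0_store_access_token( $user_id, $userinfo, $is_new, $id_token, $access_token, $refresh_token ) {
	update_user_meta( $user_id, 'dm_auth0_access_token', $access_token );
}
add_action( 'auth0_user_login', 'dm_auth0_store_access_token', 10, 6 );

// 3. Call the services layer with that access token as a bearer credential.
function dm_get_user_points( $user_id ) {
	$token = get_user_meta( $user_id, 'dm_auth0_access_token', true );
	if ( empty( $token ) ) {
		return new WP_Error( 'dm_no_token', 'No API access token for this user; log in again.' );
	}
	$response = wp_remote_get(
		'https://services.example.com/api/points', // placeholder endpoint
		array(
			'headers' => array( 'Authorization' => 'Bearer ' . $token ),
			'timeout' => 10,
		)
	);
	if ( is_wp_error( $response ) ) {
		return $response;
	}
	if ( 401 === wp_remote_retrieve_response_code( $response ) ) {
		// Token expired or rejected by the API: drop it so the next login fetches a fresh one.
		delete_user_meta( $user_id, 'dm_auth0_access_token' );
		return new WP_Error( 'dm_token_rejected', 'API rejected the access token.' );
	}
	$body = json_decode( wp_remote_retrieve_body( $response ), true );
	return isset( $body['points'] ) ? (int) $body['points'] : new WP_Error( 'dm_bad_response', 'Unexpected API response.' );
}
```

The .NET side should validate the token's issuer, signature and audience (the same API identifier) as in the backend quickstart linked earlier, which is what makes the WordPress ID token correctly unusable there.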

  • The topic ‘Where are the id & access tokens stored’ is closed to new replies.