While Social Login works fine, I am not able to login using email and password. Lock says ‘Wrong Username or Password’.
This is a new installation and I’ve copied the login and get user scripts made available in one of the threads of this forum.
The login script test under custom database fails with the same error message.
However, the user exists in WordPress and the password is correct. I can login using the same set of credentials with the default WordPress login form. Besides, the site allows for anyone to register. The Lock url is https://www.backpackingseries.com/wp-login.php
Edit: The alternate import/export extension to migrate WordPress users fails with something like ‘required property not found: email’. The JSON file, exported from MySQL, does have a user-email field. Is this a limitation of the free / trial version?
Sorry for the trouble @backpackingseries … did you try the troubleshooting steps in that thread? Did you do the automated setup with user migration or manually build out the script from that thread?
I would lean towards that script being incorrect if it fails in both places. If you can paste your script here (minus any sensitive data like the migration token), that might be helpful.
Yes, I did the manual configuration (because automatic failed) of creating application, database connection, etc. following Auth0’s tutorial docs and then looked up support threads. Here are the scripts I took from the Github link mentioned in the thread referred to above.
Login Script:

    function login (email, password, callback) {
      var request = require("request");
      // POST the credentials and the migration token to the WordPress endpoint
      request.post("https://www.backpackingseries.com/index.php?a0_action=migration-ws-login", {
        form: {username: email, password: password, access_token: "_secretaccesstoken_"},
      }, function (error, response, body) {
        if (error) {
          return callback(error);
        }
        var info = JSON.parse(body);
        if (info.error) {
          // The endpoint reported an error: return no profile
          callback();
        } else {
          // Map the WordPress user record to an Auth0 profile
          var profile = {
            user_id: info.data.ID,
            username: info.data.user_login,
            email_verified: true,
            email: info.data.user_email,
            name: info.data.display_name
          };
          callback(null, profile);
        }
      });
    }

Get User Script:

    function getByEmail (email, callback) {
      var request = require("request");
      // Look the user up by email; the migration token authorises the request
      request.post("https://www.backpackingseries.com/index.php?a0_action=migration-ws-get-user", {
        form: {username: email, access_token: "_secretaccesstoken_"},
      }, function (error, response, body) {
        if (error) {
          return callback(error);
        }
        var info = JSON.parse(body);
        if (info.error) {
          // The endpoint reported an error: return no profile
          callback(null);
        } else {
          // Map the WordPress user record to an Auth0 profile
          var profile = {
            user_id: info.data.ID,
            username: info.data.user_login,
            email: info.data.user_email,
            name: info.data.display_name,
            email_verified: true
          };
          callback(null, profile);
        }
      });
    }

What am I missing? Could you please advise on the correct way?
The best bet, in my mind, is to debug that script in the Auth0 dashboard by using console.log() and trying the 2 scripts. Keep in mind that it’s matching on email so that’s what you’ll need to use to log in.
Before I head in that direction of console.log, I just wanted to verify whether the way I input the access token generated from the WordPress Auth0 plugin is the correct way.
When I toggle the switch for User Migration in WordPress Auth0 plugin and save the configuration, it shows an error message that manual config is required and also shows a long token. However, the token is greyed out and I cannot copy/paste it. I had to manually enter it in the Login script in Auth0 Dashboard. For the length of that token, it can be a painful process!
Is it how the developers intended it to be? Or is something wrong with my WordPress Auth0 plugin setup?
As I continue to troubleshoot, over the past few days, I have noticed the following type of entries in the error log in WordPress - Auth0 plugin:

    WP_Auth0_Routes::migration_ws_login 0 Algorithm not allowed
    WP_Auth0_Routes::migration_ws_get_user 0 Signature verification failed, check "Client Secret Base64 Encoded" value matches your Auth0 client.
    WP_Auth0_Api_Client::create_rule Account-Linking-Do-Not-Rename-Backpacking-Series unknown_code {"statusCode":401,"error":"Unauthorized","message":"Expired token received for JSON Web Token validation","attributes":{"error":"Expired token received for JSON Web Token validation"}}
    WP_Auth0_Api_Client::get_token http_request_failed cURL error 6: name lookup timed out

I tried
Toggle signing algorithm (HS/RS256) in dashboard and WP plugin - no success.
Regenerating Access Token manually via Management API Explorer - no success
Set API Token at /api/v2 - no change
Verified Client Secret Base64 Encoded is disabled
Unauthorize the default API Explorer App and use the tenant-created App instead (verified scopes) - This disabled the option to manually regenerate access token in the API Explorer tab of management API. So I re-enabled it. When I verify the scopes, the default API Explorer App has none. Whereas the tenant-created app has scopes as per the config guide / tutorial.
Forgot to add, I have defined a constant for MIGRATION_WS option (with a value of access token from Auth0 Dashboard → Management API → API Explorer) to rule out error in manually updating the value in DB Login script. After the constant, the DB Login Script error message changed from ‘Wrong email or password’ to ‘Unexpected end of JSON input’.
Oh, that’s no good. What browser are you using? Yes, it’s supposed to be disabled but I am able to copy that. Might be a cross-browser problem with using a disabled textarea element. I’ll look into a better way to output that.
It sounds like you might have that token entered incorrectly into Auth0. Can you Inspect Element and copy directly out of the DOM? Also sounds like your API token is not valid based on that Create Rule entry. Keep in mind that the API token is different from the migration token. The API token allows the WP site to communicate with the Management API for various tasks. The migration token is what allows users to authenticate with Auth0 using your WP database.
Sounds like you might have the 2 tokens criss-crossed. If you want to set a constant for the migration token, set AUTH0_ENV_MIGRATION_TOKEN equal to the token on the Advanced tab for User Migration:
Then make sure that’s the same in your DB scripts.
For the API token, generate that at Auth0 Dashboard > Management API > API Explorer and set the constant AUTH0_ENV_AUTH0_APP_TOKEN. Should see this in the admin if that worked:
OK, I see where the error is happening but I’m not sure why it’s happening. It’s saying that the JWT algorithm for your migration token is incorrect but when it’s created, it’s forced to HS256, which is what it’s checked against.
Can you go here:
… and paste your migration token in there to decode it. The header should be:
When I paste the migration token in the box titled ‘Encoded’, that box turns red and I see a message underneath saying ‘Invalid Signature’. However, the header and payload are exactly as you expected.
Kind regards
PS: I have verified both Auth0 Dashboard and WordPress plugin are set to RS256 and not HS256.
… but if the token you’re using is HS256, as it shows in that JWT tool, then that error doesn’t make a lot of sense. You could try adding ‘RS256’ to the array in that third parameter to see if you can get anywhere. Otherwise, I’d start debugging around there to see what’s going on.
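Added example (not part of the thread and not wp-auth0 plugin code): a local Node.js check of an HS256 token that separates the two log messages quoted earlier, an algorithm mismatch and a signature mismatch. The secret, claims and token are constructed, and the function names are hypothetical.

```javascript
// Added example: secret, claims and token are constructed; this is not wp-auth0 code.
const crypto = require("crypto");

const EXPECTED_ALG = "HS256"; // the thread says the migration token is forced to HS256
const b64url = (data) => Buffer.from(data).toString("base64url");
const hmac = (key, msg) => crypto.createHmac("sha256", key).update(msg).digest();

// Build a sample token so the checks below have input to run on.
function signSample(payload, key, alg = EXPECTED_ALG) {
  const head = b64url(JSON.stringify({ typ: "JWT", alg }));
  const signingInput = `${head}.${b64url(JSON.stringify(payload))}`;
  return `${signingInput}.${b64url(hmac(key, signingInput))}`;
}

// Decode the token, then apply the two checks in order:
// expected algorithm first, signature second.
function checkToken(token, key) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, payload;
  try {
    [header, payload] = parts.slice(0, 2)
      .map((p) => JSON.parse(Buffer.from(p, "base64url").toString("utf8")));
  } catch (err) {
    return { ok: false, reason: "malformed" };
  }
  if (header?.alg !== EXPECTED_ALG) {
    return { ok: false, reason: "algorithm not allowed", header, payload };
  }
  const expected = hmac(key, `${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], "base64url");
  const match = given.length === expected.length && crypto.timingSafeEqual(given, expected);
  return { ok: match, reason: match ? "valid" : "signature verification failed", header, payload };
}

// Constructed inputs mirroring the situations discussed in the thread.
const SECRET = "Y29uc3RydWN0ZWQtc2FtcGxlLXNlY3JldA"; // sample value only
const good = signSample({ sub: "constructed-sample" }, SECRET);
function demo() {
  return {
    exact: checkToken(good, SECRET).reason,
    retyped: checkToken(good.slice(0, -1), SECRET).reason, // one character lost while retyping
    otherSecret: checkToken(good, "a-different-secret").reason,
    // signer used the secret as a raw string, verifier base64-decoded it first
    secretDecoded: checkToken(good, Buffer.from(SECRET, "base64")).reason,
    wrongAlg: checkToken(signSample({ sub: "constructed-sample" }, SECRET, "RS256"), SECRET).reason,
  };
}
console.log(demo());
```

Decoding the header and payload needs no secret, so they can read correctly while the signature check still fails; the signature only verifies when the verifier holds exactly the key bytes the signer used.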
Sorry, but if I may continue to seek guidance on this issue, I want to clarify:
Does it matter for user migration process if the Default-App in Auth0 dashboard is deleted and instead, I’m using a tenant-created App with the default database? Should user migration work as designed in such a scenario?
Actually, few users registered on my site with the config set to ‘use my own DB’. What I mean is these are new users and not old WP users whom I am unable to migrate. But, if I try to toggle it OFF, it says something like ‘delete the users first’.
Does it mean that, after the trial period (2 more weeks), I lose the new user accounts or they will not be able to login using the Lock form?
I’m a little confused … you mentioned that the custom DB option was not there but it sounds like it is? If it is there then you’re fine, that won’t be removed for anyone who doesn’t have it but might not be included for new accounts in the future (sorry if that’s a little confusing).
My apologies. This is what the setup looks like at the moment.
Auth0 Dashboard - Connection for database is setup as follows: Settings:
Requires username - Yes.
Import Users to Auth0 - Yes
Disable Signups - No
Password Policy: Yes
Custom Database:
Use my Own Database: Yes
Database Action Scripts:
Login Script: As provided above
Get User Script: As provided above
[Try button returns an error: Wrong username or password]
Applications Using this Connection:
API Explorer Application - Yes
[Tenant’s] Application - Yes
Try Connection:
It Works - When new Auth0 user tries to login
Fails - When old WordPress user tries to login.
Thank you for the clarification that users registered using Auth0 lock form will not be removed after the trial period.
Sorry, I am not sure if I understood this - “but might not be included for new accounts in the future”.