
Invalid Client or Secret when saving in Wordpress

wordpress
client-secret

#1

Hi, I can’t get this working with Wordpress due to the error in the title. I’ve created a client and copied it all correctly. A var dump shows this:

{"error":"access_denied","error_description":"Non-global clients are not allowed access to APIv1"}

I also can’t get the automatic setup working as the “.well-known/…” returns a 404 on every site I try it on.


#2

Please update the question with the exact version of the Wordpress plugin you’re using and the sequence of steps you perform after plugin installation that causes the error in question.


#3

If I go to setup wizard and click automatic it bombs out. This is the URL it’s sending it to:

https://auth0.auth0.com/authorize?client_id=https%3A%2F%2Facademy.collab365.community&response_type=code&redirect_uri=https%3A%2F%2Facademy.collab365.community%2Fwp-admin%2Fadmin.php%3Fpage%3Dwpa0-setup%26callback%3D1?ope=create%3Aclients+update%3Aclients+update%3Aconnections+create%3Aconnections+read%3Aconnections+create%3Arules+delete%3Arules+read%3Ausers+update%3Ausers+create%3Ausers+update%3Aguardian_factors&expiration=9999999999&state=social

Wordpress v4.8.1 (Multisite) | Plugin v3.2.23


#4

If I try to do it manually (by entering the Client ID and Secret) then the error I get in the logs is ‘Non-global clients are not allowed access to APIv1’.


#5

I have exactly the same problem.
I dived into the code and compared with the API test code provided in the dashboard.

It seems that there is a new problem with the API version in the wordpress plugin.
I tried adding (I do not recommend doing this on your site, it was just for a test)
$body['audience'] = "https://your_domain/api/v2/";
in the get_token function of WP_Auth0_Api_Client.php
and I could validate my client id and client secret in the wordpress plugin …

It makes me think there is now a problem with the API V1 and the wordpress plugin …


#9

@markjones333 and @minhsang.vo please don’t provide additional information as answers as that will remove the question from the unanswered queue which reduces its visibility. In this case I got notified because of my previous comment, but in other situations the question may move completely out of radar.

In relation to the issue itself, I’ll need to try to replicate the situation. I confess that the times I configure Wordpress with Auth0 I do it by creating the client application in the Dashboard itself and then just setting the necessary configuration for login.


#10

@markjones333 and @minhsang.vo I reproduced the situation and there’s at least one issue with how the client information is being validated, basically the situation that @minhsang.vo went through in the previous comment. Having said that, the information still seemed to get saved and I could proceed to log in a user using that client info. I already discussed this internally so that the method of validation can be updated, however, you may want to try to ignore that validation message as I did a quick test and proceeded to log in with a user using that client info and I had no issues.


#11

The underlying situation that caused the error about the invalid client identifier or secret has already been addressed and if you update the Wordpress Auth0 plugin to version 3.2.25 you should no longer experience this situation.

In addition and as noted in the comments, although the validation warning was being triggered the actual data was still being saved and you could still complete the configuration and configure end-user authentication; the issue was only specific to how the client info was being validated so even previous versions of the plugin will work although you’ll have to ignore the validation warning.
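
An added example, not part of the original thread and not the plugin's own code: a credential check that sends the `audience` value from the test described earlier in the thread and reports the token endpoint's own error text instead of collapsing every failure into "Invalid Client or Secret". All function names, the redaction marker and the sample responses are assumptions constructed for illustration; only the APIv1 error body is taken from the thread.

```php
<?php
// Added example, not the plugin's code; all function names are hypothetical.
// Build a client-credentials token request aimed at the Management API v2.
function build_token_request(string $domain, string $clientId, string $clientSecret): array
{
    return [
        'grant_type'    => 'client_credentials',
        'client_id'     => $clientId,
        'client_secret' => $clientSecret,
        // Same audience value the poster added in their test.
        'audience'      => "https://{$domain}/api/v2/",
    ];
}

// Copy of the request body that is safe to write to a debug log.
function redact_for_log(array $body): array
{
    if (isset($body['client_secret'])) {
        $body['client_secret'] = '***redacted***';
    }
    return $body;
}

// Classify a token-endpoint response body so the admin sees the real cause.
function classify_token_response(string $json): array
{
    $data = json_decode($json, true);
    if (!is_array($data)) {
        return ['status' => 'unparseable', 'detail' => 'response was not JSON'];
    }
    if (!empty($data['access_token'])) {
        return ['status' => 'ok', 'detail' => 'credentials accepted'];
    }
    $desc = (string) ($data['error_description'] ?? $data['error'] ?? 'unknown error');
    // Matches the message quoted in this thread: an API-version refusal,
    // which says nothing about whether the ID or secret is wrong.
    $status = stripos($desc, 'APIv1') !== false ? 'wrong_api' : 'rejected';
    return ['status' => $status, 'detail' => $desc];
}

// Constructed sample inputs; the second is the error body quoted in this thread.
$samples = [
    '{"access_token":"constructed-token","token_type":"Bearer"}',
    '{"error":"access_denied","error_description":"Non-global clients are not allowed access to APIv1"}',
    '<html>502</html>',
];
$request = build_token_request('your_domain', 'constructed-id', 'constructed-secret');
echo json_encode(redact_for_log($request), JSON_UNESCAPED_SLASHES), "\n";
foreach ($samples as $s) {
    echo json_encode(classify_token_response($s)), "\n";
}
```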


#12

Cheers. I have also had to hack the url-rewrite rule to get it to discover the .well-known path but then it blew up later.

I am going to give up on it tbh, burnt 2 days of my life already trying to debug it. I was trying it out to use across our network of sites, just to see if it works then would have paid to upgrade to developer. However, now I’ve lost confidence. I need a solution where support is on the ball and the plug-in is buggy.

