I have been trying to setup the auth0 plugin on a Wordpress site and am experiencing issues after the login.
After using the login form I am successfully authenticated and the redirect begins. However during the redirect I get a 500 internal server error and receive the following response.
I have not been able to find any mention of someone else receiving similar errors and have a feeling it could be related to a plugin issue. Not sure if anyone can think of a reason that the auth0 plugin would be behaving this way (a setting? etc.) or if it is most likely an error with a plugin conflict?
Hi @mmorry ⊠apologies for the trouble here, Iâm happy to help figure out whatâs going on.
You mentioned the 500 error but are you seeing an error message in your browser? When something goes wrong during the callback (AKA: right after redirection to your site) you should see a message of some kind telling you what the problem is.
There were a number of changes to how errors were handled during the callback, as well as an additional security check added that might be causing the problem. We added state verification in version 3.6.0 and have had one other report of it failing during callback with the message âInvalid state.â The issue there was the callback URL being cached on the host. The fix was to stop caching the site URL (/index.php on a regular install) if it has an auth0 URL parameter on there.
If thatâs not the error message, let me know what error message youâre seeing along with:
PHP version used
plugin version used
any error messages in the JS console on the login page
I am only seeing a blank page in the browser after I login, and when I open the dev tools I can see a 500 error during a network process (index.php?auth0=1âŠetc.). If I reload the page I see a invalid state message on the screen, I wasnât sure if that error was because of me refreshing the page though.
@mmorry - OK that still tells us something. It sounds like there is an error that weâre not catching. Your PHP version is fine so no problems there.
Can you check your Auth0 plugin error log as well as your PHP error log and let me know if something is showing up there around the time when youâre logging in? Also, if you can test with WP_DEBUG on (dev/test install), that would be helpful as well. That should show whatâs failing.
Okay so there are no errors showing up in the auth0 error log when I login. In the auth0 dashboard I can see that the user is logging in as well.
I turned on debug and it came back with an error saying Callback URL mismatch. After checking in the applications page I noticed that the mismatch was coming from the www being missing from the Allowed Callback URLs. I added these into the application settings and now when I login it goes straight to the page below instead of hanging on a blank page.
After this since I was still getting an error I tried with debug on again and received the following error which I am currently trying to work through:
Fatal error: Uncaught exception âBeforeValidExceptionâ with message âCannot handle token prior to (iat) 2018-06-25T22:54:05+0000â in /var/www/site-name.com/wp-content/plugins/auth0/lib/php-jwt/Authentication/JWT.php:93 Stack trace: #0 /var/www/site-name.com/wp-content/plugins/auth0/lib/WP_Auth0_LoginManager.php(235): JWT::decode(âeyJ0eXAiOiJKV1QâŠâ, Array, Array) #1 /var/www/site-name.com/wp-content/plugins/auth0/lib/WP_Auth0_LoginManager.php(157): WP_Auth0_LoginManager->redirect_login() #2 [internal function]: WP_Auth0_LoginManager->init_auth0(ââ) #3 /var/www/site-name.com/wp-includes/class-wp-hook.php(286): call_user_func_array(Array, Array) #4 /var/www/site-name.com/wp-includes/class-wp-hook.php(310): WP_Hook->apply_filters(ââ, Array) #5 /var/www/site-name.com/wp-includes/plugin.php(453): WP_Hook->do_action(Array) #6 /var/www/site-name.com/wp-includes/template-loader.php(12): do_action(âtemplate_redireâŠâ) #7 /var/www/site-name.com/wp-blog-header.php(19): require_once(â/var/www/simbleâŠâ) #8 /var/www in /var/www/site-name.com/wp-content/plugins/auth0/lib/php-jwt/Authentication/JWT.php on line 93
After looking at the previous error, it looks like it probably could have something to do with the auth0_state cookie value being deleted somewhere along the way and having the expiry set to an old date (see original photos) which is then throwing the error 'Cannot handle token prior to âŠ"
Okay so there are no errors showing up in the auth0 error log when I login.
Is that the Auth0 dashboard error log or the one in wp-admin > Auth0 > Error Log? This is definitely a callback issue on the WP site. If you end up on that URL then the Auth0 authentication passed.
I turned on debug and it came back with an error saying Callback URL mismatch
Was it in a nice WP error display (like the screenshot here) or just unformatted black text on white? Do you see that error message in the URL?
now when I login it goes straight to the page below instead of hanging on a blank page.
That shows after the redirect now? Thatâs a security feature added in 3.6.0 and relies on having a cookie set on login and validated on the callback. Can your hosting setup and see if that callback URL is cached?
Fatal error: Uncaught exception âBeforeValidExceptionâ with message âCannot handle token prior to (iat) 2018-06-25T22:54:05+0000â
That usually happens if your serverâs time is not set properly. Itâs saying that the token you got was generated before the current time, which could only happen if one of the two times are off (itâs not Auth0âs or our service wouldnât work ). Check what echo current_time( 'c' ) outputs on your server.
That said, we definitely need some error handling there and Iâll make to add that in the upcoming patch release.
I was looking at the error log in the wp-admin > Auth0 > Error Log.
It was just unformatted black text on white. I donât see anything reflected in the url.
Yes it is showing up now after I login. However it does not seem to be completely consistent, this could just be due to me testing this while debugging though.
Sorry but I am not quite sure what you mean by this?
The time format I am outputting is: 2018-06-26T00:41:22+00:00.
I have continued debugging and have been unable to get the âBeforeValidExceptionâ to show up again. Instead I am just seeing the formatted screen with:
âThere was a problem with your login: Invalid State [error code: unknown]â
Just updating in regards to the âBeforeValidExceptionâ.
I have been debugging and the redirect_login() always fails when decoding the id_token (JWT::decode()) with the time exception. When I look at the timestamps that are being compared there is todays date and a date in July 1974 which is why it is failing at this point.
However I am not sure why the state is being returned with an invalid date. You mentioned that stopping caching the site URL when it has an auth0 parameter in it could potentially be fix. Could you advise/point me in a direction about how to go about this in Wordpress? Sorry, I am quite new to Wordpress and am just getting familiar with how it works.
The ID token error is unrelated to state. Iâm not sure exactly why that was happening but weâre adding better error handling so, at the very least, you get a better failure message. Login will still fail in that condition but it will give a more helpful message. Tracking that here:
I have gone through the troubleshooting article you put together.
All the steps came out successful and I continued to debug the plugin and it turns out the time on our WordPress is running 5 minutes behind the current time which was causing the âBeforeValidExceptionâ. I modified the plugin to add an offset temporarily but will have to look into fixing the current time as well.
I use wpengine to host my site and they do not allow caching of the main page to be turned off. Does anyone else host using wpengine that found a solution to this? Thanks for the detailed article.
Ok I just talked to WPEngine and there is no setting to disable the caching of the auth0_state cookie, but if you reach out to their support team, they will disable caching for it manually and it all works!
Thanks for the input, @johnb! Weâve worked with WP-Engine with customers before and have been able to resolve any caching issues directly with them. If you can get them to exclude the callback URL from caching, then you should be fine!
Same issue here. My wordpress site just started blocking out validated users and now I the only error message I get is âThere was a problem with your log in: Invalid state [error code: unknown]â Iâve followed all of the steps and Iâm working with my hosting company exclude the cookie from being cached, but my issue is that it works on my staging server and not my production server. My staging server has no issues, but the production server just stopped working altogether when it was working fine up until yesterday⊠need some help please. Thanks.
but my issue is that it works on my staging server and not my production server. My staging server has no issues, but the production server just stopped working altogether when it was working fine up until yesterday⊠need some help please.
This is most definitely caching. WP-Engine and other hosts turn caching off or down so troubleshooting issues (not related to caching) is easier. Have them turn of caching completely for the callback URLs in your Application settings.
Iâm getting this error as well, but not with Wordpress. Users get a 500 error on my redirected PHP page sporadically, I cannot seem to reproduce the error myself. When this happens, my nginx error log shows a similar entry as above:
PHP message: PHP Fatal error: Uncaught Auth0\SDK\Exception\CoreException: Invalid state in /var/www/blah.com/vendor/auth0/auth0-php/src/Auth0.php:444
Looking through your tutorial on troubleshooting, I made the following changes to my setup:
Added a version of my redirect page sans www.
Added no cache headers to my redirect page.
Iâve not seen the error in my logs since making these two changes. Since this bug is intermittent I cannot reliably verify itâs been resolved for me. Going to keep an eye on the logs. @josh.cunningham Should I start a new thread since my situation doesnât involve WP?
@Ben_Smith - Yes, that would be great. Thatâs with the PHP SDK so add a new thread here if you need guidance on that (tagged php) or an Issue on GitHub if you find the specific problem