@michael.knigge - I just took a look at this and I don’t think there’s anything we can do on our end without adding custom code just for this plugin (which is not a practice we want to get into). We use a custom callback URL to check for errors and log the user in, if the attempt at Auth0 was successful. That URL is just like any other URL for the plugin and it gets redirected before the Auth0 login can happen.
That said, it looks like there is a filter in the restrict access plugin you can use to pass the Auth0 request through, restricted_site_access_is_restricted. If you want to be cautious, you’ll want to check a few values (included below) but it is spoofable if someone suspects you’re using this (meaning, someone could see your homepage if they try hard enough):
/**
* Play nicely with Restricted Site Access.
*
* @param bool $is_restricted - Original $is_restricted value
* @param WP $wp - WP object.
*
* @return mixed
*/
function auth0_mu_hook_restricted_site_access_is_restricted( $is_restricted, $wp ) {
if (
! empty( $wp->query_vars['auth0'] )
&& empty( $wp->query_vars['page'] )
&& $_COOKIE['auth0_state'] === $wp->query_vars['state']
) {
return false;
}
return $is_restricted;
}
add_filter( 'restricted_site_access_is_restricted', 'auth0_mu_hook_restricted_site_access_is_restricted', 100, 2 );
If this is just temporarily restricted (non-sensitive information, demoing a site, etc), you can remove the 2nd and 3rd check (will mean that any page with a non-empty auth0 URL param can see any page.