Missing id_token after login (hosted login, wordpress)

I’m using the latest wp-auth0 plugin, and getting users to log in via the hosted login page. It’s a custom one using auth0.js 8, though actually I also have the same problem if I turn that off and use the default.

Login works, and users are sent to Page Not Found. When they arrive at wordpress, the code is exchanged OK, but then while the response has an access_token in it, there is no id_token.

I have tried asking response_type=token instead of code, but wp-auth0 seems to require a code - I get missing parameter code if I do that.

I’m sure I’ve missed something, but I’m not sure what. Does wp-auth0 have specific requirements about the OAuth scopes, audiences, etc. that it needs before login?

Side note: I have a passwordless connection that works perfectly, but for the life of me I can’t work out the difference. Any help would be lovely.

I’ve been reading up on the Authorisation Code Grant flow at Call Your API Using the Authorization Code Flow, and as far as I can tell the problem is that there is no id_token in the Access Token exchange.

As I’m using the default hosted login page, the only place I can think of to tweak is my /authorize URL, which is currently https://mytenant.eu.auth0.com/authorize?client_id=abc123&response_type=code&redirect_uri=http://mydomain.com/index.php?auth0=1. I’ve tried adding &audience=https://mytenant.eu.auth0.com/api/v2/ as well, but no change.

I worked it out. I was missing the scope in my authorize call. If I change to https://mytenant.eu.auth0.com/authorize?client_id=abc123&response_type=code&redirect_uri=http://mydomain.com/index.php?auth0=1&scope=openid+profile+email it works.

YAY!
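
The fix above, as an added example that is not part of the original posts or of wp-auth0: a small check that parses an /authorize URL and reports when the `openid` scope is missing, which is what makes an OpenID Connect provider omit the id_token from the code exchange. The function names are hypothetical; the tenant, client_id and redirect_uri are the placeholder values from the thread.

```javascript
// Added example (not wp-auth0 code). Function names are hypothetical.
// Returns the problems that would stop the code exchange from yielding an id_token.
function checkAuthorizeUrl(rawUrl) {
  const params = new URL(rawUrl).searchParams;
  const problems = [];

  // The thread reports that wp-auth0 fails with "missing parameter code" otherwise.
  const responseTypes = (params.get("response_type") || "").split(/\s+/).filter(Boolean);
  if (!responseTypes.includes("code")) {
    problems.push("response_type does not include 'code'");
  }

  // URLSearchParams decodes '+' to a space, so "openid+profile+email" splits cleanly.
  const scopes = (params.get("scope") || "").split(/\s+/).filter(Boolean);
  if (!scopes.includes("openid")) {
    problems.push("scope does not include 'openid': token response will have no id_token");
  }
  return problems;
}

// Builds the /authorize URL with every parameter percent-encoded, so the
// '?' and '=' inside redirect_uri cannot be confused with outer parameters.
function buildAuthorizeUrl(domain, clientId, redirectUri, scopes) {
  const url = new URL(`https://${domain}/authorize`);
  url.search = new URLSearchParams({
    client_id: clientId,
    response_type: "code",
    redirect_uri: redirectUri,
    scope: scopes.join(" "),
  }).toString();
  return url.toString();
}

// The failing URL from the thread (no scope) and a rebuilt one with the fix.
const before =
  "https://mytenant.eu.auth0.com/authorize?client_id=abc123&response_type=code" +
  "&redirect_uri=http://mydomain.com/index.php?auth0=1";
const after = buildAuthorizeUrl(
  "mytenant.eu.auth0.com", "abc123",
  "http://mydomain.com/index.php?auth0=1", ["openid", "profile", "email"]);

console.log(checkAuthorizeUrl(before));
console.log(checkAuthorizeUrl(after));
console.log(after);
```
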

Glad to hear that, Floppy!