Missing id_token after login (hosted login, wordpress)

I’m using the latest wp-auth0 plugin, and getting users to log in via the hosted login page. It’s a custom one using auth0.js 8, though actually I also have the same problem if I turn that off and use the default.

Login works, and users are sent to http://mydomain.com/index.php?auth0=1&code=abc123. When they arrive at wordpress, the code is exchanged OK, but then while the response has an access_token in it, there is no id_token.

I have tried asking response_type=token instead of code, but wp-auth0 seems to require a code - I get missing parameter code if I do that.

I’m sure I’ve missed something, but I’m not sure what. Does wp-auth0 have specific requirements about the OAuth scopes, audiences, etc that it needs before login?

Side note: I have a passwordless connection that works perfectly, but for the life of me I can’t work out the difference. Any help would be lovely :)

I’ve been reading up on the Authorisation Code Grant flow at https://auth0.com/docs/api-auth/tutorials/authorization-code-grant, and as far as I can tell the problem is that there is no id_token in the Access Token exchange.

As I’m using the default hosted login page, the only place I can think of to tweak is my /authorize URL, which is currently https://mytenant.eu.auth0.com/authorize?client_id=abc123&response_type=code&redirect_uri=http://mydomain.com/index.php?auth0=1. I’ve tried adding &audience=https://mytenant.eu.auth0.com/api/v2/ as well, but no change.

I worked it out. I was missing the scope in my authorize call. If I change to https://mytenant.eu.auth0.com/authorize?client_id=abc123&response_type=code&redirect_uri=http://mydomain.com/index.php?auth0=1&scope=openid+profile+email it works.

YAY!

Glad to hear that Floppy!
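
The fix in this thread, as an added example that is not part of the original posts and is not wp-auth0 code: a small Node.js check that flags an /authorize URL whose scope lacks `openid` (the reason the code exchange returned no id_token) and builds the corrected URL. The function names are hypothetical, and the tenant, client_id and redirect_uri are the placeholder values from the posts.

```javascript
// Added example: audit an OAuth /authorize URL for the cause described in this thread.
// Function names are hypothetical; URL values are the placeholders used in the posts.

// Return the list of scopes requested by an /authorize URL.
function requestedScopes(authorizeUrl) {
  const params = new URL(authorizeUrl).searchParams;
  // URLSearchParams decodes "+" and "%20" to spaces, the OAuth scope separator.
  return (params.get("scope") || "").split(" ").filter(Boolean);
}

// Report problems that would stop the code exchange from returning an id_token.
function auditAuthorizeUrl(authorizeUrl) {
  const params = new URL(authorizeUrl).searchParams;
  const issues = [];
  const responseTypes = (params.get("response_type") || "").split(" ");
  if (!responseTypes.includes("code")) {
    issues.push("response_type does not include 'code'");
  }
  if (!requestedScopes(authorizeUrl).includes("openid")) {
    issues.push("scope lacks 'openid': no id_token will be issued");
  }
  return issues;
}

// Return a copy of the URL with openid (plus profile and email) in the scope.
// Re-serialising the query also percent-encodes the nested redirect_uri.
function withOidcScopes(authorizeUrl, extra = ["profile", "email"]) {
  const url = new URL(authorizeUrl);
  const scopes = new Set([...requestedScopes(authorizeUrl), "openid", ...extra]);
  url.searchParams.set("scope", [...scopes].join(" "));
  return url.toString();
}

// The failing URL from the question and its corrected form.
const before = "https://mytenant.eu.auth0.com/authorize?client_id=abc123" +
  "&response_type=code&redirect_uri=http://mydomain.com/index.php?auth0=1";
const after = withOidcScopes(before);
console.log(auditAuthorizeUrl(before)); // one issue: missing openid scope
console.log(auditAuthorizeUrl(after), after); // no issues
```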