I’ve been searching around here and the website, but I’m stuck, so sorry if these are obvious questions.
I’m trying to set up Auth0 on a WordPress site, using the plugin with a custom “social” connection. The OAuth host holds our user records as part of a different system.
1 - The OAuth host we are using requires us to provide them with a redirect URI. I’ve currently set it to my own domain, but it’s not working (I get a page not found error). I think(?) that the host should redirect to Auth0 first, is that correct? If so, what would the correct URI be to give my host?
2 - Is there a way to force the user to use the OAuth client as default, i.e. don’t show the normal email / password form on the wp-login page (unless I use the WLE option)?
3 - Is there a way to set this up so Auth0 doesn’t require a user, and gives anonymous access to WordPress? I don’t want to create user records on Auth0 or my WordPress database, as it would duplicate records, and would be a data protection issue.
Thanks for reading, please let me know if I can provide more information.
For custom OAuth connections the callback URL you should provide to the upstream OAuth authorization server is https://YOUR_DOMAIN/login/callback; see (Connect Apps to Generic OAuth2 Authorization Servers) for reference information on this.
In relation to having WordPress only use the social connection, it should be a matter of ensuring that the client application that either you or the plugin created in the Auth0 tenant to represent the WordPress Auth0 plugin only has the social connection enabled. If it’s showing additional options to log in, like username/password, then the most common explanation would be that a database connection is also enabled for that application.
For the last question, from my interpretation, if you just configured the Auth0 WordPress plugin then the user won’t be forced to authenticate into WordPress itself unless you employed other methods to force it. In other words, by using the plugin you’re replacing the login page with Auth0, but that by itself does not force the login, so it should still be possible to access the site without logging in unless there’s something else preventing it.
The YOUR_DOMAIN placeholder in https://YOUR_DOMAIN/login/callback is meant to be a host name (domain) that points to the Auth0 tenant service which will then do another redirect to the client application domain. I’m assuming that www.hopechurchglasgow.org.uk is a domain for the client application itself so you should change it to be the one for your tenant.
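A configuration check for the point made in the replies above, added here as an example and not part of the original thread: it inspects the `redirect_uri` carried in the request sent to the upstream OAuth host and reports when it targets the client application instead of the tenant's `/login/callback`. The function name, the upstream URL `idp.example`, and the domains `tenant.example` and `www.example.org` are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

CALLBACK_PATH = "/login/callback"  # path quoted in the reply above


def check_upstream_redirect(authorize_url, tenant_domain, app_domain):
    """Return a list of problems with the redirect_uri in an upstream authorize URL."""
    query = parse_qs(urlsplit(authorize_url).query)
    values = query.get("redirect_uri", [])
    if len(values) != 1:
        # Missing or duplicated parameter: nothing reliable to validate.
        return ["expected exactly one redirect_uri, found %d" % len(values)]

    target = urlsplit(values[0])
    host = (target.hostname or "").lower()
    problems = []
    if target.scheme != "https":
        problems.append("redirect_uri is not https")
    if host == app_domain.lower():
        # The mistake described in the question: the upstream host sends the
        # user straight to the site, which has no handler for the response.
        problems.append("redirect_uri points at the client application, not the tenant")
    elif host != tenant_domain.lower():
        problems.append("redirect_uri host %r is not the tenant domain" % host)
    if target.path != CALLBACK_PATH:
        problems.append("redirect_uri path is %r, expected %r" % (target.path, CALLBACK_PATH))
    return problems


# Constructed sample requests (placeholder hosts, not real endpoints).
GOOD = ("https://idp.example/oauth/authorize?response_type=code&client_id=abc"
        "&redirect_uri=https%3A%2F%2Ftenant.example%2Flogin%2Fcallback")
BAD = ("https://idp.example/oauth/authorize?response_type=code&client_id=abc"
       "&redirect_uri=https%3A%2F%2Fwww.example.org%2F")

if __name__ == "__main__":
    for url in (GOOD, BAD):
        print(check_upstream_redirect(url, "tenant.example", "www.example.org") or "ok")
```

The redirect URI registered with the upstream host has to match the value this check accepts.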