Why does WordPress Auth0 plugin require implicit grant type even when implicit flow is disabled?

We’ve just integrated WordPress with Auth0 using the Auth0 plugin. The “Implicit Login Flow” setting in the Auth0 plugin is switched off. However, when I switch off the implicit flow in my Auth0 Application → Advanced Settings → Grant Types, I start getting errors in the logs (Failed Silent Auth: “description”: “Grant type ‘implicit’ not allowed for the client.”). Indeed, when I look at the network traffic in Fiddler I can see that a request with response_type=token is made from a file called iframe-handler.js.

Why does the WordPress Auth0 plugin need to make these implicit flow requests when the implicit flow is explicitly (pardon the pun) switched off in Auth0? I’d rather not use the implicit flow at all and switch it off in the Auth0 settings.

Hi @james.bateson … if you have SSO on but Universal Login Page (ULP) off (both on the Features tab of the settings screen), then the plugin will attempt to log you in using the implicit flow when you visit wp-login.php (you can see it in the Network tab in your browser as well). Either switch off SSO or switch off ULP and those calls will stop. SSO will start using the ULP in the next major version of the plugin anyways, partly to avoid this.

implicit flow is explicitly (pardon the pun)

:slight_smile:

Thanks for your reply. We have both SSO and Universal Login Page switched ON. Do you still expect the implicit flow to be used in these circumstances?

Do you have Single Log Out turned on? That would also generate a call, it just occurred to me (and will be removed in an upcoming version as well).

If that’s off then we’ll need to figure out where you’re navigating to generate that call.

Yes - we have single logout enabled.

Thanks for your help. It’s good to know it’s working as intended. We look forward to the future version.

It’s good to know it’s working as intended.

As originally intended but possibly not as currently recommended :slight_smile:

Since your Auth0 Application does not allow the grant and you’re using the ULP, I would just turn SSO and SLO off. SSO is not being used if ULP is on and SLO is not possible with your configuration.
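To check which requests would break before removing the implicit grant from the Application, the `/authorize` URLs seen in Fiddler or the browser Network tab can be classified by their `response_type` and `prompt` parameters. The following is an added example, not code from the thread or from the plugin; the URLs are constructed samples, and the host `tenant.example` and `CLIENT_ID` are placeholders.

```javascript
// Classify captured /authorize request URLs by OAuth 2.0 / OIDC flow.
// Constructed sample capture: host and client_id are placeholders.
const captured = [
  "https://tenant.example/authorize?client_id=CLIENT_ID&response_type=token&prompt=none&redirect_uri=https%3A%2F%2Fwp.example%2F",
  "https://tenant.example/authorize?client_id=CLIENT_ID&response_type=code&scope=openid&redirect_uri=https%3A%2F%2Fwp.example%2F",
  "https://tenant.example/authorize?client_id=CLIENT_ID&response_type=id_token%20token&nonce=n1",
  "https://wp.example/wp-login.php",
];

// Returns null for anything that is not an /authorize request.
function classifyAuthorizeRequest(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  if (!url.pathname.endsWith("/authorize")) return null;

  // response_type is a space-separated list; searchParams decodes %20 and +.
  const types = (url.searchParams.get("response_type") || "")
    .split(/\s+/).filter(Boolean);
  const hasCode = types.includes("code");
  // "token" and "id_token" are returned in the redirect itself (front channel).
  const hasFrontChannel = types.includes("token") || types.includes("id_token");

  let flow = "unknown";
  if (hasCode && hasFrontChannel) flow = "hybrid";
  else if (hasFrontChannel) flow = "implicit";
  else if (hasCode) flow = "authorization_code";

  return {
    host: url.host,
    responseType: types.join(" "),
    flow,
    // prompt=none is silent authentication (no login UI is shown),
    // which is what the "Failed Silent Auth" log entry refers to.
    silent: url.searchParams.get("prompt") === "none",
  };
}

// Requests that return tokens in the front channel and so depend on the
// implicit grant being allowed for the client.
function findImplicitRequests(urls) {
  return urls
    .map(classifyAuthorizeRequest)
    .filter((r) => r && (r.flow === "implicit" || r.flow === "hybrid"));
}

for (const r of findImplicitRequests(captured)) {
  console.log(`${r.flow}${r.silent ? " (silent)" : ""}: response_type="${r.responseType}" host=${r.host}`);
}
```

An empty result after changing the plugin settings means the capture contains no request that still asks for tokens in the front channel.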