We’ve just integrated WordPress with Auth0 using the Auth0 plugin. The “Implicit Login Flow” setting in the Auth0 plugin is switched off. However, when I switch off the implicit flow in my Auth0 Application -> Advanced Settings -> Grant Types, I start getting errors in the logs (Failed Silent Auth: “description”: “Grant type ‘implicit’ not allowed for the client.”). Indeed, when I look at the network traffic in Fiddler, I can see that a request with response_type=token is made from a file called iframe-handler.js.
Why does the WordPress Auth0 plugin need to make these implicit flow requests when the implicit flow is explicitly (pardon the pun) switched off in the Auth0? I’d rather not use the implicit flow at all and switch it off in the Auth0 settings.
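The check described in the post (spotting `response_type=token` in captured traffic) can be automated over a list of request URLs exported from a proxy. This is an added example, not part of the original post or of the Auth0 plugin; the function names, `tenant.example`, `site.example` and `CLIENT_ID` are constructed placeholders.

```javascript
// Constructed sample URLs, as they might be copied out of a proxy capture.
const SAMPLE_REQUESTS = [
  "https://tenant.example/authorize?client_id=CLIENT_ID&response_type=token&prompt=none&redirect_uri=https%3A%2F%2Fsite.example%2F",
  "https://tenant.example/authorize?client_id=CLIENT_ID&response_type=code&redirect_uri=https%3A%2F%2Fsite.example%2Fcallback",
  "https://tenant.example/authorize?client_id=CLIENT_ID&response_type=code%20id_token&nonce=n1",
  "https://site.example/wp-login.php?action=logout", // not an authorization request
];

// Map an OAuth 2.0 / OpenID Connect response_type value to the flow it selects.
// response_type is a space-separated set, so order must not matter.
function classifyResponseType(responseType) {
  const parts = new Set(responseType.trim().split(/\s+/).filter(Boolean));
  const frontChannel = parts.has("token") || parts.has("id_token");
  if (parts.has("code")) return frontChannel ? "hybrid" : "authorization_code";
  return frontChannel ? "implicit" : "unknown";
}

// Return one finding per URL that carries a response_type parameter.
function auditRequests(urls) {
  const findings = [];
  for (const raw of urls) {
    let url;
    try {
      url = new URL(raw);
    } catch {
      continue; // skip lines that are not absolute URLs
    }
    const responseType = url.searchParams.get("response_type");
    if (responseType === null) continue;
    const flow = classifyResponseType(responseType);
    findings.push({
      host: url.host,
      path: url.pathname,
      responseType,
      flow,
      // prompt=none marks a silent (no-UI) authentication attempt
      silent: url.searchParams.get("prompt") === "none",
      // true when tokens come back directly from the authorization endpoint
      frontChannelTokens: flow === "implicit" || flow === "hybrid",
    });
  }
  return findings;
}

for (const f of auditRequests(SAMPLE_REQUESTS)) console.log(f);
```

Any finding with `flow: "implicit"` corresponds to the kind of request the post traces to iframe-handler.js.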