Last Updated: Dec 5, 2024
Overview
An app has been configured as a Regular Web Application.
WordPress is configured to use the Auth0 Plugin. The application has been configured to use both Embedded Login and a Passwordless email connection.
Use of an Embedded Login fails with the error:
Client Authentication is required
However, normal logins triggered through the default wp-login.php page work as expected.
Applies To
- WordPress
Cause
When using an embedded login page, the application will use the Lock SDK by default. However, as this is embedded, it is running in the user’s browser and not on a backend. Therefore, it will not have access to the client’s secret.
In this specific case, the Lock-powered login page is attempting to call the /passwordless/start endpoint without sending a client secret.
The issue here is that the client is set to be a regular web application, which has the token endpoint authentication method set to "client secret (Post)" by default. In that configuration the client secret must be sent with the request, so the passwordless login attempt from the browser cannot satisfy the check. In these circumstances, it is expected that the login will fail.
NOTE: this situation can arise when the Wizard is used to install the plugin. Generally, the plugin expects the target application to be configured in a certain way. However, the Wizard does not allow for the fact that Embedded Login and Passwordless connections may be used by the application.
Solution
Changing the application's credentials setting to "none" should allow users to log in via the embedded page. The outcome is that the call to /passwordless/start will succeed without passing the client secret. For more information, refer to Credential Settings
However, there are some disadvantages to this approach:
- Auth0 recommends avoiding embedded login pages where possible, as they have security drawbacks. For details, refer to Central Universal Login v. Embedded Login
- Switching to a non-authenticated flow (not passing the client secret) reduces the rate limit on the /passwordless/start endpoint to 50 requests per hour per IP address. For details, refer to Rate-Limit Policy
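A simplified model of the exchange described in the Cause and Solution sections above, added here as an example and not Auth0's or the plugin's code: the request fields match the /passwordless/start API, while the server-side enforcement, the per-IP limit figure and the application values (EXAMPLE_CLIENT_ID, EXAMPLE_SECRET) are assumptions constructed to mirror what the article describes.

```python
"""Simplified model of the failure this article describes, written for this page
(not Auth0's code). Request fields match the /passwordless/start API; the
enforcement logic and the rate-limit figure are assumptions mirroring the text."""
import hmac

class ClientAuthenticationRequired(Exception):
    """The application requires a client secret but the request carried none."""

def passwordless_start(app, body):
    """Model /passwordless/start: enforce the application's credential setting."""
    if body.get("client_id") != app["client_id"]:
        raise ValueError("unknown client_id")
    method = app["token_endpoint_auth_method"]
    secret = body.get("client_secret")
    if method == "client_secret_post":  # default for a Regular Web Application
        if secret is None:
            raise ClientAuthenticationRequired("Client Authentication is required")
        if not hmac.compare_digest(secret, app["client_secret"]):
            raise PermissionError("invalid client secret")
        per_ip_limit = None  # authenticated flow: not subject to the per-IP cap
    elif method == "none":
        # Non-authenticated flow: the article notes the per-IP limit on
        # /passwordless/start drops to 50 requests per hour.
        per_ip_limit = 50
    else:
        raise ValueError(f"unsupported token_endpoint_auth_method: {method}")
    return {"connection": body["connection"], "email": body["email"],
            "send": body["send"], "rate_limit_per_ip_per_hour": per_ip_limit}

def embedded_login_request(client_id, email):
    """Body a Lock-powered page in the browser can build: no client_secret,
    because a browser page has nowhere safe to keep one."""
    return {"client_id": client_id, "connection": "email",
            "email": email, "send": "link"}

def backend_request(app, email):
    """Body server-side code can build, since it holds the secret."""
    return dict(embedded_login_request(app["client_id"], email),
                client_secret=app["client_secret"])

# Constructed sample: how the plugin Wizard leaves the application configured.
SAMPLE_APP = {"client_id": "EXAMPLE_CLIENT_ID", "client_secret": "EXAMPLE_SECRET",
              "app_type": "regular_web", "token_endpoint_auth_method": "client_secret_post"}

def diagnose(app, body):
    """Return 'ok' or the error message the request would produce."""
    try:
        passwordless_start(app, body)
        return "ok"
    except (ClientAuthenticationRequired, PermissionError, ValueError) as exc:
        return str(exc)
```

Running diagnose with SAMPLE_APP and an embedded request reproduces the article's error, while the same request against a copy of the application with token_endpoint_auth_method set to "none" succeeds at the lower per-IP limit.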