WordPress Login Error: "Client authentication is required"

Problem statement

An app has been configured as a Regular Web Application.

WordPress is configured to use the Auth0 Plugin. The application has been configured to use both Embedded Login and a Passwordless email connection.

Use of an Embedded Login fails with the error:

Client Authentication is required

However, normal logins that get triggered by the default wp-login.php work as expected.

Troubleshooting

Search the Tenant Logs

Search the tenant logs for evidence of failed login attempts:

  1. Log in to the Auth0 dashboard.
  2. Navigate to Monitoring > Logs.
  3. Enter this query string into the search box: "description": "Client authentication is required".
  4. Execute the search query to find instances of this specific type of login failure.

Generate a HAR file

  1. Capture the failed login flow in a HAR file for analysis. For guidance, refer to Generate and Analyze HAR files.
  2. Review the contents of the HAR file to determine the cause of the failure.

Cause

When using an embedded login page, the application will use the Lock SDK by default. However, as this is embedded, it is running in the user’s browser and not on a backend. Therefore, it will not have access to the client’s secret.

In this specific case, the Lock-powered login page is attempting to call the /passwordless/start endpoint without sending a client secret.

The issue here is that the client is set to be a Regular Web Application, which has the token endpoint authentication method set to "Client Secret (Post)" by default. In this configuration the client secret must be passed with the passwordless login attempt, and a request that omits it is expected to fail.
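To make the HAR review step above concrete, and to show the cause described in this section, the following Python script is an added example (not part of this article or of the Auth0 plugin). It parses a HAR capture, picks out the POST requests to /passwordless/start, reports whether each request body carried a client_secret, and matches the response against the "Client authentication is required" error. The embedded HAR is constructed for illustration: the tenant domain, client_id value, HTTP status codes and response bodies are placeholders, not a real capture. The script deliberately reports only whether a client_secret is present and never prints its value, since a HAR file that contains one is itself a credential that should be handled carefully.

```python
import json
import sys
from urllib.parse import parse_qs, urlparse

# Constructed sample HAR (placeholder domain, client_id and responses; not a real capture).
# Entry 1: the browser-side Lock request that fails because no client_secret is sent.
# Entry 2: the same request after the application's credentials setting was changed to "none".
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"method": "POST",
                     "url": "https://example-tenant.auth0.com/passwordless/start",
                     "headers": [{"name": "Content-Type", "value": "application/json"}],
                     "postData": {"mimeType": "application/json",
                                  "text": json.dumps({"client_id": "CLIENT_ID_PLACEHOLDER",
                                                      "connection": "email",
                                                      "email": "user@example.com",
                                                      "send": "link"})}},
         "response": {"status": 401,
                      "content": {"mimeType": "application/json",
                                  "text": json.dumps({"error_description":
                                                      "Client authentication is required"})}}},
        {"request": {"method": "POST",
                     "url": "https://example-tenant.auth0.com/passwordless/start",
                     "headers": [{"name": "Content-Type", "value": "application/json"}],
                     "postData": {"mimeType": "application/json",
                                  "text": json.dumps({"client_id": "CLIENT_ID_PLACEHOLDER",
                                                      "connection": "email",
                                                      "email": "user@example.com",
                                                      "send": "link"})}},
         "response": {"status": 200,
                      "content": {"mimeType": "application/json",
                                  "text": json.dumps({"email": "user@example.com"})}}},
    ]}
})


def parse_post_body(post_data):
    """Return a POST body as a dict; handles JSON, form-encoded and HAR 'params' bodies."""
    if not post_data:
        return {}
    mime = post_data.get("mimeType", "")
    text = post_data.get("text", "")
    if "json" in mime:
        try:
            return json.loads(text)
        except ValueError:
            return {}
    if "x-www-form-urlencoded" in mime:
        return {k: v[0] for k, v in parse_qs(text).items()}
    if "params" in post_data:
        return {p["name"]: p.get("value", "") for p in post_data["params"]}
    return {}


def find_passwordless_start(har_text):
    """Summarise every POST to /passwordless/start in a HAR document."""
    har = json.loads(har_text)
    findings = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        if req.get("method") != "POST" or urlparse(req["url"]).path != "/passwordless/start":
            continue
        body = parse_post_body(req.get("postData"))
        try:
            resp_body = json.loads(resp.get("content", {}).get("text") or "{}")
        except ValueError:
            resp_body = {}
        description = str(resp_body.get("error_description", ""))
        findings.append({
            "url": req["url"],
            "status": resp.get("status"),
            "connection": body.get("connection"),
            # Presence only: the secret value itself is never copied out of the HAR.
            "sent_client_secret": "client_secret" in body,
            "client_auth_failure": "client authentication is required" in description.lower(),
        })
    return findings


def diagnose(har_text):
    """Turn the findings into one verdict line per /passwordless/start request."""
    verdicts = []
    for f in find_passwordless_start(har_text):
        if f["client_auth_failure"] and not f["sent_client_secret"]:
            verdicts.append(f"{f['url']}: HTTP {f['status']}, no client_secret in the request body; "
                            "the application's token endpoint authentication method requires one "
                            "(the Regular Web Application default), but browser-side Lock cannot send it.")
        elif f["client_auth_failure"]:
            verdicts.append(f"{f['url']}: HTTP {f['status']}, client_secret was sent but rejected; "
                            "check that the secret matches the application.")
        else:
            verdicts.append(f"{f['url']}: HTTP {f['status']}, request accepted "
                            f"(client_secret sent: {f['sent_client_secret']}).")
    return verdicts


if __name__ == "__main__":
    # Usage: python har_check.py capture.har   (falls back to the constructed sample)
    har_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HAR
    for line in diagnose(har_text):
        print(line)
```

Run against a real capture, the first verdict form is the signature of the problem this article describes: a browser-originated call to /passwordless/start with no client_secret, answered with "Client authentication is required".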

NOTE: This situation can arise when the Wizard is used to install the plugin. Generally, the plugin expects the target application to be configured in a certain way. However, the Wizard does not allow for the fact that Embedded Login and Passwordless connections may be used by the application.

Solution

Changing the application's credentials setting to "None" should allow users to log in via the embedded page. The outcome is that they will successfully call /passwordless/start, though without passing the client secret. For more information, refer to Credential Settings.

However, there are some disadvantages to this approach:

  • Auth0 does not recommend using embedded login pages where possible, as they have some security drawbacks. For details, refer to Central Universal Login v. Embedded Login.
  • Changing to a non-authenticated flow (not passing the client secret) will reduce the rate limit on the /passwordless/start endpoint to 50 requests an hour per IP address. For details, refer to Rate-Limit Policy.

Related References