Wordpress Login Error: "Client authentication is required"

rueben.tiow · January 23, 2024, 7:18pm

Last Updated: Dec 5, 2024

Overview

An app has been configured as a Regular Web Application.

WordPress is configured to use the Auth0 Plugin. The application has been configured to use both Embedded Login and a Passwordless email connection.

Use of an Embedded Login fails with the error:

Client Authentication is required

However, normal logins that get triggered by the default wp-login.php work as expected.

Applies To

WordPress

Cause

When using an embedded login page, the application will use the Lock SDK by default. However, as this is embedded, it is running in the user’s browser and not on a backend. Therefore, it will not have access to the client’s secret.

In this specific case, the Lock-powered login page is attempting to call the /passwordless/start endpoint without sending a client secret.

The issue here is that the client is set to be a regular web application , which has the token endpoint authentication method set to "client secret (Post) " by default - thus it requires the client secret to be passed in this configuration for the passwordless login attempt. In these circumstances, it is expected that the login will fail.

NOTE: this situation can arise when the Wizard is used to install the plugin. Generally, the plugin expects the target application to be configured in a certain way. However, the Wizard does not allow for the fact that Embedded Login and Passwordless connections may be used by the application.

Solution

Changing the application’s credentials setting to "none " should allow users to login via the embedded page. The outcome is that they will successfully call /passwordless/start, though without passing the client secret. For more information, refer to Credential Settings

However, there are some disadvantages to this approach:

Auth0 does not recommend using embedded login pages where possible, as it has some security drawbacks. For details refer to Central Universal Login v. Embedded Login
Changing to using a non-authenticated flow (not passing the client secret) will result in a reduction in the rate limits on the /passwordless/start endpoint to 50 an hour per IP address. For details, refer to Rate-Limit Policy

Topic		Replies	Views
Login by Auth0 (Wordpress) Passwordless OTP and Embed Get Help login-experience , login-prompt-new-experience	2	798	October 2, 2023
Login is successful but can't get in due to "Unknown client" Get Help login-experience , new-universal-login-experience	4	1311	April 14, 2023
Wordpress plugin: Signature verification failed Get Help wordpress , wordpress-login , failed-login	2	5371	March 2, 2018
Wordpress plugin: Invalid Authorization Code when logging in Get Help wordpress	8	4792	March 2, 2018
I reset my password and it will not let me into my Wordpress site. It changes my password Get Help password-reset	8	3729	March 2, 2018

Wordpress Login Error: "Client authentication is required"

Overview

Applies To

Cause

Solution

Related References

Related topics