wordpress

Full Changelog

Fixed

• Resolved an issue with corrupted JSON payloads.

Changed

• Tested against WordPress 6.5.5 w/ PHP 8.3.
• Improved translated string handling.

Fixed

• Resolved issue with ?wle parameter handling.

Fixed

• Resolves an issue in which the fallback URI secret isn't shown. #903 (HPiirainen)
• Resolves a compatibility issue with changes in WordPress 6.5 causing invalidated sessions. (evansims)

Full Changelog

Added

• Add support for Wordpress 'reauth' #877 (PeterGFernandez)

Changed

• PHP 8.0+ compatibility improvements #878 (PeterGFernandez)
• Remove Initial Setup Wizard #886 (evansims)

You can verify the signature of a downloaded release archive using OpenSSL. Download the public signing key from the GitHub repository and save it to the same directory as the .ZIP and .SIGN files provided with this release, then run the following:

openssl dgst -verify public-signing-key.pub -keyform PEM -sha256 -signature Auth0_WordPress_Plugin_4.6.0.zip.sign -binary Auth0_WordPress_Plugin_4.6.0.zip

Added

• feat(SDK-4734): Implement support for Back-Channel Logout #882 (evansims) ¹

Changed

• Bumped auth0-php dependency version range to ^8.10.
• Raised the minimum supported PHP version to 8.1.
• Confirmed support for WordPress 6.4. Updated metadata to reflect support.

[!NOTE]
¹ To use this feature, an Auth0 tenant must have support for it enabled.

Added

• Organization Name support was added for Authentication API and token handling ¹

Updated

• Bumped tested WordPress version to 6.3.0.
• Bumped auth0-php dependency version range to ^8.7.
• Updated telemetry to indicate wordpress package (previously wp-auth0.)

Note
¹ To use this feature, an Auth0 tenant must have support for it enabled. This feature is not yet available to all tenants.

Full Changelog

Added

• Cookie domain configuration to Advanced Options. #864 (evansims)
• Option to disable plugin logging. #848 (adamstraube)

Fixed

• auth0_update_meta filter not passing $value #847 (QWp6t)
• wpa0_should_create_user filter not registering with correct parameter count #843 (alyxb)

You can verify the signature of a downloaded release archive using OpenSSL. Download the public signing key from the GitHub repository and save it to the same directory as the .ZIP and .SIGN files provided with this release, then run the following:

openssl dgst -verify public-signing-key.pub -keyform PEM -sha256 -signature Auth0_WordPress_Plugin_4.5.0.zip.sign -binary Auth0_WordPress_Plugin_4.5.0.zip

Full Changelog

Fixed

• Resolves an issue which sometimes prevented the plugin from being activated on WordPress 6

Full Changelog

Introducing V5 of WP-Auth0 ("Login by Auth0"), a major redesign and upgrade to our WordPress integration plugin. V5 includes many new features and changes:

• WordPress 6 and PHP 8 support
• Integration with the Auth0-PHP SDK, and access to its entire API (including Management API calls)
• High performance background sync using WordPress' Cron feature
• "Flexible identifier" support, allowing users to sign in using multiple connection types without requiring extra configuration
• Expanded control over how sign ins without matching existing WordPress accounts are handled
• Enhanced session pairing between WordPress and Auth0, including session invalidation, access token refresh, and more.

V5 represents a major step forward for our WordPress plugin, and we're excited to see what you build with it!

It's important to note, if you wrote custom theme code or plugins for your WordPress site that targeted previous versions of the plugin, you may need to adjust those themes or plugins to adapt to the new version. We will be rolling this release out to the WordPress plugin store in the near future. Meanwhile, you can manually install the package using Composer using the instructions in the README.

⚠️ Version 5.0 of our plugin is now available in Beta. This release adds a significant number of features, and includes breaking changes. We do not recommend using this release in a production environment yet, but your feedback and testing is appreciated.

New Features

• PHP 8.0 Support — The plugin has been redesigned to use PHP 8.0+ language features.
• Flexible Connection Matching — This allows users to sign in using multiple connections to the same account. For example, with this you can now sign in using your standard email-password, or social connections you've enabled. Any connection works so long as the authenticating account shares the same (verified) email address.
• Absentee Account Handling — You can now choose different behaviors for handling when a user signs in successfully, but an account doesn't exist matching the email. Although Auth0 Database Connections have always handled this well on the API side with the 'Disable Sign-Ups' toggle, social connections are trickier in cases where that option doesn't exist. You can now choose to deny those types of authentication requests, or dynamically create new accounts for those users.
• WP-Cron support — The plugin now leverages the WP background task scheduler to improve performance. Because real-time Management API calls can sometimes fail (rate limits, network congestion on one's hosting provider, etc.) we can now batch changes for WP customers with high traffic sites to more efficiently bring their CMS and Auth0 databases in sync.
• Session Pairing — WordPress sessions are not completely managed by the plugin, ensuring scenarios like token expiration and refresh tokens are honored and properly acted upon.
• PSR-18, PSR-17 and PSR-7 Support — All networking functions of the plugin have been rewritten to use the PHP-FIG standards for HTTP messaging. This also removes the library's dependency on Guzzle.
• WP_Object_Cache support — Caching now uses the native WP_Object_Cache API, for enhanced storage options through third-party plugins. In particular, this is now used for JWKS caching, enabling improved performance.

Breaking Changes

• PHP 8.0.0 is now the minimum supported version.
• Embedded login support has been deprecated, and Universal Login is now required.
• All auth0_ and a0_ prefixed functions have migrated into classes beneath the Auth0\WordPress namespace.
• All previous JWT processing using third-party libraries has been removed. This is now handled by Auth0's PHP SDK.
• Auth0\WordPress\Plugin handles the underlying Auth0-PHP SDK initialization and configuration.
• Auth0\WordPress\Actions\Authentication now handles all authentication functions, and acts as the core for the various WordPress hooks used throughout the system.
• Auth0\WordPress\Actions\Configuration now handles all Admin UI rendering functions. A new configuration database storage format has been established which will supersede the previous V4 method.
• Auth0\WordPress\Actions\Sync manages the new WP-Cron scheduled task functions.
• Sessions have been reworked to support the new Auth0 PHP SDK 8.0+ format.

Additional new features and changes may be added before this new version is released as stable.

⚠️ Version 5.0 of our plugin is now available in Beta. This release adds a significant number of features. We do not recommend using this release in a production environment yet. There are breaking changes and some functionality remaining to be implemented. In particular, the migration process needs further development and testing. As we move toward General Availability, please be aware that further beta releases may contain additional breaking changes.

A new Beta Channel version of the plugin will be available from the WordPress plugin marketplace soon, which will enable you to opt into receiving updates to new development releases as they happen.

New Features

• PHP 8.0 Support — The plugin has been redesigned to use PHP 8.0+ language features.
• Flexible Connection Matching — This allows users to sign in using multiple connections to the same account. For example, with this you can now sign in using your standard email-password, or social connections you've enabled. Any connection works so long as the authenticating account shares the same (verified) email address.
• Absentee Account Handling — You can now choose different behaviors for handling when a user signs in successfully, but an account doesn't exist matching the email. Although Auth0 Database Connections have always handled this well on the API side with the 'Disable Sign Ups' toggle, social connections are trickier in cases where that option doesn't exist. You can now choose to deny those types of authentication requests, or dynamically create new accounts for those users.
• WP-Cron support — The plugin now leverages the WP background task scheduler to improve performance. Because real time Management API calls can sometimes fail (rate limits, network congestion on ones hosting provider, etc.) we can now batch changes for WP customers with high traffic sites to more efficiently bring their CMS and Auth0 databases in sync.
• Session Pairing — WordPress sessions are not completely managed by the plugin, ensuring scenarios like token expiration and refresh tokens are honored and properly acted upon.
• PSR-18, PSR-17 and PSR-7 Support — All networking functions of the plugin have been rewritten to use the PHP-FIG standards for HTTP messaging. This also removes the library's dependency on Guzzle.
• WP_Object_Cache support — Caching now uses the native WP_Object_Cache API, for enhanced storage options through third party plugins. In particular, this is now used for JWKS caching, enabling improved performance.

Breaking Changes

• PHP 8.0.0 is now the minimum supported version.
• Embedded login support has been deprecated, and Universal Login is now required.
• All auth0_ and a0_ prefixed functions have migrated into classes beneath the Auth0\WordPress namespace.
• All previous JWT processing using third-party libraries has been removed. This is now handled by Auth0's PHP SDK.
• Auth0\WordPress\Plugin handles the underlying Auth0-PHP SDK initialization and configuration.
• Auth0\WordPress\Actions\Authentication now handles all authentication functions, and acts as the core for the various WordPress hooks used throughout the system.
• Auth0\WordPress\Actions\Configuration now handles all Admin UI rendering functions. A new configuration database storage format has been established which will supersede the previous V4 method.
• Auth0\WordPress\Actions\Sync manages the new WP-Cron scheduled task functions.
• Sessions have been reworked to support the new Auth0 PHP SDK 8.0+ format.

Additional new features and changes may be added before this new version is released as stable.

Full Changelog

Added

• Enable passing extra custom parameters to the New Universal Login #834 (evansims)
• Update tests to use PHPUnit 7 and Docker #835 (evansims)

Fixed

• Skip email sync with Auth0 when we know the update is coming from Auth0 #831 (drobin03)

Full Changelog

Fixed

• Update client configuration url for embedded logins #832 (evansims)

Full Changelog

Added

• Add support for Auth0 Organizations #827 (evansims)

Full Changelog

Added

• Support installations using WPackgist #819 (evansims)

Changed

• Initial support for PHP 8.0 #814 (evansims)
• Pass user info to auth0_before_login hook #817 (nicecatch)
• Add filters on user queries #812 (tharsheblows)
• Introduce static code analysis #813 (szepeviktor)

Fixed

• Fix enqueued scripts #816 (szepeviktor)

Full Changelog

Fixed

• Raise priority of authentication processing #803 (joshcanhelp)
• Fix potential infinite loop on email update #802 (joshcanhelp)

Full Changelog

Closed issues

• With a custom domain, JWKs aren't being fetched from the correct domain #790

Changed

• Load ourselves with Composer autoloader #787 (szepeviktor)

Fixed

• Fix incorrect function in uninstall hook #795 (joshcanhelp)
• Align the client ID and redirect URI used in the setup wizard #794 (joshcanhelp)
• Fix custom domain not being used in JWKS #792 (joshcanhelp)
• Pass shortcode atts to the handler #789 (drobin03)
• PHPStan Level 2 fixes #785 (szepeviktor)

Full Changelog

This is a major release with breaking changes!

In addition to the minimum PHP version being updated from 5.3 to 7.0, there are many breaking removals and changes that are covered in the migration guide included in this release.

Closed issues

• pt-BR language is not being installed #760
• Authorization Extension, groups, roles not showing up #701
• Using the auth0 word in the URL path triggers an authorization code exchange #351

Added

• PHPCS security scan, sanitization and escaping improvements, and removed custom admin styling (see commits for details)
• Add settings validation to import #777 (joshcanhelp)
• Add ability to break cache if RS256 ID token kid is not found #770 (joshcanhelp)
• Remove error_log calls and add auth0_insert_error action #763 (joshcanhelp)
• Get new access token via refresh token API #730 (albeja)
• feature/Adding Brazilian Portuguese translations #729 (niugait)
• Add wpa0_user_data filter before creating WP_User #717 (horike37)
• Add check for GET and POST globals for state validation #707 (joshcanhelp)

Changed

• Update Spanish and BR Portuguese translations #780 (joshcanhelp)
• Merge in 3.11.2 and 3.11.3 #779 (joshcanhelp)
• Update Embedded settings validation and defaults #776 (joshcanhelp)
• Update Basic settings validation and defaults #775 (joshcanhelp)
• Update Feature settings validation and defaults #774 (joshcanhelp)
• Update Advanced settings validation and defaults #773 (joshcanhelp)
• Change all redirects to wp_safe_redirect #771 (joshcanhelp)
• Remove deprecated from WP_Auth0_InitialSetup #754 (joshcanhelp)
• Remove deprecated from errorlog #753 (joshcanhelp)
• Move actions from methods to functions for profile delete and change email #751 (joshcanhelp)
• Remove deprecated from User and Change Password #750 (joshcanhelp)
• Remove deprecated from email verification #749 (joshcanhelp)
• Remove deprecated from admin #748 (joshcanhelp)
• Move WP_Auth0_Routes initialize method to function #745 (joshcanhelp)
• Merge WP_Auth0_Options_Generic into WP_Auth0_Options #741 (joshcanhelp)
• Rename Lock option class and remove deprecated #739 (joshcanhelp)
• Improve OIDC Compliance #734 (joshcanhelp)
• Update minimum PHP to 7.0 and WP to 4.9 #732 (joshcanhelp)
• Update auth params method to add filters #716 (joshcanhelp)
• Move WooCommerce hooks to global functions and remove init method #705 (joshcanhelp)
• Bump PHP version to 5.6; auto-adjust array syntax #696 (joshcanhelp)

Removed

• Remove migration JWT JTI check #778 (joshcanhelp)
• Remove custom signup fields setting #765 (joshcanhelp)
• Remove Bootstrap, fonts, and descriptions from admin pages #764 (joshcanhelp)
• Remove connection deactivation on setup #762 (joshcanhelp)
• Remove future iat check #757 (joshcanhelp)
• Remove class WP-Auth0 and move methods to functions #756 (joshcanhelp)
• Remove deprecated from import settings #752 (joshcanhelp)
• Remove user export functionality #747 (joshcanhelp)
• Remove deprecated from WP_Auth0_DBManager and move init to function #746 (joshcanhelp)
• Remove deprecated from WP_Auth0_UsersRepo #744 (joshcanhelp)
• Remove WP_Auth0_EditProfile #743 (joshcanhelp)
• Remove client_secret_b64_encoded setting #742 (joshcanhelp)
• Remove deprecated WP_Auth0_Api_Operations methods #740 (joshcanhelp)
• Remove deprecated IP and referrer checks #738 (joshcanhelp)
• Remove deprecated Management API functionality #737 (joshcanhelp)
• Remove class WP_Auth0_RulesLib #736 (joshcanhelp)
• Remove implicit login flow #735 (joshcanhelp)
• Remove deprecated WP_Auth0_Metrics class #728 (joshcanhelp)
• Remove deprecated WP_Auth0_Lock_Options class #727 (joshcanhelp)
• Remove deprecated WP_Auth0_CustomDBLib class #726 (joshcanhelp)
• Remove deprecated WP_Auth0_Api_Client methods #725 (joshcanhelp)
• Remove login manager deprecated #724 (joshcanhelp)
• Remove features including SSO on wp-login/php #723 (joshcanhelp)
• Remove deprecated basic settings; centralize validation declaration #722 (joshcanhelp)
• Remove appearance settings #721 (joshcanhelp)
• Remove all unused and deprecated advanced setting functionality #720 (joshcanhelp)
• Remove unused setup wizard classes, methods, and templates #719 (joshcanhelp)
• Remove JWT auth plugin integration #715 (joshcanhelp)
• Remove Social Amplificator and related assets #714 (joshcanhelp)
• Remove dashboard widgets #713 (joshcanhelp)
• Remove feedback form from help tab #712 (joshcanhelp)

Fixed

• Fix include path for functions file #755 (joshcanhelp)
• Merge in released 3.11.1 version #709 (joshcanhelp)
• Fix auth0 in paths triggering callback #697 (joshcanhelp)

Full Changelog

Security

• Fix potential XSS on wp-login.php override page #768 (kinabalu)

Full Changelog

• Add path to functions.php include #759 (joshcanhelp)
• Patch samesite for implicit #758 (joshcanhelp)

Important note for sites using the Implicit Login Flow setting: The upcoming changes to SameSite handling in multiple browsers will require sites using the Implicit Login Flow setting to also be served on a secure channel (callback URL using "https"). This setting will be removed in the upcoming major version but is patched for sites that need time to migrate.