fix SSO and SLO with lock 10

Author: glena

lib/WP_Auth0_Lock10_Options.php

@@ -99,7 +99,7 @@ public function modal_button_name() {
   }
 
   public function get_state_obj( $redirect_to = null ) {
-    
+
     if ( isset( $_GET['interim-login'] ) && $_GET['interim-login'] == 1 ) {
       $interim_login = true;
     } else {
@@ -114,6 +114,8 @@ public function get_state_obj( $redirect_to = null ) {
       $stateObj["redirect_to"] = addslashes( $_GET['redirect_to'] );
     }
 
+    $stateObj["state"] = 'nonce';
+
     return base64_encode( json_encode( $stateObj ) );
   }
 
@@ -198,17 +200,15 @@ public function has_custom_signup_fields() {
   }
 
   public function get_sso_options() {
-    $options = $this->get_lock_options();
-
     $options["scope"] = "openid ";
 
     if ( $this->get_auth0_implicit_workflow() ) {
-      $options["callbackOnLocationHash"] = true;
-      $options["callbackURL"] = $this->get_implicit_callback_url();
+      $options["responseType"] = 'id_token';
+      $options["redirectUri"] = $this->get_implicit_callback_url();
       $options["scope"] .= "name email picture nickname email_verified";
     } else {
-      $options["callbackOnLocationHash"] = false;
-      $options["callbackURL"] = $this->get_code_callback_url();
+      $options["responseType"] = 'code';
+      $options["redirectUri"] = $this->get_code_callback_url();
     }
 
     $redirect_to = null;
@@ -221,9 +221,9 @@ public function get_sso_options() {
 
     unset( $options["authParams"] );
     $options["state"] = $this->get_state_obj( $redirect_to );
+    $options["nonce"] = 'nonce';
 
     return $options;
-
   }
 
   public function get_lock_options() {
@@ -241,7 +241,7 @@ public function get_lock_options() {
     $extended_settings = $this->build_settings( $extended_settings );
 
     $extraOptions = array(
-      "auth"    => array( 
+      "auth"    => array(
         "params" => array("state" => $state ),
       ),
     );

lib/WP_Auth0_LoginManager.php

@@ -39,23 +39,17 @@ public function auth0_sso_footer( $previous_html ) {
 			return;
 		}
 
-		$lock_options = new WP_Auth0_Lock_Options();
+		$lock_options = new WP_Auth0_Lock10_Options();
 
 		$sso = $lock_options->get_sso();
 
 		if ( $sso ) {
-			$cdn = $lock_options->get_cdn_url();
 			$client_id = $lock_options->get_client_id();
 			$domain = $lock_options->get_domain();
+      $cdn = $this->a0_options->get('auth0js-cdn');
 
-			wp_enqueue_script( 'wpa0_lock', $cdn, 'jquery' );
-
-			if ($this->a0_options->get('use_lock_10')) {
-	      include WPA0_PLUGIN_DIR . 'templates/auth0-sso-handler-lock10.php';
-	    } else {
-	    	include WPA0_PLUGIN_DIR . 'templates/auth0-sso-handler.php';
-	    }
-
+      wp_enqueue_script( 'wpa0_auth0js', $cdn );
+      include WPA0_PLUGIN_DIR . 'templates/auth0-sso-handler-lock10.php';
 		}
 	}
 	public function auth0_singlelogout_footer( $previous_html ) {
@@ -79,12 +73,11 @@ public function auth0_singlelogout_footer( $previous_html ) {
 			return;
 		}
 
-		$cdn = $this->a0_options->get( 'cdn_url' );
+		$cdn = $this->a0_options->get('auth0js-cdn');
 		$client_id = $this->a0_options->get( 'client_id' );
 		$domain = $this->a0_options->get( 'domain' );
 		$logout_url = wp_logout_url( get_permalink() ) . '&SLO=1';
 
-		wp_enqueue_script( 'wpa0_lock', $cdn, 'jquery' );
 		include WPA0_PLUGIN_DIR . 'templates/auth0-singlelogout-handler.php';
 	}
 
@@ -162,7 +155,7 @@ public function init_auth0() {
 				$this->implicit_login();
 			} else {
 				$this->redirect_login();
-			}	
+			}
 		} catch (WP_Auth0_LoginFlowValidationException $e) {
 
 			$msg = __( 'There was a problem with your log in', WPA0_LANG );
@@ -182,7 +175,7 @@ public function init_auth0() {
 		} catch (Exception $e) {
 
 		}
-		
+
 	}
 
 	public function redirect_login() {
@@ -257,7 +250,7 @@ public function redirect_login() {
 				WP_Auth0_ErrorManager::insert_auth0_error( 'init_auth0_userinfo', $response );
 
 				error_log( $response->get_error_message() );
-				
+
 				throw new WP_Auth0_LoginFlowValidationException( );
 			}
 
@@ -389,7 +382,7 @@ private function do_login( $user, $userinfo, $is_new, $id_token, $access_token )
 			"user_login" => $user->user_login,
 			"user_password" => null,
 			"remember" => $remember_users_session
-			) 
+			)
 		);
 
 		//wp_set_current_user( $user->ID, $user->user_login );
@@ -437,7 +430,7 @@ public function login_user( $userinfo, $id_token, $access_token ) {
 			if ( isset( $userinfo->email ) && $user->data->user_email !== $userinfo->email ) {
 
 				$description = $user->data->description;
-				
+
 				if (empty($description)){
 					if (isset($userinfo->headline)) {
 						$description = $userinfo->headline;
@@ -453,10 +446,10 @@ public function login_user( $userinfo, $id_token, $access_token ) {
 					}
 				}
 
-				$user_id = wp_update_user( array( 
-					'ID' => $user->data->ID, 
-					'user_email' => $userinfo->email, 
-					'description' => $description, 
+				$user_id = wp_update_user( array(
+					'ID' => $user->data->ID,
+					'user_email' => $userinfo->email,
+					'description' => $description,
 				) );
 			}
 

lib/WP_Auth0_Options.php

@@ -122,8 +122,9 @@ protected function defaults() {
 			'auto_provisioning' => false,
 			'default_login_redirection' => home_url(),
 
-			'auth0_server_domain' => 'auth0.auth0.com',
+      'auth0_server_domain' => 'auth0.auth0.com',
 
+			'auth0js-cdn' => '//cdn.auth0.com/js/auth0/8.2.0/auth0.min.js',
 
 			//DASHBOARD
 			'chart_idp_type' => 'donut',

templates/auth0-singlelogout-handler.php

@@ -4,12 +4,18 @@
 
   var uuids = '<?php echo $user_profile->user_id; ?>';
   document.addEventListener("DOMContentLoaded", function() {
-    var lock = new Auth0Lock('<?php echo $client_id; ?>', '<?php echo $domain; ?>');
-    lock.$auth0.getSSOData(function(err, data) {
-      if (!err && ( !data.sso || uuids != data.lastUsedUserID) ) {
+    if (typeof(auth0) === 'undefined') {
+      return;
+    }
 
-        window.location = '<?php echo html_entity_decode( $logout_url ); ?>';
+    var webAuth = new auth0.WebAuth({
+      clientID:'<?php echo $client_id; ?>',
+      domain:'<?php echo $domain; ?>'
+    });
 
+    webAuth.client.getSSOData(function(err, data) {
+      if (!err && ( !data.sso || uuids != data.lastUsedUserID)) {
+        window.location = '<?php echo html_entity_decode( $logout_url ); ?>';
       }
     });
   });

templates/auth0-sso-handler-lock10.php

@@ -1,21 +1,21 @@
-<script id="auth0" src="<?php echo $cdn ?>"></script>
 <script type="text/javascript">
 document.addEventListener("DOMContentLoaded", function() {
   if (typeof(ignore_sso) !== 'undefined' && ignore_sso) {
     return;
   }
-  if (typeof(Auth0Lock) === 'undefined') {
-      return;
+  if (typeof(auth0) === 'undefined') {
+    return;
   }
 
-  var auth0 = new Auth0({
+  var webAuth = new auth0.WebAuth({
     clientID:'<?php echo $client_id; ?>',
     domain:'<?php echo $domain; ?>'
   });
-  auth0.getSSOData(function(err, data) {
-      if (!err && data.sso) {
-          auth0.signin(<?php echo json_encode( $lock_options->get_sso_options() ); ?>);
-      }
+
+  webAuth.client.getSSOData(function(err, data) {
+    if (!err && data.sso) {
+      webAuth.authorize(<?php echo json_encode( $lock_options->get_sso_options() ); ?>);
+    }
   });
 });
 </script>