Release 3.4.0 (#357)

* Added RS256 JWT Support (Default for New Clients)
* Add caching to JWKS fetching
* Added Lock 11, Update SSO (#350)
* Fixed Admin migration step in Setup Wizard
* Added WP_Auth0_Api_Client::signup_user

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Change Log
 
+## [3.4.0](https://github.com/auth0/wp-auth0/tree/3.4.0) (2018-01-08)
+[Full Changelog](https://github.com/auth0/wp-auth0/compare/3.3.2...3.4.0)
+
+**Added**
+- Added Lock 11 / Auth0 9.0, Updated SSO, JWT Algorithm Upgrade Fixes [\#350](https://github.com/auth0/wp-auth0/pull/350) ([cocojoe](https://github.com/cocojoe))
+- Add RS256 support [\#331](https://github.com/auth0/wp-auth0/pull/331) ([renrizzolo](https://github.com/renrizzolo))
+
+**Fixed**
+- Switching wizard admin user creation to use /dbconnections/signup  [\#356](https://github.com/auth0/wp-auth0/pull/356) ([joshcanhelp](https://github.com/joshcanhelp))
+
 ## [3.3.2](https://github.com/auth0/wp-auth0/tree/3.3.2) (2017-10-05)
 [Full Changelog](https://github.com/auth0/wp-auth0/compare/3.3.2...3.2.24)
 

README.md

@@ -182,7 +182,6 @@ And can be customized by adding the following parameters:
 * social_big_buttons: boolean
 * gravatar: boolean
 * username_style: string, "email" or "username"
-* remember_last_login: boolean
 * icon_url: string (valid url)
 * extra_conf: string, valid json
 * show_as_modal: boolean

WP_Auth0.php

@@ -2,16 +2,16 @@
 /**
  * Plugin Name: PLUGIN_NAME
  * Description: PLUGIN_DESCRIPTION
- * Version: 3.3.2
+ * Version: 3.4.0
  * Author: Auth0
  * Author URI: https://auth0.com
  */
 define( 'WPA0_PLUGIN_FILE', __FILE__ );
 define( 'WPA0_PLUGIN_DIR', trailingslashit( plugin_dir_path( __FILE__ ) ) );
 define( 'WPA0_PLUGIN_URL', trailingslashit( plugin_dir_url( __FILE__ ) ) );
 define( 'WPA0_LANG', 'wp-auth0' ); // deprecated; do not use for translations
-define( 'AUTH0_DB_VERSION', 14 );
-define( 'WPA0_VERSION', '3.3.2' );
+define( 'AUTH0_DB_VERSION', 15 );
+define( 'WPA0_VERSION', '3.4.0' );
 
 /**
  * Main plugin class

lib/WP_Auth0_Api_Client.php

@@ -168,10 +168,9 @@ public static function create_user( $domain, $jwt, $data ) {
 		$headers = self::get_info_headers();
 
 		$headers['Authorization'] = "Bearer $jwt";
-		$headers['content-type'] = "application/json";
+		$headers['content-type'] = 'application/json';
 
 		$response = wp_remote_post( $endpoint  , array(
-				'method' => 'POST',
 				'headers' => $headers,
 				'body' => json_encode( $data )
 			) );
@@ -191,6 +190,34 @@ public static function create_user( $domain, $jwt, $data ) {
 		return json_decode( $response['body'] );
 	}
 
+	public static function signup_user( $domain, $data ) {
+
+		$endpoint = "https://$domain/dbconnections/signup";
+
+		$headers = self::get_info_headers();
+
+		$headers['content-type'] = 'application/json';
+
+		$response = wp_remote_post( $endpoint  , array(
+			'headers' => $headers,
+			'body' => json_encode( $data )
+		) );
+
+		if ( $response instanceof WP_Error ) {
+			WP_Auth0_ErrorManager::insert_auth0_error( 'WP_Auth0_Api_Client::signup_user', $response );
+			error_log( $response->get_error_message() );
+			return false;
+		}
+
+		if ( $response['response']['code'] !== 200 ) {
+			WP_Auth0_ErrorManager::insert_auth0_error( 'WP_Auth0_Api_Client::signup_user', $response['body'] );
+			error_log( $response['body'] );
+			return false;
+		}
+
+		return json_decode( $response['body'] );
+	}
+
 	public static function get_required_scopes() {
 		return array(
 			'update:clients',
@@ -225,9 +252,14 @@ public static function create_client( $domain, $app_token, $name ) {
 							home_url( '/wp-login.php' )
 						),
 						"allowed_origins"=>array(
-							home_url( '/wp-login.php' ),
-							admin_url( '/admin.php?page=wpa0-setup&step=2&profile=social' )
+							home_url( '/wp-login.php' )
+						),
+						"jwt_configuration" => array(
+							"alg" => "RS256"
 						),
+						"app_type" => "regular_web",
+						"cross_origin_auth" => true,
+						"cross_origin_loc" => home_url('/index.php?auth0fallback=1','https'),
 						"allowed_logout_urls" => array(
 							$logout_url
 						),
@@ -246,7 +278,21 @@ public static function create_client( $domain, $app_token, $name ) {
 			return false;
 		}
 
-		return json_decode( $response['body'] );
+		$response = json_decode( $response['body'] );
+
+		// Workaround: Can't add `web_origin` on create
+		$payload = array(
+			"web_origins" => array(home_url())
+		);
+		$updateResponse = WP_Auth0_Api_Client::update_client($domain, $app_token, $response->client_id, false, $payload);
+
+		if ( $updateClient instanceof WP_Error ) {
+			WP_Auth0_ErrorManager::insert_auth0_error( 'WP_Auth0_Api_Client::create_client', $updateResponse );
+			error_log( $updateResponse->get_error_message() );
+			return false;
+		}
+
+		return $response;
 	}
 
 	public static function search_clients( $domain, $app_token ) {
@@ -277,7 +323,7 @@ public static function search_clients( $domain, $app_token ) {
 		return json_decode( $response['body'] );
 	}
 
-	public static function update_client( $domain, $app_token, $client_id, $sso ) {
+	public static function update_client( $domain, $app_token, $client_id, $sso, $payload = array() ) {
 
 		$endpoint = "https://$domain/api/v2/clients/$client_id";
 
@@ -289,9 +335,7 @@ public static function update_client( $domain, $app_token, $client_id, $sso ) {
 		$response = wp_remote_post( $endpoint  , array(
 				'method' => 'PATCH',
 				'headers' => $headers,
-				'body' => json_encode( array(
-						'sso' => $sso,
-					) )
+				'body' => json_encode( array_merge(array( 'sso' => boolval($sso)), $payload) )
 			) );
 
 		if ( $response instanceof WP_Error ) {
@@ -740,4 +784,53 @@ public static function update_guardian($domain, $app_token, $factor, $enabled) {
 
 		return json_decode($response['body']);
 	}
-}
+
+  protected function convertCertToPem($cert) {
+      return '-----BEGIN CERTIFICATE-----'.PHP_EOL
+          .chunk_split($cert, 64, PHP_EOL)
+          .'-----END CERTIFICATE-----'.PHP_EOL;
+  }
+
+  public static function JWKfetch($domain) {
+
+	$a0_options = WP_Auth0_Options::Instance();
+
+	$endpoint = "https://$domain/.well-known/jwks.json";
+
+    $cache_expiration = $a0_options->get('cache_expiration');
+
+	if ( false === ($secret = get_transient('WP_Auth0_JWKS_cache') ) ) {
+
+		$secret = [];
+
+		$response = wp_remote_get( $endpoint, array() );
+
+		if ( $response instanceof WP_Error ) {
+			WP_Auth0_ErrorManager::insert_auth0_error( 'WP_Auth0_Api_Client::JWK_fetch', $response );
+			error_log( $response->get_error_message() );
+			return false;
+		}
+
+		if ( $response['response']['code'] != 200 ) {
+			WP_Auth0_ErrorManager::insert_auth0_error( 'WP_Auth0_Api_Client::JWK_fetch', $response['body'] );
+			error_log( $response['body'] );
+			return false;
+		}
+
+		if ( $response['response']['code'] >= 300 ) return false;		
+
+		$jwks = json_decode($response['body'], true);
+
+		foreach ($jwks['keys'] as $key) { 
+			$secret[$key['kid']] = self::convertCertToPem($key['x5c'][0]);
+		}
+
+		if ($cache_expiration !== 0) {
+			set_transient( 'WP_Auth0_JWKS_cache', $secret, $cache_expiration * MINUTE_IN_SECONDS );
+		}
+
+	}
+
+  return $secret;
+  }
+}

lib/WP_Auth0_Configure_JWTAUTH.php

@@ -54,6 +54,9 @@ public function setupjwt() {
 			JWT_AUTH_Options::set( 'aud', $this->a0_options->get( 'client_id' ) );
 			JWT_AUTH_Options::set( 'secret', $this->a0_options->get( 'client_secret' ) );
 			JWT_AUTH_Options::set( 'secret_base64_encoded', $this->a0_options->get( 'client_secret_b64_encoded' ) );
+			JWT_AUTH_Options::set( 'signing_algorithm', $this->a0_options->get( 'client_signing_algorithm' ) );
+			JWT_AUTH_Options::set( 'domain', $this->a0_options->get( 'domain' ) );
+			JWT_AUTH_Options::set( 'cache_expiration', $this->a0_options->get( 'cache_expiration' ) );
 			JWT_AUTH_Options::set( 'override_user_repo', 'WP_Auth0_UsersRepo' );
 			$this->a0_options->set( 'jwt_auth_integration', true );
 		}
@@ -76,6 +79,9 @@ public static function is_jwt_configured() {
 			JWT_AUTH_Options::get( 'aud' ) === $options->get( 'client_id' ) &&
 			JWT_AUTH_Options::get( 'secret' ) === $options->get( 'client_secret' ) &&
 			JWT_AUTH_Options::get( 'secret_base64_encoded' ) === $options->get( 'client_secret_b64_encoded' ) &&
+			JWT_AUTH_Options::get( 'signing_algorithm' ) === $options->get( 'client_signing_algorithm' ) &&
+			JWT_AUTH_Options::get( 'domain' ) === $options->get( 'domain' ) &&
+			JWT_AUTH_Options::get( 'cache_expiration' ) === $options->get( 'cache_expiration' ) &&
 			$options->get( 'jwt_auth_integration' ) &&
 			JWT_AUTH_Options::get( 'jwt_attribute' ) === 'sub'
 		);

lib/WP_Auth0_DBManager.php

@@ -35,28 +35,6 @@ public function install_db() {
 
 		$cdn_url = $options->get( 'cdn_url' );
 
-		if ( strpos( $cdn_url, 'auth0-widget-5' ) !== false || strpos( $cdn_url, 'lock-6' ) !== false ) {
-			$options->set( 'cdn_url', '//cdn.auth0.com/js/lock-9.1.min.js' );
-		}
-		if ( strpos( $cdn_url, 'auth0-widget-5' ) !== false || strpos( $cdn_url, 'lock-8' ) !== false ) {
-			$options->set( 'cdn_url', '//cdn.auth0.com/js/lock-9.1.min.js' );
-		}
-		if ( strpos( $cdn_url, 'auth0-widget-5' ) !== false || strpos( $cdn_url, 'lock-9.0' ) !== false ) {
-			$options->set( 'cdn_url', '//cdn.auth0.com/js/lock-9.1.min.js' );
-		}
-		if ( strpos( $cdn_url, 'auth0-widget-5' ) !== false || strpos( $cdn_url, 'lock-9.1' ) !== false ) {
-			$options->set( 'cdn_url', '//cdn.auth0.com/js/lock-9.2.min.js' );
-		}
-		if ( strpos( $cdn_url, '10.0' ) !== false ) {
-			$options->set( 'cdn_url', '//cdn.auth0.com/js/lock/10.3/lock.min.js' );
-		}
-		if ( strpos( $cdn_url, '10.1' ) !== false ) {
-			$options->set( 'cdn_url', '//cdn.auth0.com/js/lock/10.3/lock.min.js' );
-		}
-		if ( strpos( $cdn_url, '10.2' ) !== false ) {
-			$options->set( 'cdn_url', '//cdn.auth0.com/js/lock/10.3/lock.min.js' );
-		}
-
 		if ( $this->current_db_version <= 7 ) {
 			if ( $options->get( 'db_connection_enabled' ) ) {
 
@@ -141,6 +119,27 @@ public function install_db() {
 		}
 	}
 
+	if ( $this->current_db_version < 15 ) {
+		$options->set('use_lock_10', true);
+		$options->set('cdn_url', '//cdn.auth0.com/js/lock/11.0.0/lock.min.js');
+		$options->set('auth0js-cdn', '//cdn.auth0.com/js/auth0/9.0.0/auth0.min.js');
+		$options->set('cache_expiration', 1440);
+
+		// Update Client
+		$client_id = $options->get( 'client_id' );
+		$domain = $options->get( 'domain' );
+		if (!empty($client_id) && !empty($domain)) {
+			$app_token = $options->get( 'auth0_app_token' );
+			$sso = $options->get( 'sso' );
+			$payload = array(
+				"cross_origin_auth" => true,
+				"cross_origin_loc" => home_url('/index.php?auth0fallback=1','https'),
+				"web_origins" => array(home_url())
+			);
+			$updateClient = WP_Auth0_Api_Client::update_client($domain, $app_token, $client_id, $sso, $payload);
+			$options->set('client_signing_algorithm', 'HS256');
+		}
+	}
 		$this->current_db_version = AUTH0_DB_VERSION;
 		update_option( 'auth0_db_version', AUTH0_DB_VERSION );
 	}

lib/WP_Auth0_Lock10_Options.php

@@ -156,10 +156,6 @@ protected function build_settings( $settings ) {
     if ( $this->_is_valid( $settings, 'username_style' ) ) {
       $options_obj['usernameStyle'] = $settings['username_style'];
     }
-    if ( $this->_is_valid( $settings, 'remember_last_login' ) ) {
-      $options_obj['rememberLastLogin'] = $this->_get_boolean( $settings['remember_last_login'] );
-    }
-
     if ( $this->_is_valid( $settings, 'sso' ) ) {
       $options_obj['auth']['sso'] = $this->_get_boolean( $settings['sso'] );
     }

lib/WP_Auth0_Lock_Options.php

@@ -155,9 +155,6 @@ protected function build_settings( $settings ) {
 		if ( $this->_is_valid( $settings, 'username_style' ) ) {
 			$options_obj['usernameStyle'] = $settings['username_style'];
 		}
-		if ( $this->_is_valid( $settings, 'remember_last_login' ) ) {
-			$options_obj['rememberLastLogin'] = $this->_get_boolean( $settings['remember_last_login'] );
-		}
 		if ( $this->_is_valid( $settings, 'sso' ) ) {
 			$options_obj['sso'] = $this->_get_boolean( $settings['sso'] );
 		}

lib/WP_Auth0_LoginManager.php

@@ -26,7 +26,7 @@ public function init() {
     add_action( 'wp_login', array( $this, 'end_session' ) );
     add_action( 'login_init', array( $this, 'login_auto' ) );
     add_action( 'template_redirect', array( $this, 'init_auth0' ), 1 );
-    add_action( 'wp_footer', array( $this, 'auth0_sso_footer' ) );
+    //add_action( 'wp_footer', array( $this, 'auth0_sso_footer' ) );
     add_action( 'wp_footer', array( $this, 'auth0_singlelogout_footer' ) );
     add_filter( 'login_message', array( $this, 'auth0_sso_footer' ) );
   }
@@ -73,6 +73,7 @@ public function auth0_singlelogout_footer( $previous_html ) {
       return;
     }
 
+    $lock_options = new WP_Auth0_Lock10_Options();
     $cdn = $this->a0_options->get('auth0js-cdn');
     $client_id = $this->a0_options->get( 'client_id' );
     $domain = $this->a0_options->get( 'domain' );
@@ -250,7 +251,7 @@ public function redirect_login() {
       } else {
         try {
           // grab the user ID from the id_token to call get_user
-          $decodedToken = JWT::decode( $data->id_token, $this->a0_options->get_client_secret_as_key(), array( 'HS256' ) );
+          $decodedToken = JWT::decode( $data->id_token, $this->a0_options->get_client_secret_as_key(), array(  $this->a0_options->get_client_signing_algorithm() ) );
         } catch (Exception $e) {
           WP_Auth0_ErrorManager::insert_auth0_error('redirect_login/decode', $e->getMessage());
           throw new WP_Auth0_LoginFlowValidationException(__('Error: There was an issue decoding the token, please review the Auth0 Plugin Error Log.', 'wp-auth0'));
@@ -327,7 +328,7 @@ public function implicit_login() {
 
     try {
       // Decode the user
-      $decodedToken = JWT::decode( $token, $secret, array( 'HS256' ) );
+      $decodedToken = JWT::decode( $token, $secret, array(  $this->a0_options->get_client_signing_algorithm() ) );
 
       // validate that this JWT was made for us
       if ( $this->a0_options->get( 'client_id' ) !== $decodedToken->aud ) {
@@ -523,7 +524,7 @@ public function login_with_credentials( $username, $password, $connection="Usern
 
     try {
       // Decode the user
-      $decodedToken = JWT::decode( $response->id_token, $secret, array( 'HS256' ) );
+      $decodedToken = JWT::decode( $response->id_token, $secret, array(  $this->a0_options->get_client_signing_algorithm() ) );
 
       // validate that this JWT was made for us
       if ( $this->a0_options->get( 'client_id' ) !== $decodedToken->aud ) {
@@ -553,4 +554,4 @@ protected function query_vars( $key ) {
     return null;
   }
 
-}
+}