Login by Auth0 plugin support thread: Role Based Login Restriction

  • Resolved medyapin

    (@medyapin)


    Hi,

    We have a WordPress landing page where the Auth0 WordPress plugin is installed.
    We also have another PHP site, for which we created an application in Auth0, and we log in to that second website with SAML 2.0.
    The WordPress application and the other site's application are two different applications in the Auth0 dashboard.
    Here is the question:
    We want to get user roles from WordPress and allow only the subscriber user role to log in to the second application. How can I do that?

    Kind Regards.

Viewing 6 replies - 1 through 6 (of 6 total)
    We did this via the Auth0 Management API

    We created some basic wp functions that do simple things

    1. Get token
    2. Get Auth0 user and meta
    3. Set Auth0 meta

    Then you use wp hooks to set the roles in Auth0. Eg. On register, login, etc

    In your second site you just need a similar “get token -> get app_metadata” to check for the appropriate roles you set to determine if they are allowed

    We used SSO so that the sessions were aligned

    Hope that helps

    Rob
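
As an added illustration of the get-token / set-metadata / check-metadata flow Rob describes (example code written for this page, not code from the plugin or from Rob's post): the WordPress side pushes the user's roles into Auth0 app_metadata through the Management API whenever WordPress changes them, and the second application reads that metadata to decide whether the login is allowed. Assumptions: the constants AUTH0_DOMAIN, AUTH0_M2M_CLIENT_ID and AUTH0_M2M_CLIENT_SECRET belong to a machine-to-machine application authorized for the Management API with the read:users and update:users_app_metadata scopes; the Auth0 user ID is available in usermeta under a prefixed auth0_id key (check your install); and all example_* function names are hypothetical.

```php
<?php
// Added example, not part of the Login by Auth0 plugin. Assumes these are set
// in wp-config.php for a machine-to-machine application authorized for the
// Management API with the read:users and update:users_app_metadata scopes:
//   define( 'AUTH0_DOMAIN', 'tenant.auth0.com' );
//   define( 'AUTH0_M2M_CLIENT_ID', '...' );
//   define( 'AUTH0_M2M_CLIENT_SECRET', '...' );

// Step 1: get a Management API token with a client credentials grant. Cached
// in a transient so the hooks below do not call /oauth/token on every request.
function example_auth0_mgmt_token() {
    $cached = get_transient( 'example_auth0_mgmt_token' );
    if ( $cached ) {
        return $cached;
    }
    $resp = wp_remote_post( 'https://' . AUTH0_DOMAIN . '/oauth/token', array(
        'timeout' => 10,
        'headers' => array( 'Content-Type' => 'application/json' ),
        'body'    => wp_json_encode( array(
            'grant_type'    => 'client_credentials',
            'client_id'     => AUTH0_M2M_CLIENT_ID,
            'client_secret' => AUTH0_M2M_CLIENT_SECRET,
            'audience'      => 'https://' . AUTH0_DOMAIN . '/api/v2/',
        ) ),
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return null;
    }
    $body = json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( empty( $body['access_token'] ) ) {
        return null;
    }
    // Drop the cached copy a minute before Auth0 expires the token itself.
    $ttl = isset( $body['expires_in'] ) ? (int) $body['expires_in'] - 60 : 600;
    set_transient( 'example_auth0_mgmt_token', $body['access_token'], max( 60, $ttl ) );
    return $body['access_token'];
}

// Steps 2 and 3: copy the WP user's roles into app_metadata. Unlike
// user_metadata, app_metadata cannot be changed by the end user, so the
// second application can treat it as the authoritative role source.
function example_auth0_sync_roles( $user_id ) {
    global $wpdb;
    $user = get_userdata( $user_id );
    // Assumption: the Auth0 user ID ("auth0|...") is stored in usermeta under
    // a table-prefixed key; adjust the key to what your install uses.
    $auth0_id = get_user_meta( $user_id, $wpdb->prefix . 'auth0_id', true );
    $token    = example_auth0_mgmt_token();
    if ( ! $user || ! $auth0_id || ! $token ) {
        return false;
    }
    $resp = wp_remote_request(
        'https://' . AUTH0_DOMAIN . '/api/v2/users/' . rawurlencode( $auth0_id ),
        array(
            'method'  => 'PATCH',
            'timeout' => 10,
            'headers' => array(
                'Authorization' => 'Bearer ' . $token,
                'Content-Type'  => 'application/json',
            ),
            'body'    => wp_json_encode( array(
                'app_metadata' => array( 'wp_roles' => array_values( $user->roles ) ),
            ) ),
        )
    );
    return ! is_wp_error( $resp ) && 200 === wp_remote_retrieve_response_code( $resp );
}

// Fire on the WP events Rob mentions: registration, role changes, login.
add_action( 'user_register', 'example_auth0_sync_roles' );
add_action( 'set_user_role', 'example_auth0_sync_roles' );
add_action( 'wp_login', function ( $user_login, $user ) {
    example_auth0_sync_roles( $user->ID );
}, 10, 2 );

// Second application: the decision is a pure function of app_metadata so it
// can be unit-tested without any HTTP; the fetch wraps it and fails closed.
function example_auth0_role_allowed( array $app_metadata, array $allowed_roles ) {
    $roles = ( isset( $app_metadata['wp_roles'] ) && is_array( $app_metadata['wp_roles'] ) )
        ? $app_metadata['wp_roles'] : array();
    return count( array_intersect( $roles, $allowed_roles ) ) > 0;
}

function example_auth0_user_may_login( $auth0_id, $token, array $allowed_roles = array( 'subscriber' ) ) {
    $resp = wp_remote_get(
        'https://' . AUTH0_DOMAIN . '/api/v2/users/' . rawurlencode( $auth0_id ) . '?fields=app_metadata',
        array( 'timeout' => 10, 'headers' => array( 'Authorization' => 'Bearer ' . $token ) )
    );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return false; // no metadata, no login
    }
    $body = json_decode( wp_remote_retrieve_body( $resp ), true );
    $meta = isset( $body['app_metadata'] ) && is_array( $body['app_metadata'] ) ? $body['app_metadata'] : array();
    return example_auth0_role_allowed( $meta, $allowed_roles );
}
```

The second site in the question is plain PHP rather than WordPress, so there you would replace the wp_remote_* helpers with curl and look up the Auth0 user ID from the SAML NameID; the role decision itself (example_auth0_role_allowed) does not change. Two practical checks: the machine-to-machine application should carry only the two scopes named above, not the full Management API, and the allow check should fail closed (deny when the lookup fails), as written.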

    Plugin Contributor Josh C

    (@auth0josh)

    Thanks for the assist here @rgorrie! Just to chime in here … there is a class you can use to get user data:

    https://github.com/auth0/wp-auth0/blob/master/lib/api/WP_Auth0_Api_Get_User.php

    That happens automatically when a user logs in and is stored in the WP usermeta if you’re not using Implicit login. You can see how that’s used here:

    https://github.com/auth0/wp-auth0/blob/master/lib/WP_Auth0_LoginManager.php#L241

    That handles the token part as well so pretty simple to use. The user can be updated by following the pattern here:

    https://github.com/auth0/wp-auth0/blob/master/lib/api/WP_Auth0_Api_Change_Email.php

    … which is used here:

    https://github.com/auth0/wp-auth0/blob/master/lib/profile/WP_Auth0_Profile_Change_Email.php#L89

    Let me know if you have any other questions!

    So this actually brings up a question for me!

    We have extended login (14 days) AND we want control to be able to disable accounts immediately. From what we’ve experienced the wp Auth0 object only refreshes every 24 hours and wp thinks the user is ok based on its internal checks as no “login” happens.

    So we developed routines to do refreshes at the start of each session. Does auth0 already do this (refresh token every session start) and we wasted our time? It doesn’t seem like it but happy to be proven wrong

    Also, to be clear, beyond SSO we needed to transfer data from machine to machine so part of the above is related to management api

    Thanks

    Thread Starter medyapin

    (@medyapin)

    Hi Josh, thank you for clear answer.

    Hey @auth0josh

    Wanted to bump this thread. What IS the best way to ensure multiple systems stay synced to Auth0 in real time?

    We have 3 different platforms: WP, an SPA, etc that use Auth0 as the “keeper of truth” for all app/user data and each system can update user info and meta as they require. This is currently done via the Management API

    Problem is, if one system updates a user, the other 2 systems become out of sync for a while because they are still running the same session post-login

    So what’s the best approach?

    1. Is there an easy way in WP or other systems to “flush” the token/object for a user so it refreshes and syncs the metadata?
    2. We’ve seen the get_auth0userinfo( $user_id ); Is there a set_auth0userinfo() or do we have to use the examples you gave earlier to write everything custom? Specifically looking at app/user metadata.
    3. Should/can auth0 push new tokens/app_meta via hooks on change?
    4. Other

    Just trying to wrap our heads around the best approach as we started using Auth0 on one platform and the other 2 got layered in later. It’d be nice if there was a simple way to “refresh” a user as needed from a single point of control

    Plugin Contributor Josh C

    (@auth0josh)

    @rgorrie

    Does auth0 already do this (refresh token every session start) and we wasted our time? … beyond SSO we needed to transfer data from machine to machine so part of the above is related to management api

    So … there are a couple of things going on here. The access token for the Management API is only for the WordPress site itself to access users, it does not indicate validity for the user’s session with WordPress. The site should always have access to the Management API and be able to get a new token whenever it needs one (using the client ID and client secret in a client credentials grant).

    The user’s session is handled first with WordPress (either 2 days or 14, depending on whether the “remember me” setting is turned on), then with Auth0 (checked when the WP session expires). The access token that’s issued on login is only for the /userinfo endpoint, the session length that you would want to check is when the ID token expires (this is a setting we’re considering as part of the plugin). The WP session would be set to that expiration (modified in your Application settings at Auth0) and then re-authentication would happen once that expires. Again, that’s not currently part of the plugin.

    If you want to block a user immediately, you need to block them in Auth0 (stops them from logging in) and somehow end the session in WordPress. I found a few good examples for the WP piece of that here:

    https://wordpress.stackexchange.com/questions/123902/ban-a-user-and-end-their-session

    What IS the best way to ensure multiple systems stay sync’d to Auth0 in real time?

    This is a tough problem but having everything centralized on Auth0 will help. The best way to do this is to use all of the session checking on WP to trigger re-authentication on a regular basis (see above). There is definitely a balance here, though, between a good user experience (not making an HTTP call for every action, not requiring re-authentication too often) and security.

    Probably the simplest way to do this is to set a lower session time in WordPress using a filter:

    https://developer.wordpress.org/reference/hooks/auth_cookie_expiration/

    If you set that to, say, 6 hours, the user will need to re-authenticate every 6 hours, which will refresh their stored metadata.

    Is there an easy way in WP or other systems to “flush” the token/object for a user so it refreshes and syncs the metadata?

    Flushing the metadata will not log the user out. Just getting that metadata via API does not indicate whether the session should be invalidated or not.

    We’ve seen the get_auth0userinfo( $user_id ); Is there a set_auth0userinfo() or do we have to use the examples you gave earlier to write everything custom?

    That just gets what is stored in the DB, not API.

    Should/can auth0 push new tokens/app_meta via hooks on change?

    I’m not sure I’m clear on this question.

    Hope that all helps a bit. If you still need guidance, go ahead and open another thread here or on our Community:

    https://community.auth0.com/tags/wordpress
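
Two concrete pieces of the answer above, as added example code (written for this page, not the plugin's own): the auth_cookie_expiration filter that forces re-authentication, and with it a metadata refresh, every 6 hours, and a block-and-terminate routine that sets blocked: true on the Auth0 user through the Management API and then destroys every WordPress session token for that user. Assumptions: an AUTH0_DOMAIN constant, that the caller already holds a Management API access token from a client credentials grant (obtaining one is the same step as on any Management API call and is not repeated here), and that the example_* function name is hypothetical.

```php
<?php
// Added example, not part of the Login by Auth0 plugin.
// Assumes define( 'AUTH0_DOMAIN', 'tenant.auth0.com' ) and that $mgmt_token is
// a Management API access token obtained with a client credentials grant.

// 1. Shorter WP session. The auth cookie now expires after 6 hours whether or
// not "remember me" was ticked, so the user goes back through Auth0 and the
// profile/app_metadata stored in usermeta is refreshed at least that often.
add_filter( 'auth_cookie_expiration', function ( $expiration, $user_id, $remember ) {
    return 6 * HOUR_IN_SECONDS;
}, 10, 3 );

// 2. Immediate lock-out: block the account in Auth0 (no new logins on any
// application) and invalidate every existing WordPress session for the user.
function example_auth0_block_and_terminate( $wp_user_id, $auth0_user_id, $mgmt_token ) {
    $resp = wp_remote_request(
        'https://' . AUTH0_DOMAIN . '/api/v2/users/' . rawurlencode( $auth0_user_id ),
        array(
            'method'  => 'PATCH',
            'timeout' => 10,
            'headers' => array(
                'Authorization' => 'Bearer ' . $mgmt_token,
                'Content-Type'  => 'application/json',
            ),
            'body'    => wp_json_encode( array( 'blocked' => true ) ),
        )
    );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        // Do not bother killing WP sessions if the Auth0 block failed: the user
        // would simply log back in through Auth0 and the "block" would be cosmetic.
        return false;
    }
    // destroy_all() drops the session tokens for every browser and device,
    // not only the session that happens to be making this request.
    WP_Session_Tokens::get_instance( $wp_user_id )->destroy_all();
    return true;
}

// Usage from an admin action, once you have the WP user ID, the Auth0 user ID
// (e.g. "auth0|5f1...") and a Management API token:
//   example_auth0_block_and_terminate( 42, 'auth0|5f1...', $mgmt_token );
```

The order matters: block at Auth0 first, then end the local session, so that a user whose WordPress cookie is gone cannot simply authenticate again. Shortening the WordPress cookie only controls how often WordPress sends the user back to Auth0; it does not by itself end any Auth0-side session, which is why the block must be applied at Auth0 as well.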

The topic ‘Role Based Login Restriction’ is closed to new replies.