Merge pull request #318 from auth0/changed-token-error

Expand internal login error with hint to disable base 64 encoding

WP_Auth0.php

@@ -2,7 +2,7 @@
 /**
  * Plugin Name: PLUGIN_NAME
  * Description: PLUGIN_DESCRIPTION
- * Version: 3.2.19
+ * Version: 3.2.20
  * Author: Auth0
  * Author URI: https://auth0.com
  */
@@ -11,7 +11,7 @@
 define( 'WPA0_PLUGIN_URL', trailingslashit( plugin_dir_url( __FILE__ ) ) );
 define( 'WPA0_LANG', 'wp-auth0' );
 define( 'AUTH0_DB_VERSION', 13 );
-define( 'WPA0_VERSION', '3.2.19' );
+define( 'WPA0_VERSION', '3.2.20' );
 
 /**
  * Main plugin class
@@ -449,4 +449,4 @@ function get_auth0_curatedBlogName() {
 }
 
 $a0_plugin = new WP_Auth0();
-$a0_plugin->init();
+$a0_plugin->init();

lib/WP_Auth0_LoginManager.php

@@ -237,8 +237,13 @@ public function redirect_login() {
 				$data->id_token = null;
 				$response = WP_Auth0_Api_Client::get_user_info( $domain, $data->access_token );
 			} else {
-				// grab the user ID from the id_token to call get_user
-				$decodedToken = JWT::decode( $data->id_token, $this->a0_options->get_client_secret_as_key(), array( 'HS256' ) );
+				try {
+					// grab the user ID from the id_token to call get_user
+					$decodedToken = JWT::decode( $data->id_token, $this->a0_options->get_client_secret_as_key(), array( 'HS256' ) );
+				} catch (Exception $e) {
+					WP_Auth0_ErrorManager::insert_auth0_error('redirect_login/decode', $e->getMessage());
+					throw new WP_Auth0_LoginFlowValidationException(__('Error: There was an issue decoding the token, please review the Auth0 Plugin Error Log.', WPA0_LANG));
+				}
 
 				// validate that this JWT was made for us
 				if ( $this->a0_options->get( 'client_id' ) !== $decodedToken->aud ) {

lib/php-jwt/Authentication/JWT.php

@@ -75,28 +75,28 @@ public static function decode($jwt, $key = null, $allowed_algs = array())
 
             // Check the signature
             if (!JWT::verify("$headb64.$bodyb64", $sig, $key, $header->alg)) {
-                throw new SignatureInvalidException('Signature verification failed');
+                throw new SignatureInvalidException('Signature verification failed, disabling "Settings \ Basic \ Client Secret Base64 Encoded" may resolve this issue.');
             }
 
             // Check if the nbf if it is defined. This is the time that the
-            // token can actually be used. If it's not yet that time, abort.
-            if (isset($payload->nbf) && $payload->nbf > time()) {
+            // token can actually be used. If it's not yet that time, abort. Small leeway for clock skew.
+            if (isset($payload->nbf) && $payload->nbf > time() + 2) {
                 throw new BeforeValidException(
-                    'Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->nbf)
+                    'Cannot handle token prior to (nbf) ' . date(DateTime::ISO8601, $payload->nbf)
                 );
             }
 
             // Check that this token has been created before 'now'. This prevents
             // using tokens that have been created for later use (and haven't
-            // correctly used the nbf claim).
-            if (isset($payload->iat) && $payload->iat > time()) {
+            // correctly used the nbf claim). Small leeway for clock skew.
+            if (isset($payload->iat) && $payload->iat > time() + 2) {
                 throw new BeforeValidException(
-                    'Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->iat)
+                    'Cannot handle token prior to (iat) ' . date(DateTime::ISO8601, $payload->iat)
                 );
             }
 
-            // Check if this token has expired.
-            if (isset($payload->exp) && time() >= $payload->exp) {
+            // Check if this token has expired. Small leeway for clock skew.
+            if (isset($payload->exp) && time() >= $payload->exp + 2) {
                 throw new ExpiredException('Expired token');
             }
         }