Fixed Client Grant Types during update

CHANGELOG.md

@@ -3,6 +3,8 @@
 ## [3.5.0](https://github.com/auth0/wp-auth0/tree/3.5.0) (2018-01-25)
 [Full Changelog](https://github.com/auth0/wp-auth0/compare/3.4.0...3.5.0)
 
+**Please note:** This is a major update that requires changes to your Auth0 Dashboard to be completed. You can save a new [API token](https://auth0.com/docs/api/management/v2/tokens#get-a-token-manually) in your Basic settings in wp-admin before upgrading and the changes will be made automatically during the update. Otherwise, after upgrading, please review your [Client Advanced Settings](https://auth0.com/docs/cms/wordpress/configuration#client-setup), specifically your Grant Types, and [authorize your Client for the Management API](https://auth0.com/docs/cms/wordpress/configuration#authorize-the-client-for-the-management-api). 
+
 **Changed**
 - updating CDN URLs for Lock and Auth.js [\#365](https://github.com/auth0/wp-auth0/pull/365) ([joshcanhelp](https://github.com/joshcanhelp))
 - Changing home_url() to site_url(), wp_login_url(), and wp_logout_url()  [\#360](https://github.com/auth0/wp-auth0/pull/360) ([joshcanhelp](https://github.com/joshcanhelp))

README.md

@@ -9,6 +9,10 @@ Demo: <http://auth0wp.azurewebsites.net>
 
 Documentation: <https://auth0.com/docs/cms>
 
+## Important note on 3.5.0 and 3.5.1
+
+This is a major update that requires changes to your Auth0 Dashboard to be completed. You can save a new [API token](https://auth0.com/docs/api/management/v2/tokens#get-a-token-manually) in your Basic settings in wp-admin before upgrading and the changes will be made automatically during the update. Otherwise, please review your [Client Advanced Settings](https://auth0.com/docs/cms/wordpress/configuration#client-setup), specifically your Grant Types, and [authorize your Client for the Management API](https://auth0.com/docs/cms/wordpress/configuration#authorize-the-client-for-the-management-api). 
+
 ## Contributions
 
 All PR should be done towards the `dev` branch.

WP_Auth0.php

@@ -2,16 +2,16 @@
 /**
  * Plugin Name: PLUGIN_NAME
  * Description: PLUGIN_DESCRIPTION
- * Version: 3.5.0
+ * Version: 3.5.1
  * Author: Auth0
  * Author URI: https://auth0.com
  */
 define( 'WPA0_PLUGIN_FILE', __FILE__ );
 define( 'WPA0_PLUGIN_DIR', trailingslashit( plugin_dir_path( __FILE__ ) ) );
 define( 'WPA0_PLUGIN_URL', trailingslashit( plugin_dir_url( __FILE__ ) ) );
 define( 'WPA0_LANG', 'wp-auth0' ); // deprecated; do not use for translations
-define( 'AUTH0_DB_VERSION', 16 );
-define( 'WPA0_VERSION', '3.5.0' );
+define( 'AUTH0_DB_VERSION', 17 );
+define( 'WPA0_VERSION', '3.5.1' );
 define( 'WPA0_CACHE_GROUP', 'wp_auth0' );
 
 /**

lib/WP_Auth0_Api_Client.php

@@ -394,6 +394,40 @@ public static function get_required_scopes() {
 		);
 	}
 
+	/**
+	 * Get a single client via the Management API
+	 *
+	 * @see https://auth0.com/docs/api/management/v2#!/Clients/get_clients_by_id
+	 *
+	 * @param string $app_token - an app token for the management API with read:clients scope
+	 * @param string $client_id - a valid client ID in the same tenant as the app token
+	 *
+	 * @return array|bool|mixed|object
+	 */
+	public static function get_client( $app_token, $client_id ) {
+
+		$response = wp_remote_get(
+			self::get_endpoint( '/api/v2/clients/' . urlencode( $client_id ) ),
+			array(
+				'headers' => self::get_headers( $app_token )
+			)
+		);
+
+		if ( $response instanceof WP_Error ) {
+			WP_Auth0_ErrorManager::insert_auth0_error( __METHOD__, $response );
+			error_log( $response->get_error_message() );
+			return false;
+		}
+
+		if ( $response['response']['code'] != 200 ) {
+			WP_Auth0_ErrorManager::insert_auth0_error( __METHOD__, $response['body'] );
+			error_log( $response['body'] );
+			return false;
+		}
+
+		return json_decode( $response['body'] );
+	}
+
 	public static function create_client( $domain, $app_token, $name ) {
 
 		$endpoint = "https://$domain/api/v2/clients";
@@ -419,6 +453,7 @@ public static function create_client( $domain, $app_token, $name ) {
 							"alg" => "RS256"
 						),
 						"app_type" => "regular_web",
+						"grant_types" => self::get_client_grant_types(),
 						"cross_origin_auth" => true,
 						"cross_origin_loc" => site_url('index.php?auth0fallback=1','https'),
 						"allowed_logout_urls" => array( wp_logout_url() ),
@@ -610,13 +645,14 @@ public static function create_client_grant( $app_token, $client_id ) {
 			WP_Auth0_ErrorManager::insert_auth0_error(
 				__METHOD__,
 				sprintf(
-					__( 'A client grant for %s to %s has already been created. Make sure this grant at least includes %s.', 'wp-auth0' ),
+					__( 'A client grant for %s to %s already exists. Make sure this grant at least includes %s.', 'wp-auth0' ),
 					self::get_connect_info( 'client_id' ),
 					self::get_connect_info( 'audience' ),
 					implode( ', ', self::get_required_scopes() )
 				)
 			);
-			return true;
+
+			return json_decode( $response['body'] );
 
 		} else if ( $response['response']['code'] != 201 ) {
 
@@ -625,6 +661,11 @@ public static function create_client_grant( $app_token, $client_id ) {
 			return false;
 		}
 
+		WP_Auth0_ErrorManager::insert_auth0_error(
+			__METHOD__,
+			'Client Grant has been successfully created!'
+		);
+
 		return json_decode( $response['body'] );
 	}
 
@@ -1045,5 +1086,20 @@ public static function JWKfetch($domain) {
 	}
 
   return $secret;
+  }
+
+	/**
+	 * Return the grant types needed for new clients
+	 *
+	 * @return array
+	 */
+  public static function get_client_grant_types() {
+
+		return array(
+			'authorization_code',
+			'implicit',
+			'refresh_token',
+			'client_credentials',
+		);
   }
 }

lib/WP_Auth0_DBManager.php

@@ -18,6 +18,7 @@ public function init() {
 		add_action( 'plugins_loaded', array( $this, 'check_update' ) );
 		add_action( 'admin_notices', array( $this, 'notice_failed_client_grant' ) );
 		add_action( 'admin_notices', array( $this, 'notice_successful_client_grant' ) );
+		add_action( 'admin_notices', array( $this, 'notice_successful_grant_types' ) );
 	}
 
 	public function check_update() {
@@ -153,6 +154,25 @@ public function install_db( $version_to_install = null, $app_token = '' ) {
 			}
 		}
 
+		// App token needed for following updates
+
+		$decoded_token = null;
+		if ( ! empty( $app_token ) ) {
+
+			$token_parts = explode( '.', $app_token );
+
+			try {
+				$header = json_decode( JWT::urlsafeB64Decode( $token_parts[0] ) );
+				$decoded_token = JWT::decode(
+					$app_token,
+					$options->convert_client_secret_to_key( $client_secret, FALSE, 'RS256' === $header->alg, $domain ),
+					array( $header->alg )
+				);
+			} catch ( Exception $e ) {
+				WP_Auth0_ErrorManager::insert_auth0_error( __METHOD__, $e->getMessage() );
+			}
+		}
+
 		// 3.5.0
 
 		if ( ( $this->current_db_version < 16 && 0 !== $this->current_db_version ) || 16 === $version_to_install ) {
@@ -174,61 +194,95 @@ public function install_db( $version_to_install = null, $app_token = '' ) {
 			// Update app type and client grant
 
 			$client_grant_created = FALSE;
+			if ( $decoded_token ) {
 
-			// Need a valid app token to update audience and client grant
-			if ( ! empty( $app_token ) ) {
+				$payload = array(
+					'app_type' => 'regular_web',
+					'callbacks' => array(
+						site_url( 'index.php?auth0=1' ),
+						wp_login_url()
+					),
+
+					// Duplicate of DB version 15 upgrade to account for site_url() changes
+					'cross_origin_auth' => true,
+					'cross_origin_loc' => site_url('index.php?auth0fallback=1','https'),
+					'web_origins' => ( home_url() === site_url() ? array( home_url() ) : array( home_url(), site_url() ) ),
+				);
 
-				$decoded_token = null;
-				$token_parts = explode( '.', $app_token );
+				// Update the WP-created client
+				$client_updated = WP_Auth0_Api_Client::update_client( $domain, $app_token, $client_id, $sso, $payload );
 
-				try {
-					$header = json_decode( JWT::urlsafeB64Decode( $token_parts[0] ) );
-					$decoded_token = JWT::decode(
-						$app_token,
-						$options->convert_client_secret_to_key( $client_secret, FALSE, 'RS256' === $header->alg, $domain ),
-						array( $header->alg )
-					);
-				} catch ( Exception $e ) {
-					WP_Auth0_ErrorManager::insert_auth0_error( __METHOD__, $e->getMessage() );
+				// Create the client grant to the management API for the WP app client
+				if ( $client_updated ) {
+					$client_grant_created = WP_Auth0_Api_Client::create_client_grant( $app_token, $client_id );
 				}
+			}
+
+			if ( $client_grant_created ) {
+				delete_option( 'wp_auth0_client_grant_failed' );
+				update_option( 'wp_auth0_client_grant_success', 1 );
+			} else {
+				WP_Auth0_ErrorManager::insert_auth0_error( __METHOD__, sprintf(
+					__( 'Unable to automatically create Client Grant. Please go to your Auth0 Dashboard '
+					    . 'and authorize your Client %s for management API scopes %s.',
+						'wp-auth0' ),
+					$options->get( 'client_id' ),
+					implode( ', ', WP_Auth0_Api_Client::get_required_scopes() )
+				) );
+				update_option( 'wp_auth0_client_grant_failed', 1 );
+			}
+		}
+
+		// 3.5.1
+
+		if ( ( $this->current_db_version < 17 && 0 !== $this->current_db_version ) || 17 === $version_to_install ) {
 
-				if ( $decoded_token ) {
+			$grant_types_updated = FALSE;
+			$payload = array();
 
-					$payload = array(
-						'app_type' => 'regular_web',
-						'callbacks' => array(
-							site_url( 'index.php?auth0=1' ),
-							wp_login_url()
-						),
+			// Need a valid app token to update audience and client grant
+			if ( $decoded_token ) {
+
+				$get_client_resp = WP_Auth0_Api_Client::get_client( $app_token, $client_id );
+
+				if ( $get_client_resp ) {
+
+					if ( is_array( $get_client_resp->grant_types ) ) {
 
-						// Duplicate of DB version 15 upgrade to account for site_url() changes
-						'cross_origin_auth' => true,
-						'cross_origin_loc' => site_url('index.php?auth0fallback=1','https'),
-						'web_origins' => ( home_url() === site_url() ? array( home_url() ) : array( home_url(), site_url() ) )
-					);
+						if ( FALSE === array_search( 'client_credentials', $get_client_resp->grant_types ) ) {
+							$payload[ 'grant_types' ] = $get_client_resp->grant_types;
+							$payload[ 'grant_types' ][] = 'client_credentials';
+						} else {
+							$grant_types_updated = TRUE;
+						}
 
-					// Update the WP-created client
-					$client_updated = WP_Auth0_Api_Client::update_client( $domain, $app_token, $client_id, $sso, $payload );
+					} else {
 
-					// Create the client grant to the management API for the WP app client
-					if ( $client_updated ) {
-						$client_grant_created = WP_Auth0_Api_Client::create_client_grant( $app_token, $client_id );
+						$payload[ 'grant_types' ] = WP_Auth0_Api_Client::get_client_grant_types();
+					}
+
+					if ( ! empty( $payload ) ) {
+						$client_updated = WP_Auth0_Api_Client::update_client( $domain, $app_token, $client_id, $sso, $payload );
+						$grant_types_updated = ! empty( $client_updated );
 					}
 				}
 			}
 
-			if ( $client_grant_created ) {
-				delete_option( 'wp_auth0_client_grant_failed' );
-				update_option( 'wp_auth0_client_grant_success', 1 );
+			if ( $grant_types_updated ) {
+				delete_option( 'wp_auth0_grant_types_failed' );
+				update_option( 'wp_auth0_grant_types_success', 1 );
+				WP_Auth0_ErrorManager::insert_auth0_error(
+					__METHOD__,
+					'Client Grant Types have been successfully updated!'
+				);
 			} else {
 				WP_Auth0_ErrorManager::insert_auth0_error( __METHOD__, sprintf(
-					__( 'Unable to automatically create client grant. Please go to your Auth0 Dashboard '
-					    . 'and authorize your client %s for management API scopes %s.',
+					__( 'Unable to automatically update Client Grant Type. Please go to your Auth0 Dashboard '
+					    . 'and add Client Credentials to your Client settings > Advanced > Grant Types for ID %s ',
 						'wp-auth0' ),
-					$options->get( 'client_id' ),
-					implode( ', ', WP_Auth0_Api_Client::get_required_scopes() )
+					$options->get( 'client_id' )
 				) );
-				update_option( 'wp_auth0_client_grant_failed', 1 );
+				update_option( 'wp_auth0_grant_types_failed', 1 );
 			}
 		}
 
@@ -244,10 +298,14 @@ public function install_db( $version_to_install = null, $app_token = '' ) {
 	 */
 	public function notice_failed_client_grant() {
 
-		if ( get_option( 'wp_auth0_client_grant_failed' ) && current_user_can( 'update_plugins' ) ) {
+		if (
+			( get_option( 'wp_auth0_client_grant_failed' ) || get_option( 'wp_auth0_grant_types_failed' ) )
+			&& current_user_can( 'update_plugins' )
+		) {
 
 			if ( WP_Auth0_Api_Client::get_client_token() ) {
 				delete_option( 'wp_auth0_client_grant_failed' );
+				delete_option( 'wp_auth0_grant_types_failed' );
 			} else {
 				?>
 				<div class="notice notice-error">
@@ -264,10 +322,15 @@ public function notice_failed_client_grant() {
 						<?php _e( 'and save it in the Auth0 > Settings > Basic tab > API Token field.', 'wp-auth0' ) ?>
 						<?php _e( 'This will run the update process again.', 'wp-auth0' ) ?></p>
 					<p><strong>2.</strong>
+						<a href="https://auth0.com/docs/cms/wordpress/configuration#client-setup"
+						   target="_blank"><?php
+							_e( 'Review your Client advanced settings', 'wp-auth0' ) ?></a>,
+						<?php _e( 'specifically the Grant Types, and ', 'wp-auth0' ) ?>
 						<a href="https://auth0.com/docs/cms/wordpress/configuration#authorize-the-client-for-the-management-api"
 						   target="_blank"><?php
-							_e( 'Follow the configuration steps here', 'wp-auth0' ) ?></a>
-						<?php _e( 'to manually complete the setup.', 'wp-auth0' ) ?></p>
+							_e( 'authorize your client for the Management API', 'wp-auth0' ) ?></a>
+						<?php _e( 'to manually complete the setup.', 'wp-auth0' ) ?>
+					</p>
 					<p><?php _e( 'This banner will disappear once the process is complete.', 'wp-auth0' ) ?></p>
 				</div>
 				<?php
@@ -281,22 +344,40 @@ public function notice_failed_client_grant() {
 	 */
 	public function notice_successful_client_grant() {
 
-		if ( ! get_option( 'wp_auth0_client_grant_success' ) ) {
+		if ( ! get_option( 'wp_auth0_client_grant_success' )) {
 			return;
 		}
 		?>
 		<div class="notice notice-success">
 			<p><?php
-				_e( 'As a part of this upgrade, a client grant was created for the Auth0 Management API.', 'wp-auth0' );
+				_e( 'As a part of this upgrade, a Client Grant was created for the Auth0 Management API.', 'wp-auth0' );
 				?><br><?php
-				_e( 'Please check the plugin error log for any additional instructions to complete the upgrade. ', 'wp-auth0' );
+				_e( 'Please check the plugin error log for any additional instructions to complete the upgrade.', 'wp-auth0' );
 			?><br><a href="<?php echo admin_url( 'admin.php?page=wpa0-errors' ) ?>">
 					<strong><?php _e( 'Error Log', 'wp-auth0' ); ?></strong></a></p>
 		</div>
 		<?php
 		delete_option( 'wp_auth0_client_grant_success' );
 	}
 
+	/**
+	 * Display a banner once after 3.5.1 upgrade
+	 * Hooked to admin_notices in $this->init()
+	 */
+	public function notice_successful_grant_types() {
+
+		if ( ! get_option( 'wp_auth0_grant_types_success' ) ) {
+			return;
+		}
+		?>
+		<div class="notice notice-success">
+			<p><?php
+				_e( 'As a part of this upgrade, your Client Grant Types have been updated, if needed.', 'wp-auth0' ); ?></p>
+		</div>
+		<?php
+		delete_option( 'wp_auth0_grant_types_success' );
+	}
+
 	protected function migrate_users_data() {
 		global $wpdb;