Sign in with OTP MFA doesn't work unless "Remember this browser" is enabled

[freddyheppell]

Description

If I sign into an account with OTP MFA (i.e. Google Authenticator) enabled but don't check the "Remember this browser" box, the sign in is succesful and I am shown the WP dashboard, but then am immediately redirected to a specific post on my website signed out.

I can't see why it's this post specifically - there's no special significance to it. This also happens when my session has expired and I try to access the dashboard. The page I'm redirected to used to be the first post but has now changed consistently to the 3rd post.

Prerequisites

• Have you read Auth0's general contribution guidelines?
• Have you read Auth0's code of conduct guidelines
• Did you check the documentation?
• Did you check the Auth0 Community?
• Did you check the WP.org Support Forum?
• Are there any related or duplicate Issues or PRs in this repo?

Environment

Please provide the following:

• WP-Auth0 version: 3.9.0
• WordPress version: 5.1.1
• PHP version: 7.2.15-0ubuntu0.18.04.2
• Browser version, if applicable: Firefox 66.0.2
• Additional active plugins that might be relevant: No plugins that affect authentication

Reproduction

1. Visit /wp-admin/ whilst not signed in to be redirected to login page
2. Sign in with a user with OTP MFA enabled
3. Complete MFA but do not tick "Remember this browser"

Please include:

• Plugin settings JSON export (redact/remove sensitive information)

{"domain":"bnhs.eu.auth0.com","custom_domain":"","client_id":"REDACTED","client_secret":"REDACTED","client_signing_algorithm":"RS256","cache_expiration":1440,"auth0_app_token":"  REDACTED (incidentally this field has some spaces before the original data)","password_policy":"good","sso":"1","singlelogout":"1","auto_login":"1","auto_login_method":"DB-Basildon-Natural-History-Society","mfa":"1","fullcontact_apikey":"","geo_rule":"1","override_wp_avatars":"1","icon_url":"https:\/\/bnhs.net\/wp-content\/uploads\/2018\/07\/Leaf-Logo@2x.png","form_title":"Sign In","custom_css":"","custom_js":"","username_style":"","primary_color":"","language":"","language_dictionary":"","requires_verified_email":1,"skip_strategies":"","remember_users_session":true,"default_login_redirection":"https:\/\/bnhs.net\/wp-admin\/","lock_connections":"","force_https_callback":"1","cdn_url":"https:\/\/cdn.auth0.com\/js\/lock\/11.5\/lock.min.js","link_auth0_users":"1","auto_provisioning":"1","migration_ips":"","valid_proxy_ip":"","extra_conf":"","custom_signup_fields":"","auth0_server_domain":"auth0.auth0.com","wordpress_login_enabled":0,"allow_signup":0,"client_secret_b64_encoded":false,"income_rule":null,"fullcontact":null,"social_big_buttons":0,"gravatar":0,"passwordless_enabled":false,"jwt_auth_integration":0,"auth0_implicit_workflow":0,"social_twitter_key":"","social_twitter_secret":"","social_facebook_key":"","social_facebook_secret":"","migration_ips_filter":0,"migration_ws":0,"migration_token":"REDACTED"}

[joshcanhelp]

@freddyheppell - Sorry for the trouble here. Do you have "Single Logout" turned on in the Features tab of the plugin settings? If so, turn that off and you should be fine. That feature will be changing a bit in the next version but, currently, it checks for an Auth0 session and kicks you out of WordPress if one is not found.

Thank you for the detailed report here!

[freddyheppell]

That's fixed it, thank you!