Universal Logout with Auth0 and WordPress

The Problem

I was using the Login by Auth0 WordPress plugin on two WordPress installations, WP1 and WP2. When a user logs into a WordPress site with Auth0, two sessions are created:

  1. The session in Auth0
  2. The session in WordPress

Since there are two separate WordPress installations, each one gets its own WordPress session at login. Logging out of WP1 ends the Auth0 session and the WP1 session, but Auth0 has no way to notify WP2 that the logout happened unless WP2 asks Auth0. The user therefore stays logged into WP2 until the WP2 session expires on its own.

To work around this, I added a call to checkSession (silent authentication) on WP2: if Auth0 reports login_required, meaning the browser no longer has an Auth0 session, the page logs the user out of their WP2 WordPress session.

var webAuth = new auth0.WebAuth({
  domain: 'REDACTED',
  clientID: 'REDACTED',
  responseType: 'token',
  redirectUri: 'REDACTED'
});

// Silent authentication: asks Auth0 whether this browser still has an
// Auth0 session. err is set when it does not (login_required) or when the
// silent request fails for some other reason.
webAuth.checkSession( {}, function( err, authResult ){
  if( err ){
    console.log( 'From Auth0: ' + JSON.stringify( err ) );
    if( err.original && err.original.error === 'login_required' ){
      // No Auth0 session any more: log the user out of WP2
    }
  }
});
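A fuller version of that check, as an added example that is not the original post's code: the Auth0 client is injected so the logic runs offline against a constructed stand-in, and only login_required is treated as proof that the Auth0 session is gone. Any other silent-authentication failure (a timeout, a network error, consent_required) leaves the WordPress session alone, because ending it on those errors would itself produce spurious logouts. The endWordPressSession helper and its logout URL are assumptions; in a real plugin setup the nonce-bearing logout URL has to come from the server.

```javascript
// Added example (not from the original post): decide whether a checkSession()
// result means "the Auth0 session is gone, end the local WordPress session".
// The Auth0 client is injected so the logic runs without auth0-js; the real
// page would pass `new auth0.WebAuth({...})` instead of the fake below.

// Normalise the error shape auth0-js hands to the checkSession callback.
// Depending on the library version the code is on err.error, err.code or
// err.original.error, so look at all three and never assume `original` exists.
function checkSessionErrorCode(err) {
  if (!err) return null;
  if (typeof err.error === 'string') return err.error;
  if (err.original && typeof err.original.error === 'string') return err.original.error;
  if (typeof err.code === 'string') return err.code;
  return 'unknown';
}

// Only login_required proves there is no Auth0 session. Other silent-auth
// failures (timeout, consent_required, network errors) do not, so they are
// classified as "unknown" and left for a later retry rather than a logout.
function classifyCheckSession(err, authResult) {
  if (!err) {
    return (authResult && authResult.accessToken) ? 'active' : 'unknown';
  }
  return checkSessionErrorCode(err) === 'login_required' ? 'ended' : 'unknown';
}

// Run checkSession and call `endLocalSession` only when the Auth0 session is
// proven to be gone. Resolves to the classification so the call can be
// scheduled (page load, timer) and its outcome inspected.
function syncLocalSession(webAuth, endLocalSession) {
  return new Promise(function (resolve) {
    webAuth.checkSession({}, function (err, authResult) {
      var state = classifyCheckSession(err, authResult);
      if (state === 'ended') {
        endLocalSession();
      }
      resolve(state);
    });
  });
}

// Constructed stand-in for auth0.WebAuth so the example runs offline: it
// answers checkSession with whatever (err, authResult) pair it was built with.
function fakeWebAuth(err, authResult) {
  return {
    checkSession: function (opts, cb) { cb(err, authResult); }
  };
}

// Hypothetical local-logout helper. The URL is an assumption: WordPress's
// wp-login.php?action=logout needs a nonce, so in practice the full URL must
// be handed to the page by the server (e.g. via wp_localize_script).
function endWordPressSession(logoutUrl) {
  if (typeof window !== 'undefined') {
    window.location.assign(logoutUrl);
  }
}

// Usage with a constructed login_required answer, as the post's case.
if (typeof module !== 'undefined' && require.main === module) {
  var noSession = fakeWebAuth({ original: { error: 'login_required' } }, null);
  syncLocalSession(noSession, function () { console.log('would log out of WP2'); })
    .then(function (state) { console.log('state:', state); }); // state: ended
}
```

Wiring it to the real client is a one-line change (`syncLocalSession(webAuth, function () { endWordPressSession(logoutUrl); })`), and because the decision is isolated in classifyCheckSession it can be unit-tested against every error shape the library produces.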

The challenge was that a small subset of users were immediately logged out upon authenticating against Auth0.

The Solution

Thanks to some excellent support from the Auth0 team, they pointed out that certain updates to a user's profile information invalidate the session, which in turn makes silent authentication fail.

Ultimately, an update to the user’s email address caused the immediate logout, but arriving at this conclusion was not straightforward.

WP1 had a custom authentication routine that integrated with a third-party database. After login it updated the user's profile, via a call to wp_update_user, with the email address returned by that database.

However, the Login by Auth0 plugin already updates a user's email address from Auth0's user records. In my case the third-party database allowed mixed-case email addresses, while Auth0 stores email addresses in lowercase. So for any user whose third-party record held a mixed-case address, my wp_update_user call wrote a value that differed from the one the plugin had just synced; that counted as a profile update, which killed the session and made silent authentication fail, and the user was logged out immediately. Users whose address was already lowercase in the third-party database saw no change, so their profile was not updated and they could navigate the site for as long as they had an active Auth0 session.

Removing the call to wp_update_user resolved the issue: the plugin already keeps the email address in sync with Auth0, so updating the profile a second time was redundant.
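The general lesson behind that fix, as an added example written in JavaScript to match the page's snippet rather than the plugin's PHP (it is not the post's code): compute the difference between the stored profile and the incoming record in the identity provider's canonical form before writing anything, so a case-only difference never turns into a profile update. It assumes, as the post states, that Auth0 lowercases the whole address; the sample records are constructed.

```javascript
// Added example (not from the original post): work out whether a profile write
// is actually needed by comparing against the identity provider's canonical form.
// The post's failure mode: the third-party database kept "Jane.Doe@Example.com",
// Auth0 stores "jane.doe@example.com", and writing the mixed-case value counted
// as a profile change that invalidated the session.

// Canonical form as the post describes Auth0 applying it: trimmed, lowercase.
// Assumption: the IdP lowercases the whole address. Some systems lowercase only
// the domain part, so match the rule of the provider you actually use.
function canonicalEmail(email) {
  if (typeof email !== 'string') return null;
  var e = email.trim().toLowerCase();
  return e.length ? e : null;
}

// Naive comparison, which is what an unconditional wp_update_user call amounts
// to: any byte-level difference is treated as a change.
function naiveNeedsUpdate(current, incoming) {
  return current !== incoming;
}

// Fields that must be compared in canonical form; everything else is compared
// verbatim. Extend this map for other IdP-normalised fields (e.g. usernames).
var CANONICALIZERS = { email: canonicalEmail };

// Build the minimal set of fields that truly differ between the stored profile
// and the incoming record. Returns {} when nothing needs writing, so the caller
// can skip the update and with it the session-invalidating side effect.
function profileDelta(stored, incoming) {
  var delta = {};
  Object.keys(incoming).forEach(function (field) {
    var norm = CANONICALIZERS[field] || function (v) { return v; };
    var a = norm(stored[field]);
    var b = norm(incoming[field]);
    if (b !== null && b !== undefined && a !== b) {
      // Write the canonical value so the two systems converge instead of
      // ping-ponging between mixed and lower case on every login.
      delta[field] = b;
    }
  });
  return delta;
}

// Constructed sample data (not real users): what the plugin synced from Auth0
// versus what the third-party database returned for the same person.
var storedFromAuth0 = { email: 'jane.doe@example.com', display_name: 'Jane Doe' };
var fromThirdParty  = { email: 'Jane.Doe@Example.com', display_name: 'Jane Doe' };

// Demonstration: the naive comparison sees a change, the canonical one does not.
function demo() {
  return {
    naive: naiveNeedsUpdate(storedFromAuth0.email, fromThirdParty.email), // true
    delta: profileDelta(storedFromAuth0, fromThirdParty)                  // {}
  };
}
```

In the WordPress routine the equivalent is to call wp_update_user only when the delta is non-empty, and to pass the canonical value when you do; for the post's setup, where the plugin already performs that sync, the delta is always empty and the call can simply go.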