4.3.1

Full Changelog

Fixed

• Update client configuration url for embedded logins #832 (evansims)

4.3.0

Full Changelog

Added

• Add support for Auth0 Organizations #827 (evansims)

4.2.0

Full Changelog

Added

• Support installations using WPackgist #819 (evansims)

Changed

• Initial support for PHP 8.0 #814 (evansims)
• Pass user info to auth0_before_login hook #817 (nicecatch)
• Add filters on user queries #812 (tharsheblows)
• Introduce static code analysis #813 (szepeviktor)

Fixed

• Fix enqueued scripts #816 (szepeviktor)

4.1.1

Full Changelog

Fixed

• Raise priority of authentication processing #803 (joshcanhelp)
• Fix potential infinite loop on email update #802 (joshcanhelp)

4.1.0

Full Changelog

Closed issues

• With a custom domain, JWKs aren't being fetched from the correct domain #790

Changed

• Load ourselves with Composer autoloader #787 (szepeviktor)

Fixed

• Fix incorrect function in uninstall hook #795 (joshcanhelp)
• Align the client ID and redirect URI used in the setup wizard #794 (joshcanhelp)
• Fix custom domain not being used in JWKS #792 (joshcanhelp)
• Pass shortcode atts to the handler #789 (drobin03)
• PHPStan Level 2 fixes #785 (szepeviktor)

4.0.0

Full Changelog

This is a major release with breaking changes!

In addition to the minimum PHP version being updated from 5.3 to 7.0, there are many breaking removals and changes that are covered in the migration guide included in this release.

Closed issues

• pt-BR language is not being installed #760
• Authorization Extension, groups, roles not showing up #701
• Using the auth0 word in the URL path triggers an authorization code exchange #351

Added

• PHPCS security scan, sanitization and escaping improvements, and removed custom admin styling (see commits for details)
• Add settings validation to import #777 (joshcanhelp)
• Add ability to break cache if RS256 ID token kid is not found #770 (joshcanhelp)
• Remove error_log calls and add auth0_insert_error action #763 (joshcanhelp)
• Get new access token via refresh token API #730 (albeja)
• feature/Adding Brazilian Portuguese translations #729 (niugait)
• Add wpa0_user_data filter before creating WP_User #717 (horike37)
• Add check for GET and POST globals for state validation #707 (joshcanhelp)

Changed

• Update Spanish and BR Portuguese translations #780 (joshcanhelp)
• Merge in 3.11.2 and 3.11.3 #779 (joshcanhelp)
• Update Embedded settings validation and defaults #776 (joshcanhelp)
• Update Basic settings validation and defaults #775 (joshcanhelp)
• Update Feature settings validation and defaults #774 (joshcanhelp)
• Update Advanced settings validation and defaults #773 (joshcanhelp)
• Change all redirects to wp_safe_redirect #771 (joshcanhelp)
• Remove deprecated from WP_Auth0_InitialSetup #754 (joshcanhelp)
• Remove deprecated from errorlog #753 (joshcanhelp)
• Move actions from methods to functions for profile delete and change email #751 (joshcanhelp)
• Remove deprecated from User and Change Password #750 (joshcanhelp)
• Remove deprecated from email verification #749 (joshcanhelp)
• Remove deprecated from admin #748 (joshcanhelp)
• Move WP_Auth0_Routes initialize method to function #745 (joshcanhelp)
• Merge WP_Auth0_Options_Generic into WP_Auth0_Options #741 (joshcanhelp)
• Rename Lock option class and remove deprecated #739 (joshcanhelp)
• Improve OIDC Compliance #734 (joshcanhelp)
• Update minimum PHP to 7.0 and WP to 4.9 #732 (joshcanhelp)
• Update auth params method to add filters #716 (joshcanhelp)
• Move WooCommerce hooks to global functions and remove init method #705 (joshcanhelp)
• Bump PHP version to 5.6; auto-adjust array syntax #696 (joshcanhelp)

Removed

• Remove migration JWT JTI check #778 (joshcanhelp)
• Remove custom signup fields setting #765 (joshcanhelp)
• Remove Bootstrap, fonts, and descriptions from admin pages #764 (joshcanhelp)
• Remove connection deactivation on setup #762 (joshcanhelp)
• Remove future iat check #757 (joshcanhelp)
• Remove class WP-Auth0 and move methods to functions #756 (joshcanhelp)
• Remove deprecated from import settings #752 (joshcanhelp)
• Remove user export functionality #747 (joshcanhelp)
• Remove deprecated from WP_Auth0_DBManager and move init to function #746 (joshcanhelp)
• Remove deprecated from WP_Auth0_UsersRepo #744 (joshcanhelp)
• Remove WP_Auth0_EditProfile #743 (joshcanhelp)
• Remove client_secret_b64_encoded setting #742 (joshcanhelp)
• Remove deprecated WP_Auth0_Api_Operations methods #740 (joshcanhelp)
• Remove deprecated IP and referrer checks #738 (joshcanhelp)
• Remove deprecated Management API functionality #737 (joshcanhelp)
• Remove class WP_Auth0_RulesLib #736 (joshcanhelp)
• Remove implicit login flow #735 (joshcanhelp)
• Remove deprecated WP_Auth0_Metrics class #728 (joshcanhelp)
• Remove deprecated WP_Auth0_Lock_Options class #727 (joshcanhelp)
• Remove deprecated WP_Auth0_CustomDBLib class #726 (joshcanhelp)
• Remove deprecated WP_Auth0_Api_Client methods #725 (joshcanhelp)
• Remove login manager deprecated #724 (joshcanhelp)
• Remove features including SSO on wp-login/php #723 (joshcanhelp)
• Remove deprecated basic settings; centralize validation declaration #722 (joshcanhelp)
• Remove appearance settings #721 (joshcanhelp)
• Remove all unused and deprecated advanced setting functionality #720 (joshcanhelp)
• Remove unused setup wizard classes, methods, and templates #719 (joshcanhelp)
• Remove JWT auth plugin integration #715 (joshcanhelp)
• Remove Social Amplificator and related assets #714 (joshcanhelp)
• Remove dashboard widgets #713 (joshcanhelp)
• Remove feedback form from help tab #712 (joshcanhelp)

Fixed

• Fix include path for functions file #755 (joshcanhelp)
• Merge in released 3.11.1 version #709 (joshcanhelp)
• Fix auth0 in paths triggering callback #697 (joshcanhelp)

3.11.3

Full Changelog

Security

• Fix potential XSS on wp-login.php override page #768 (kinabalu)

3.11.2

Full Changelog

• Add path to functions.php include #759 (joshcanhelp)
• Patch samesite for implicit #758 (joshcanhelp)

Important note for sites using the Implicit Login Flow setting: The upcoming changes to SameSite handling in multiple browsers will require sites using the Implicit Login Flow setting to also be served on a secure channel (callback URL using "https"). This setting will be removed in the upcoming major version but is patched for sites that need time to migrate.

3.7.3

Full Changelog

Fixed

• Cast user ID to integer to fix reflected XSS

3.11.1

Full Changelog

Fixed

• Check state in specific global based on callback type #708 (joshcanhelp)
• Fix widget gravatar and language settings #706 (joshcanhelp)
• Change CDN URL field type #704 (joshcanhelp)
• Fix sensitive field handling; add Basic settings tab validations #703 (joshcanhelp)
• Fix embed widget documentation and validation #702 (joshcanhelp)
• Add new Auth0 IPs; do not save duplicate or whitelisted IPs #700 (joshcanhelp)
• Improve setup wizard documentation #699 (joshcanhelp)
• Fix post passwords getting redirected #698 (joshcanhelp)