I’m about to start working on a prototype for a client – and one of the required features is integration with an in-house user authentication / registration system.
This system will act as the authoritative user database, and provides a RESTful interface for creating new users, and authenticating valid users.
I need to be able to create new users in WP and as part of that process make a call to the external authentication API to either create / validate that user.
A person who is a valid user but not known to WP should be able to login to comment, without needing to register on the WP site themselves.
A person logged into the overall website should also automatically be logged in to WordPress.
I’m thinking the following is the way to go.
For (1) – is there a registration hook I can use?
For (2) – I’m assuming i hook the authenticate filter – ie when someone tries to login, I trap that, make a call to the external system, and then either process the WP login or redirect them to the registration process where (1) takes oer.
For (3) – read the login cookie set by the main site and proceed with (2) ?
I guess I’ll also need to insert a record into the users and usermeta table.
So, does the above make sense – have I not thought about something. Anyone got any good resources for helping with this (@hakre – I saw you’ve done some work on this !!).
So I’m still bashing my head against this a bit, essentially I’m trying to hook into the authenticate filter, and using that to:
- check if a login cookie for the ‘master’ site is set, and if it is, revalidate against their authentication API, and if valid, force a WP login with
wp_signon(),using the information contained in the master site cookie (email and hashed password) as credentials for WP
- if the cookie isn’t set, redirect to the master site login page and get either a login / signup then back to step 1
- if there isn’t a WP user when an authenticated master site user exists, create it and then so a ‘transparent’ signon (ie so the user doesn’t see a WP login form)
Basically, I want to hide the WP login form entirely for users who are just going to be mainly commenting, and later find a way to allow authors and admin to access it directly.
It’s going fairly slowly, here’s what I could use some help with:
is the authenticate filter the right one to use? It doesn’t seem to get called in all situations I would expect – eg the meta widget displays log in / log out links without the authenticate hook firing
i can get
wp_signon()to return a
WP_Userobject (indicating success), but it doesn’t affect the logged in status – ie the meta widget would still be showin “Login” even after refreshing.
Any help gratefully received 🙂
OK, the approach that’s working for me is as follows:
Assume that the main site user database is authoritative. The main site login cookie contains an ID and a hash of the site password.
Get the cookie from the main site and revalidate it against the main site’s authentication API
If valid, use the email address from the return value as the
'user_login'value for WP, and the hashed site password as the WP password.
Test if this user exists in WP by using
wp_authenticate('user_login', 'user_pass'). This returns a
WP_Userobject on success, or a
WP_Errorobject on failure.
WP_Error/is_wp_error(), then use use
wp_update_user()to create a user (or update a user with a changed password).
(This is all contained in a function that’s attached to the
This seems to be working – valid site users unknown to WP are automatically created. Password changes are catered for, and if the site cookie is set, and the WP user exists, the SSO is automatic and pretty seamless.