9. June 2011
by Blackbam

Recently I was confronted with the problem of having multiple user types on a WordPress blog who partly needed to be logged in using an external service/authentication mechanism. But they all had to use the same login form for the system. A common problem? The WordPress Function Reference and Codex do not document this topic very well and it took me a lot of time to figure out how to do this best, so I want to keep it for the future and provide it to my blog visitors.

Override the WordPress default login action

Add the following to your functions.php file:

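// this action is executed just before the invocation of the WordPress authentication process

add_action('wp_authenticate','checkTheUserAuthentication');

function checkTheUserAuthentication() {

    // the hook can also fire without submitted credentials (e.g. when the form is only displayed)
    if (empty($_POST['log']) || empty($_POST['pwd'])) {
        return;
    }

    $username = $_POST['log'];
    $password = $_POST['pwd'];

    // try to log into the external service or database with username and password
    // (try2AuthenticateExternalService() is a placeholder that you have to implement yourself)
    $ext_auth = try2AuthenticateExternalService($username,$password);

    // if external authentication was successful
    if ($ext_auth) {

        // find a way to get the user id
        $user_id = username_exists($username);

        // no matching WordPress user: leave the request to the normal login process
        if (!$user_id) {
            return;
        }

        // userdata will contain all information about the user
        $userdata = get_userdata($user_id);
        // set_current_user() is deprecated, wp_set_current_user() replaces it
        wp_set_current_user($user_id);

        // this will actually make the user authenticated as soon as the cookie is in the browser
        wp_set_auth_cookie($user_id);
        // the wp_login action is used by a lot of plugins, just decide if you need it
        // (it expects the login name and the user object, not the ID)
        do_action('wp_login', $userdata->user_login, $userdata);

        // redirect the authenticated user to the "logged-in page"; define('MY_PROFILE_PAGE',1); somewhere first, for example
        wp_safe_redirect(get_page_link(MY_PROFILE_PAGE));
        exit; // stop here so the default login handling does not continue after the redirect
    }

}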

Note that this script logs your users in without ever checking their WordPress passwords, so use it carefully: the result of try2AuthenticateExternalService() is the only check that is performed.

If you experience any problems with this way of authentication, make sure that the cookies in the browser are set and sent properly: make sure that setcookie() in wp-includes/pluggable.php uses all parameters of the setcookie() function correctly. Especially check the values of COOKIE_DOMAIN, COOKIEPATH and SITECOOKIEPATH, as we had an issue with that.


This entry was published on 9. June 2011 at 22:22 in the category WordPress, WP Scripts.



Already 7 comments belonging to "WordPress custom external authentication login/logout PHP script":


Cedric says:

on 19. July 2011 at 20:35


Check this out: http://www.cedricve.me/blog/2011/07/18/how-to-make-use-of-wordpress-passwords/ It explains how you can make an external login with the credentials of a wordpress installation. I hope this can help you ;)

Blackbam says:

on 20. July 2011 at 18:44


Hey Cedric, thanks for sharing this article about external authentication.

However your article is about logging in WordPress users into a custom session from a page outside the WordPress installation using the Username and Password of the WordPress installation. In spite of that, this article is about logging in users into WordPress using an external login mechanism (like the Username and Passwords of a huge company database) without using the WordPress Username and Password.

I hope the difference between the two lines of action is clear!

Ryan Wheale says:

on 26. January 2012 at 03:31


I don't understand why you would use "username_exists" and "get_userdata" if your information exists in an external database. It seems like you would just get null values. Can you elaborate? Thanks.

Blackbam says:

on 28. January 2012 at 18:41


This script is for undergoing the WordPress login mechanism by logging in users without knowing their actual password. If the external authentication was successful, $ext_auth is true and you do not have to know any WordPress password (and therefore you do not have to synchronize or even KNOW any passwords).

The users must still exist in the WordPress database though, because WordPress will not work correctly otherwise. But you can simulate this by writing a new user with the desired user name into the database (function: wp_create_user), if a user logs in for the first time.

A possible use case for this is an SSO (single sign-on) system, where you might and should not know the passwords of your users.

Is it clear now?

Ben Lobaugh says:

on 23. February 2012 at 04:00


Thanks for posting this. This info is stupidly hard to find. Just as a point of clarification, after you are doing the external check to see if the user is valid externally you should probably be doing another check to see if they exist in the WP DB and if not create them first right? If I am understanding what I read correctly an id for the user has to be setup already? I think with your example I will be able to get my auth plugin almost up and running :)

Blackbam says:

on 26. February 2012 at 22:56


1. Do the external check: The external login must be successful and the return value must be validated. If a remote request to another service is needed, use the WordPress HTTP API (http://codex.wordpress.org/HTTP_API). --> Yes

2. Doing another check to see if they exist in the WP DB and if not create them first right ---> Yes

3. EVERY user in WordPress has a unique ID, so we use this ID to identify a user in this script (Note: WP Users Table, http://codex.wordpress.org/images/9/9e/WP3.0-ERD.png). If the ID is found, our user is automatically logged in.

4. If the user does NOT exist, there are two possibilities.

First possibility - The users should be created automatically:
if($ext_auth && !username_exists($username)) {
    // create new user; $email must be set beforehand
    // wp_create_user() returns the new user ID, which the rest of the script needs
    $user_id = wp_create_user($username,$password,$email);
}
Add this code after this line: "$user_id = username_exists($username);". But notice that WordPress NEEDS a user email. Username and email could be the same. If users are authenticated only using the external servers, you can generate a random password.

Second possibility - The users must register to the WordPress powered site separately, but still authenticate via the external service. If this possibility is chosen, do something like:
header("Location:".get_page_link(REGISTER_PAGE));
Hopefully things are easy to understand now. Maybe you can post a link to your new auth plugin here?

Ben Lobaugh says:

on 26. February 2012 at 23:17


Thanks, I appreciate the help. I am writing a mini tutorial on this also. I will send a pingback to this page.
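
Added example, not part of the original post or its comments: the login override from the post together with the follow-up steps from the comments (external check through the WordPress HTTP API, creating the user on first login with a random password) in one piece. It uses the authenticate filter instead of the wp_authenticate action, so WordPress itself sets the cookie and fires wp_login; the endpoint URL, its JSON reply, the function names and the ext_auth_managed meta key are assumptions.

```php
<?php
// Added example. EXT_AUTH_URL, the JSON reply {"authenticated": true, "email": "..."}
// and the 'ext_auth_managed' meta key are assumptions; adapt them to your service.
define('EXT_AUTH_URL', 'https://sso.example.com/api/verify'); // placeholder endpoint

// Priority 10 runs before WordPress' own password check (priority 20).
add_filter('authenticate', 'ext_auth_login', 10, 3);

function ext_auth_login($user, $username, $password) {
    if ($user instanceof WP_User || $username === '' || $password === '') {
        return $user; // nothing submitted, or an earlier handler already decided
    }
    $account = ext_auth_verify($username, $password);
    if ($account === null) {
        return $user; // fail closed: fall through to the normal WordPress login
    }
    $user_id = username_exists($username);
    if (!$user_id) {
        // First login: create the local account with a random password nobody knows.
        $user_id = wp_create_user($username, wp_generate_password(32, true, true), $account['email']);
        if (is_wp_error($user_id)) {
            return $user_id;
        }
        update_user_meta($user_id, 'ext_auth_managed', 1);
    }
    // Only accounts created here may skip the WordPress password, so an external
    // name that matches a local account (e.g. an administrator) gains nothing.
    if (!get_user_meta($user_id, 'ext_auth_managed', true)) {
        return $user;
    }
    return get_user_by('id', $user_id); // wp_signon() sets the cookie and fires wp_login
}

function ext_auth_verify($username, $password) {
    $response = wp_remote_post(EXT_AUTH_URL, array(
        'timeout' => 5,
        'body'    => array('username' => $username, 'password' => $password),
    ));
    // Treat transport errors, non-200 replies and malformed bodies as "not authenticated".
    if (is_wp_error($response) || wp_remote_retrieve_response_code($response) !== 200) {
        return null;
    }
    $data = json_decode(wp_remote_retrieve_body($response), true);
    if (!is_array($data) || ($data['authenticated'] ?? false) !== true || !is_email($data['email'] ?? '')) {
        return null;
    }
    return $data;
}
```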
