[wp-hackers] Querying OAuth protected service during 'wp_login'

fkooman at tuxed.net
Wed Dec 5 11:06:44 UTC 2012

On Tue, Dec 4, 2012 at 7:04 PM, Otto <otto at ottodestruct.com> wrote:
> Try the 'authenticate' filter instead. It gets three parameters, the
> WP_User object (or null), the username and the password (which may be
> empty). It's expected to return a valid WP_User or a WP_Error, or the
> original $user parameter if it's doing nothing.

Thanks for your help!

It can also get WP_Error if no one is logged in... Apparently even at
priority 40 it gets triggered when displaying the login screen, so I
had to add an instanceof check.

> If you hook in at, say, priority 40, then you can see that the user
> has either successfully logged in (via username/password or via
> cookie), and do what you want to do. If what you do should invalidate
> their login, then you can just return your own WP_Error here,
> overriding the previous two checks. The message from the WP_Error will
> automatically get spit out onto the login screen. If they check out,
> then you can just return the same WP_User you got in the first place,
> and they'll be logged in.

There seems to be a problem here: the user is no longer logged in
automatically after returning from the OAuth server redirect, I get
the login prompt again. Although after logging in everything works as
expected (the role gets set). It seems somewhere something goes wrong
regarding the cookie validation? Not sure where the problem is...

The updated code:

I think I return WP_User everywhere where needed?

> Note that this authentication process happens every request, so you
> may want to save something as usermeta so that you don't repeat your
> OAuth stuff every time, and can just check that first and skip it if
> they've successfully auth'd before.

Yeah, I've implemented that now... it does seem to work :)

> Alternatively, if you want to tie your authentication into another
> system entirely, you could hook in at priority 10, do your
> authentication check, and *create* a new user in the WP database
> corresponding to whatever your user-list is, or pull the proper
> WP_User if the user already exists in WP. As long as you return a
> WP_User object, the password check and the cookie check will simply
> pass through and let the login happen. Note that the cookie-setting
> code happens after this, so by returning a valid WP_User, then that
> person will get the proper cookie and won't be needing to enter the
> username and password all the time, since the cookie check will detect
> them next time.

Yeah, that is something used by the simplesamlphp-authentication
plugin I think... I just want to set up the roles :)

Thanks again for your help!
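
The approach discussed in this thread, sketched as an added example that is not the poster's plugin code or part of the original message: an 'authenticate' filter at priority 40 with the instanceof check, a usermeta cache, and a fail-closed remote lookup. Every `example_`/`EXAMPLE_` name, the endpoint URL, the 'editors' group, the one-hour re-check interval and the assumption that an access token is already stored in usermeta are hypothetical.

```php
<?php
// Added example: all EXAMPLE_* names and values below are assumptions, not from the thread.
const EXAMPLE_CHECKED_META = 'example_oauth_checked_at';      // hypothetical usermeta key
const EXAMPLE_TOKEN_META   = 'example_oauth_access_token';    // hypothetical, written by the OAuth redirect flow
const EXAMPLE_GROUPS_URL   = 'https://resource.example/groups'; // placeholder endpoint returning a JSON list

add_filter( 'authenticate', 'example_oauth_role_check', 40, 3 );

function example_oauth_role_check( $user, $username, $password ) {
    // On the bare login screen $user is null or a WP_Error: hand it back untouched.
    if ( ! ( $user instanceof WP_User ) ) {
        return $user;
    }

    // The filter runs on every request, so skip the remote call if a recent check exists.
    $checked = (int) get_user_meta( $user->ID, EXAMPLE_CHECKED_META, true );
    if ( $checked && ( time() - $checked ) < HOUR_IN_SECONDS ) {
        return $user;
    }

    // No token yet: do nothing here (starting the OAuth redirect is outside this sketch).
    $token = get_user_meta( $user->ID, EXAMPLE_TOKEN_META, true );
    if ( empty( $token ) ) {
        return $user;
    }

    $response = wp_remote_get( EXAMPLE_GROUPS_URL, array(
        'timeout' => 5,
        'headers' => array( 'Authorization' => 'Bearer ' . $token ),
    ) );

    // Fail closed: a transport error or non-200 answer rejects the login instead of keeping a stale role.
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'example_oauth_failed', 'Could not verify group membership.' );
    }

    $groups = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $groups ) ) {
        return new WP_Error( 'example_oauth_bad_body', 'Unexpected response from the OAuth service.' );
    }

    // Map membership to a role, defaulting to the least-privileged one ('editors' is a constructed group name).
    $user->set_role( in_array( 'editors', $groups, true ) ? 'editor' : 'subscriber' );
    update_user_meta( $user->ID, EXAMPLE_CHECKED_META, time() );

    return $user; // same WP_User back, so the later checks and cookie handling proceed normally
}
```

The re-check interval bounds how long a role survives after the user is removed from the group on the OAuth side; a cache flag with no expiry would never pick up a revocation.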
