[wp-hackers] Querying OAuth protected service during 'wp_login'

fkooman at tuxed.net fkooman at tuxed.net
Thu Dec 6 17:18:29 UTC 2012

On Wed, Dec 5, 2012 at 5:19 PM, Otto <otto at ottodestruct.com> wrote:
> Are you redirecting the user's browser to do authentication? Because
> you can't do that in an authenticate action, the login credentials
> won't be there when they come back.

Ah, that is exactly what I did, I see.

> The authenticate action happens *every* request, not just on the login
> screen or something like that. It should go get the information from
> wherever without extra user interaction. If you need to send them
> elsewhere and back, then you need to do that before authenticate, in
> which case wp-login or something might be preferred.

I'm back now to my original approach using wp_login action and the
auth_cookie_valid, because in both hooks it is possible the browser
gets redirected. First if no OAuth access token is available (during
wp_login), and later if the access token appears valid but is rejected
because the user revoked the access token (during auth_cookie_valid).
I'm using now the set_user_meta and get_user_meta to indicate whether
or not the roles should be retrieved.

Maybe some optimizations are still possible in this scenario? Thanks
so far for your assistance! The latest code can be found here:


More information about the wp-hackers mailing list