2011
09.01

Recently I finished a WordPress MultiSite project, for one of the biggest blog networks here in Hungary.
They are switching to WordPress ;)

But the question for today is how we can integrate a 3rd party authentication method into WordPress, and on the other hand how we can let the super admin users log in with their WordPress credentials, without having a valid username/password in the 3rd party authentication system.

Sounds interesting?

Let’s go ;)

So WordPress has some so-called ‘pluggable functions’; they are in wp-includes/pluggable.php.
These functions can be overridden from plugins, multisite plugins or by lower level functionalities like cache.php, db.php or object-cache.php in the wp-content root.

My first thought was it’ll be sooo easy, just overwrite this function, and we’re ready.
Okay, but how can we handle unique users, such as super admins? Well… Then we have to keep the ordinary login system as well.

The login process is mainly done by the ‘authenticate’ action and its filters.
One of the authenticate action filters is wp_authenticate_cookie, which puts down a cookie that holds your session.

So, first of all I remove every filter from the ‘authenticate’ action.
Then I re-add and reorder some of them.

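// Drop every callback registered on 'authenticate' so far
remove_all_filters('authenticate');
// Priority 1: re-hook the stock password check if the login is a super admin
add_filter('authenticate', 'my_super_admin_check', 1, 3);
// Priority 20: the custom 3rd party authentication
add_filter('authenticate', 'my_authenticate', 20, 3);
// Priority 30: the authentication cookie check
add_filter('authenticate', 'wp_authenticate_cookie', 30, 3);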

So first I’m calling the super admin checker, then my custom authentication method (which I won’t share),
then we check for the authentication cookie.

During the authentication method the error handling and reporting should be done by returning a WP_Error object,
with an error identifier and a custom text.

So our error handling should be something like this,
it’s a pretty common error handling around WordPress:

    if(date('w') == 1)
    {
      return new WP_Error( 'monday_error', "<strong>ERROR</strong>: I won't let you in today, man it's Monday :(" );
    }

My super admin checker does only two things.
First it gets a list of super admin usernames, then it checks if one of them matches the given username. If it does, we hook the ordinary authenticate method back into the workflow.

function my_super_admin_check($user, $login, $password)
{
    if (!empty($login) && !empty($password))
    {
        // Super admin logins, stored the way they were typed in
        $super_admins = get_super_admins();

        foreach ($super_admins as $super_admin)
        {
            // Strict comparison: == would treat numeric-looking strings as numbers
            if (strtolower($login) === strtolower($super_admin))
            {
                // Re-enable the stock username/password check for this login
                add_filter('authenticate', 'wp_authenticate_username_password', 10, 3);
                break;
            }
        }
    }

    // A filter callback has to hand the filtered value on to the next one
    return $user;
}

The only thing to note about this piece of code is that we have to convert the usernames to lowercase, so the comparison is case-insensitive, while the system stores super admin names the way they were typed in.
That can lead to confusion.
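
One way the callback at priority 20 could look, as an added example that is not the author's unshared code. The endpoint URL and the helper my_thirdparty_verify() are hypothetical, and the external system is assumed to answer HTTP 200 for valid credentials; the point shown is that super admins stay bound to the local password check and every failure returns the same WP_Error.

```php
<?php
// Added example, not the author's code. Placeholder URL, assumed for illustration.
define('MY_SSO_VERIFY_URL', 'https://sso.example.invalid/verify');

// Hypothetical helper: true only on a clean HTTP 200 from the external system.
function my_thirdparty_verify($login, $password)
{
    $response = wp_remote_post(MY_SSO_VERIFY_URL, array(
        'timeout' => 5,
        'body'    => array('login' => $login, 'password' => $password),
    ));
    // Transport errors and non-200 answers both fail closed.
    return !is_wp_error($response)
        && wp_remote_retrieve_response_code($response) === 200;
}

function my_authenticate($user, $login, $password)
{
    // The local password check hooked in for super admins already
    // produced a user: pass it on untouched.
    if ($user instanceof WP_User) {
        return $user;
    }
    // Nothing submitted: let the cookie check at priority 30 decide.
    if (empty($login) || empty($password)) {
        return $user;
    }
    $generic = new WP_Error('my_auth_failed',
        '<strong>ERROR</strong>: Invalid username or password.');

    $account = get_user_by('login', $login);
    // Super admins must pass the local WordPress password check. Without this
    // guard a same-named external account would be accepted for them as well.
    if ($account && is_super_admin($account->ID)) {
        return is_wp_error($user) ? $user : $generic;
    }
    if (!my_thirdparty_verify($login, $password)) {
        return $generic; // same message whether or not the login exists
    }
    // Externally valid but no local account: refuse instead of creating one.
    return $account ? $account : $generic;
}
```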

That’s all for now ;)

1 comment so far

  1. This can be an interesting publish! Many thanks for that! Using sincerely Luke aka couchgool.