Authentication Plugins

Update: This patch has been added to WordPress as of 1.5.1. The most recent version of the plugin is available from the plugin repository.

Prior to WordPress 1.5, no hooks existed for authentication plugins. Thus, to authenticate users through GatorLink or another external authentication scheme, changes to WordPress core were needed. Fairly significant changes to wp-login.php, for example, made upgrading to a new version of WordPress more difficult.

With WordPress 1.5, some hooks into the authentication process have been added. This opens the doors for authentication plugins.

Using External Authentication

As part of UF‘s efforts to use WordPress, Web Administration has developed an HTTP authentication plugin. This plugin can be used in any situation where your Web server sets the REMOTE_USER environment variable. With .htaccess files, you can use any of the authentication mechanisms available in Apache, such as basic authentication.

To properly lock down WordPress and use the HTTP authentication plugin, you need two .htaccess files: one protecting wp-login.php and one protecting the wp-admin directory.

For wp-login.php, add something like the following to your .htaccess file at the root of your WordPress installation (create the file if you don’t have it already):

<Files wp-login.php>
  AuthName "GatorLink"
  AuthType GatorLink
  GatorLinkTimeout 60
  GatorLinkVerbose Off
  Require user dwc
</Files>

For the wp-admin directory, create an .htaccess with something like the following:

AuthName "GatorLink"
AuthType GatorLink
GatorLinkTimeout 60
GatorLinkVerbose Off
Require user dwc

For basic authentication, you’ll need to change the AuthType, remove the GatorLink options, and specify the location of your AuthUserFile.

The HTTP authentication plugin uses the REMOTE_USER environment variable as the WordPress username and password. You still create users in WordPress (so that you can assign them a level), but authentication is handled externally.

API Extensions

Some minor changes were made to WordPress to extend the authentication API:

  • wp-login.php
    • Add lost_password hook to allow plugins to disable this action.
    • Move retrieve_password hook to allow plugins to disable this action before an email is sent.
    • Move reset_password hook to allow plugins to disable this action before an email is sent.
    • Add wp_authenticate hook to allow plugins to handle authentication. The username and password variables are passed by reference so plugins can pass the information back to wp-login.php.
  • wp-admin/profile.php
    • Add check_passwords hook to allow plugins to update a user’s password.
    • Add show_password_fields filter to allow plugins to hide the password fields.
  • wp-admin/user-edit.php
    • Add check_passwords hook to allow plugins to update a user’s password.
    • Add show_password_fields filter to allow plugins to hide the password fields.
  • wp-admin/users.php
    • Add check_passwords hook to allow plugins to update a user’s password.
    • Add show_password_fields filter to allow plugins to hide the password fields.

See Also

Comments

Comment from Matt on

I just checked this in, let me know how it looks.

Comment from Matt on

Also you should add your plugin to wp-plugins.org.

Comment from dwc on

Martin,

I’m not familiar with TWiki’s user system, but WordPress would most likely work in this situation. For example, if TWiki can use Apache’s mod_auth_digest, then you could use the http-authentication WordPress plugin to use the same user database.

Try downloading version 1.1 and looking at the readme.txt. At the very least, you’ll need to install the plugin, add your users to WordPress, and then set up your .htaccess file.

Let me know if you have any questions.

Comment from Martin Cleaver on

Thanks…

Does this http-authentication WordPress plugin provide a mechanism for a user to register or change the password or is that done elsewhere?

Thanks. M.

Comment from dwc on

Martin,

The plugin assumes you have an existing mechanism for managing users. For example, you could use mod_auth_ldap against an existing LDAP directory.

The plugin is actually very simple – it just looks for a username provided by Apache and passes it into the WordPress authentication code.

Comment from Steve on

I’m a first time wp; have the plugin in working but for some reason it seems to block the css file from loading so my site is looking very retro at the moment – any ideas?

Comment from dwc on

Steve,

Could you check your server logs for hits to the CSS file? The status code might be helpful in debugging the problem.

Comment from Senpai on

I successfully used your plugin to integrate a WordPress 2.2 installation with Active Directory, thanks!

Comment from Stephen on

Awesome work, thanks a lot. This was a huge help with something I was trying to get done.

Comment from Andrisi on

Does it support auto login. So the users don’t have to click login at all. I don’t see how to implement this in WP. Any suggestions? Thanks!

Comment from dwc on

Andrisi,

Off the top of my head, I don’t think that’s supported. For my sites the users are almost always logging into the WordPress administration section first.

However, I’d be happy to take a patch to add support for that. You could probably use an early plugin hook to support auto-login. The patch should make this behavior optional, as with the auto-create option added previously.

Comment from Bilinen on

I’m a first time wp; have the plugin in working but for some reason it seems to block the css file from loading so my site is looking very retro at the moment – any ideas

Comment from dwc on

It sounds like your authentication configuration might be incorrect. Can you check the Apache logs for more information?