Keeping password local

  • Resolved jorgeviejo

    (@jorgeviejo)


    4 years, 5 months ago

    Hi there! I wonder if there could be an option to use local password rather than external password; in other words, users would still log in with password stored in WordPress.

    I know it sounds more like an unfeature, but this way you might take advantage of syncing & blocking features while still relying on the WordPress engine for all login tasks (including password change).

    Thanks in advance!

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author tbenyon

    (@tbenyon)

    Hey @jorgeviejo,

    Apologies for the delayed response.

    I’m not sure I fully understand your requirement but there is a ‘migration’ mode setting which may achieve what you are looking for.

    So the normal flow of the plugin is that when a username and password are entered on the login screen, the external database is queried. If the connection to the external database succeeds and the username exists in the external database then the user will be authenticated against that password hash.

    If the user does not exist, it will look to see if there is a local user in WordPress and log the user in with that username and password. (You can disable using the WordPress data as a fallback using ‘disable local login’ but I don’t think this is what you’re looking for).

    Now, there is another setting which is migration mode. Essentially it checks to see if a user with the username exists in the local WordPress install first and tries to login with that user. If not, it then looks to the external database to see if a user exists, and their password is valid and then creates the user in the WordPress database (which would then be used for future logins).

    It is important to note that the plugin does not currently support syncing to the external database. In other words, if you change the password in WordPress it will not update the password in your external database.

    I think I’ve answered your question so I’m going to mark this as resolved, however if you have any more question please don’t hesitate to post back here and I’ll be happy to help ??

    Thanks,

    Tom

    Thread Starter jorgeviejo

    (@jorgeviejo)

    Hi Tom, thanks a lot for your time, I do appreciate that!

    I’ll try to explain myself a little better. Suppose I have a user who exists only in the external database. Then migration mode gets the job done, because the plugin will retrieve the data from the external database and create the user accordingly.

    But what happens next? User now exists in local WordPress. So if later on I tell my external database to block the user in WordPress that simply won’t work because the plugin doesn’t even get to check the external database.

    So back to the ‘normal flow’. I can block/unblock the user in the external database and see it blocked/unblocked in WordPress. I can change user roles externally and see them changed locally. I could also change user password externally; if my external database was an IdP with password change features and the like, that would be awesome, but that is simply not the case. That’s why I wish I could keep using WordPress to manage password changes.

    The most simple fix I came up with is just that: enabling normal mode except that password hash is validated locally. Of course password syncing across databases would do too but that’s a lot to ask.

    Anyway I think your plugin is awesome, it has a lot of potential and works sooo smoothly, keep up with the good work!

    Regards.

    Jorge

    Plugin Author tbenyon

    (@tbenyon)

    Hey Jorge,

    There are a couple of solutions.

    I have a hook that allows you to write custom validation of the password. It was written to help users support custom hashing solutions but you could use it to validate against the local WordPress password.

    Alternatively, you could use the WordPress hook for when password change is made and update the external DB at that time. For ensured consistency you could block the password update in WordPress if your connection to the external db and the update was not successful.

    If one of these sounds useful I’m happy to thrash out a bit of pseudocode to get you started if it helps. ??

    Thanks,

    Tom ??

    Thread Starter jorgeviejo

    (@jorgeviejo)

    OK, tell me more about that custom hook.

    Plugin Author tbenyon

    (@tbenyon)

    This is just pseudocode but by using this hook, rather than use External Logins logic to validate if the password is correct, you do your own check.

    In this case we use WordPress’ built in wp_authenticate() method to validate the password.

    You could add additional logic to check to see if the user already exists is WordPress use one way of authenticating and if they do not exist use another way?

    I have not tested this – just showing as example. I document this hook in the FAQ if you want to have a read.

    
function myExlogHashAuthenticator($password, $hashFromDatabase, $username, $externalUserData) {
    $authenticateResponse = wp_authenticate($username, $password);
    return !is_wp_error( $return )
}
add_filter('exlog_hook_filter_authenticate_hash', 'myExlogHashAuthenticator', 10, 4);

    Happy to help more if you need more help ??

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Keeping password local’ is closed to new replies.