• I am building an app that will use WordPress to manage subscriptions and users, blogs and other stuff, but I want to build another external application that can use the API to pull user data to build out a custom dashboard.

    I don’t want to build a plugin because I’d rather keep it separate in case in the future I decide to use something else.

    My question is: I have JWT set up to pull the necessary data from WordPress and can authenticate using an API request, but I want a persistent login across the two apps.

    For instance, if I log in to my custom app, then go to manage my account at the WordPress site, it automatically logs me in and vice versa.

    How can I achieve this?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator bcworkz

    (@bcworkz)

    It’s possible to have WP query an external resource to check for authentication. If valid, WP can go ahead and log you in. This can be done via the “authenticate” filter. If your filter callback returns a valid WP_User object, that user will become logged in. If it returns a WP_Error object, login will be denied. If it returns null, the normal WP process will attempt authentication. Thus this external resource must provide some sort of webhook or API for your filter callback to communicate with.

    Similarly, your app would need a WP webhook or API route through which it could request authentication of a user. Beware, this sort of alternative authentication can be a security vulnerability if the scheme is not carefully implemented. Working with an existing protocol such as JWT or OAuth is the safest approach.

    Thread Starter tbobker

    (@tbobkrer)

    If I go the JWT route, which looks like the easiest and most secure way, how can I have it so that when a user logs into my external app, which authenticates via JWT, they are automatically authenticated in the WordPress website? If I implement SSO Google Login on both, would that work?

    Moderator bcworkz

    (@bcworkz)

    An SSO plugin should work, but I’ve no experience with them. They would implement essentially the same procedure I’m suggesting. A user wouldn’t be automatically logged in per se, though it might appear that way. On any WP request, WP checks for an auth cookie where required. If one does not exist, WP normally redirects to the login screen. You’d interrupt this process to have WP check elsewhere for authentication. If it exists, WP would log in the user without further interaction.

    There’s no way to set an auth cookie from outside of WP. WP must do it, but we can alter how that gets done.
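
Added example, not part of the thread and not code from any participant: one way the “authenticate” filter callback described in the replies above could verify an HS256-signed JWT before returning a WP_User, a WP_Error, or the untouched value. The constant `EXT_APP_JWT_SECRET`, the `ext_app_jwt` cookie, the issuer and audience strings, and the use of `sub` as the WP user ID are all assumptions made for illustration.

```php
<?php
// Added example. Hypothetical: EXT_APP_JWT_SECRET (set in wp-config.php), the
// ext_app_jwt cookie, the iss/aud values, and "sub" holding the WP user ID.
function ext_b64url_decode( $s ) {
	$s = strtr( $s, '-_', '+/' );
	return base64_decode( str_pad( $s, strlen( $s ) + ( 4 - strlen( $s ) % 4 ) % 4, '=' ), true );
}

function ext_verify_jwt( $jwt, $secret ) {
	$parts = explode( '.', (string) $jwt );
	if ( 3 !== count( $parts ) ) {
		return new WP_Error( 'ext_jwt_malformed', 'Malformed token.' );
	}
	list( $h, $p, $sig ) = $parts;
	$header = json_decode( (string) ext_b64url_decode( $h ), true );
	// Pin the algorithm: the token's own "alg" must not choose the verifier.
	if ( ! is_array( $header ) || 'HS256' !== ( $header['alg'] ?? '' ) ) {
		return new WP_Error( 'ext_jwt_alg', 'Unexpected algorithm.' );
	}
	// Constant-time comparison of the recomputed HMAC with the supplied one.
	$given = ext_b64url_decode( $sig );
	if ( false === $given || ! hash_equals( hash_hmac( 'sha256', "$h.$p", $secret, true ), $given ) ) {
		return new WP_Error( 'ext_jwt_sig', 'Bad signature.' );
	}
	$claims = json_decode( (string) ext_b64url_decode( $p ), true );
	if ( ! is_array( $claims ) || (int) ( $claims['exp'] ?? 0 ) <= time() ) {
		return new WP_Error( 'ext_jwt_expired', 'Token expired or unreadable.' );
	}
	// Accept only tokens issued by the external app for this site.
	if ( 'https://app.example.com' !== ( $claims['iss'] ?? '' ) || 'wordpress-sso' !== ( $claims['aud'] ?? '' ) ) {
		return new WP_Error( 'ext_jwt_claims', 'Wrong issuer or audience.' );
	}
	return $claims;
}

add_filter( 'authenticate', function ( $user, $username, $password ) {
	// Already authenticated, or no token presented: leave the normal WP flow alone.
	if ( $user instanceof WP_User || empty( $_COOKIE['ext_app_jwt'] ) ) {
		return $user;
	}
	$claims = ext_verify_jwt( wp_unslash( $_COOKIE['ext_app_jwt'] ), EXT_APP_JWT_SECRET );
	if ( is_wp_error( $claims ) ) {
		return $claims;
	}
	// Map the verified subject to an existing account; never create users here.
	$wp_user = get_user_by( 'id', (int) ( $claims['sub'] ?? 0 ) );
	return $wp_user ? $wp_user : new WP_Error( 'ext_jwt_user', 'Unknown user.' );
}, 10, 3 );
```

Keep the token lifetime short and set the cookie with the Secure and HttpOnly flags, since anyone holding a valid token is logged in as that user.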
