Authentication Plugins
Update: This patch has been added to WordPress as of 1.5.1. The most recent version of the plugin is available from the plugin repository.
Prior to WordPress 1.5, no hooks existed for authentication plugins. Thus, to authenticate users through GatorLink or another external authentication scheme, changes to WordPress core were needed. Fairly significant changes to wp-login.php, for example, made upgrading to a new version of WordPress more difficult.
With WordPress 1.5, some hooks into the authentication process have been added. This opens the doors for authentication plugins.
Using External Authentication
As part of UF’s efforts to use WordPress, Web Administration has developed an HTTP authentication plugin. This plugin can be used in any situation where your Web server sets the REMOTE_USER environment variable. With .htaccess files, you can use any of the authentication mechanisms available in Apache, such as basic authentication.
To properly lock down WordPress and use the HTTP authentication plugin, you need two .htaccess files: one protecting wp-login.php and one protecting the wp-admin directory.
For wp-login.php, add something like the following to your .htaccess file at the root of your WordPress installation (create the file if you don’t have it already):
<Files wp-login.php>
AuthName "GatorLink"
AuthType GatorLink
GatorLinkTimeout 60
GatorLinkVerbose Off
Require user dwc
</Files>
For the wp-admin directory, create an .htaccess with something like the following:
AuthName "GatorLink"
AuthType GatorLink
GatorLinkTimeout 60
GatorLinkVerbose Off
Require user dwc
For basic authentication, you’ll need to change the AuthType, remove the GatorLink options, and specify the location of your AuthUserFile.
The HTTP authentication plugin uses the REMOTE_USER environment variable as the WordPress username and password. You still create users in WordPress (so that you can assign them a level), but authentication is handled externally.
API Extensions
Some minor changes were made to WordPress to extend the authentication API:
- wp-login.php
  - Add lost_password hook to allow plugins to disable this action.
  - Move retrieve_password hook to allow plugins to disable this action before an email is sent.
  - Move reset_password hook to allow plugins to disable this action before an email is sent.
  - Add wp_authenticate hook to allow plugins to handle authentication. The username and password variables are passed by reference so plugins can pass the information back to wp-login.php.
- wp-admin/profile.php
  - Add check_passwords hook to allow plugins to update a user’s password.
  - Add show_password_fields filter to allow plugins to hide the password fields.
- wp-admin/user-edit.php
  - Add check_passwords hook to allow plugins to update a user’s password.
  - Add show_password_fields filter to allow plugins to hide the password fields.
- wp-admin/users.php
  - Add check_passwords hook to allow plugins to update a user’s password.
  - Add show_password_fields filter to allow plugins to hide the password fields.
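How a plugin might combine these hooks with the REMOTE_USER behaviour described under Using External Authentication, as an added sketch that is not the HTTP authentication plugin's or WordPress's own code. The hook names are the ones listed above; the example_* function names, the username pattern and the two-argument by-reference callback signature are assumptions.

```php
<?php
/*
Plugin Name: REMOTE_USER login sketch (added example, hypothetical)
*/

// Hypothetical helper: the server-authenticated name, or '' if it is absent
// or contains unexpected characters (the pattern is an assumption).
function example_remote_user() {
    $name = isset($_SERVER['REMOTE_USER']) ? trim($_SERVER['REMOTE_USER']) : '';
    return preg_match('/^[A-Za-z0-9._@-]{1,60}$/', $name) ? $name : '';
}

// wp_authenticate hands over both variables by reference, so overwriting
// them here replaces whatever the login form submitted.
function example_authenticate(&$username, &$password) {
    $username = $password = '';   // never trust form input in this setup
    $remote = example_remote_user();
    if ($remote === '') {
        // Fail closed: wp-login.php was reached without server authentication,
        // which means the .htaccess protection is missing or not applied.
        wp_die('No REMOTE_USER set; check the .htaccess protecting wp-login.php.');
    }
    // As the page describes, the server-supplied name fills both fields.
    // The web server's check is therefore the only real gate, which is why
    // both wp-login.php and wp-admin need their own .htaccess rules.
    $username = $password = $remote;
}
add_action('wp_authenticate', 'example_authenticate', 10, 2);

// Passwords are managed externally, so hide WordPress's own password fields.
function example_hide_password_fields($show) {
    return false;
}
add_filter('show_password_fields', 'example_hide_password_fields');

// Stop the lost/retrieve/reset password flows before any email is sent.
function example_disable_password_action() {
    wp_die('Passwords are managed by the external authentication system.');
}
add_action('lost_password', 'example_disable_password_action');
add_action('retrieve_password', 'example_disable_password_action');
add_action('reset_password', 'example_disable_password_action');
```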
See Also
March 7th, 2005 at 11:14 am
[...]
If you want to authenticate your Wordpress against external user databases: the Authentication Plugins patch extends WordPress with the necessary hooks to [...]
March 9th, 2005 at 5:52 pm
I just checked this in, let me know how it looks.
March 9th, 2005 at 5:53 pm
Also you should add your plugin to wp-plugins.org.
April 15th, 2005 at 1:34 pm
[...] gins we’re using moved over without changing anything and a developer at UF wrote an authentication plugin that is a big improvement over the LDAP patch we’ [...]
April 23rd, 2005 at 7:23 am
imap authentication plugin
We’ve set up a new blog for people to start playing with at work. As part of the set up I wanted to link back into the central authentication used for workstation login, etc… So the options were really kerberos, or radius. As the authority is an …
April 24th, 2005 at 9:16 pm
[...] here
Through Photo Matt, here are two auth plugins which are interesting: * HTTP auth * IMAP auth
[...]
April 25th, 2005 at 8:41 pm
[...] gins we’re using moved over without changing anything and a developer at UF wrote an authentication plugin that is a big improvement over the LDAP patch we’ [...]
June 28th, 2005 at 9:52 am
Hi, does this mean that Wordpress can use a htpasswd file as its master list of users?
I want to use Wordpress to help http://twiki.org/cgi-bin/view/Codev/BlogginInTWiki
June 28th, 2005 at 12:40 pm
Martin,
I’m not familiar with TWiki’s user system, but WordPress would most likely work in this situation. For example, if TWiki can use Apache’s mod_auth_digest, then you could use the http-authentication WordPress plugin to use the same user database.
Try downloading version 1.1 and looking at the readme.txt. At the very least, you’ll need to install the plugin, add your users to WordPress, and then set up your .htaccess file.
Let me know if you have any questions.
July 18th, 2005 at 3:30 pm
Thanks…
Does this http-authentication WordPress plugin provide a mechanism for a user to register or change the password or is that done elsewhere?
Thanks. M.
July 18th, 2005 at 10:38 pm
Martin,
The plugin assumes you have an existing mechanism for managing users. For example, you could use mod_auth_ldap against an existing LDAP directory.
The plugin is actually very simple - it just looks for a username provided by Apache and passes it into the WordPress authentication code.
May 13th, 2007 at 7:58 am
I’m a first time wp; have the plugin working but for some reason it seems to block the css file from loading so my site is looking very retro at the moment - any ideas?
May 14th, 2007 at 2:49 pm
Steve,
Could you check your server logs for hits to the CSS file? The status code might be helpful in debugging the problem.
June 6th, 2007 at 3:00 am
I successfully used your plugin to integrate a Wordpress 2.2 installation with Active Directory, thanks!
July 8th, 2007 at 5:36 pm
Awesome work, thanks a lot. This was a huge help with something I was trying to get done.
August 27th, 2007 at 1:49 pm
Does it support auto login, so the users don’t have to click login at all? I don’t see how to implement this in WP. Any suggestions? Thanks!
August 29th, 2007 at 6:24 pm
Andrisi,
Off the top of my head, I don’t think that’s supported. For my sites the users are almost always logging into the WordPress administration section first.
However, I’d be happy to take a patch to add support for that. You could probably use an early plugin hook to support auto-login. The patch should make this behavior optional, as with the auto-create option added previously.
April 3rd, 2008 at 11:17 am
[...] Blog Ramblings by University of Florida Web Developer Daniel Westermann-Clark « Authentication Plugins iCal Events Plugin [...]