Comments on: Authentication in WordPress 2.8

By: Claas

Claas — Wed, 24 Feb 2010 22:12:56 +0000

Or a german version? please!

By: reiner

reiner — Fri, 22 Jan 2010 12:15:41 +0000

Do you plan to provide a french version of the plugin

By: Will Norris

Will Norris — Sat, 07 Nov 2009 18:02:12 +0000

@Vince: no, I am unaware of any kind of federated identity support at LinkedIn.

By: Vince

Vince — Sat, 07 Nov 2009 11:49:30 +0000

I am building a company blog using WP and wondered which of these solutions, OAuth or OpenID, will allow visitors from LinkedIn to login and comment? Thanks

By: Will Norris

Will Norris — Tue, 27 Oct 2009 19:56:42 +0000

@Jerod: see my reply to Clifton at http://wordpress.org/support/topic/317959

By: Jerod Santo

Jerod Santo — Tue, 27 Oct 2009 19:49:36 +0000

I have to agree with Clifton and say that I’m confused about this filter chain and think it could have security concerns. Will, could you please address this issue?

By: Denis

Denis — Wed, 07 Oct 2009 15:12:03 +0000

@Stephen Paul Weber

Totally agree!

We recently had to relaunche 2 projects (Tourist.de / linksilo.de ) due to massiv Problems with WP Core.

Keep the Core smart! (+:

By: Clifton Griffin

Clifton Griffin — Mon, 05 Oct 2009 15:02:59 +0000

Hi WIll, Thank you for this write up. I have an LDAP authentication plugin that currently relies on replacing wp_authenticate(). I did not notice the new filter until this morning as my plugin continued to work after the transition from 2.7.x to 2.8.x.

I do have one question for you that I am having troubles answering. It seems that the filters are applied in order of priority. For example, authenticating with username/password in WP is set as a priority 20 while using a cookie is set at 30. I assume my integration should use 10 as that seems to be the default for added functionality.

I also grasp the idea of deferring to higher priority plugins: if ( is_a($user, 'WP_User') ) { return $user; }

However, when it comes to authentication a chain of multiple authentication methods which can say yea/nay to a username/password combination is inherently insecure. For instance, if my plugin attempts to log the user in with LDAP and fails, it should fail permanently, not give the same credentials a shot at the local database.

This widens the effective attack target and essentially creates two passwords (or more) that can access one username's account.

In my current architecture I have handled this by rewriting wp_authenticate as I see fit. I allow users to specify a login mode that either permits failed logins to hit the wp system for another try or fails permanently.

However, using filters it seems that it will simply keep moving down the chain regardless of what I do. Is this true? Am I missing something obvious?

Thanks in advance, Clif

By: OpenID and WordPress Core — Will Norris

OpenID and WordPress Core — Will Norris — Tue, 29 Sep 2009 20:18:30 +0000

[…] were necessary to allow plugins to provide that functionality. In fact, I overhauled how the authentication system is extended in WordPress 2.8 simply to make things like OpenID and OAuth much easier to […]

By: » New plugins tackling emerging technologies

» New plugins tackling emerging technologies — Thu, 17 Sep 2009 08:20:43 +0000

[…] to find anything conclusive but learnt quite a bit on the open access plugin that is used through Will Norris and I am trying to clarify if what holds true for 2.8 holds true for […]