Title: Custom XML-RPC authentication
Last modified: August 20, 2016
---
# Custom XML-RPC authentication
* [charlielove](https://wordpress.org/support/users/charlielove/)
* (@charlielove)
* [14 years, 4 months ago](https://wordpress.org/support/topic/custom-xml-rpc-authentication/)
* I use a modified simpleSAMLphp SSO authentication plugin for my blog network
to allows a single sign-on using my main user database and then users are automatically
authenticated/created in WordPress. The simpleSAMLphp plugin breaks XML-RPC authenticate,
I know why and I’m happy enough with this BUT to provide a fix for users who
want to use the WordPress mobile apps and other XML-RPC tools I have written
a plug-in which allows users to set up a separate password for XML-RPC use which
is stored in the user meta data table.
* The problem is I can’t figure our how to extend the `login_pass_ok` or `login`
functions in class-wp-xmlrpc-server.php to allow my intended additional user
password to be used. My plugin code looks like this at them moment.
* ```
get_error_messages() as $message) {
?>
error = new IXR_Error( 405, sprintf( __( 'XML-RPC services are disabled on this site. An admin user can enable them at %s'), admin_url('options-writing.php') ) );
return false;
}
// Let's run a check to see if credentials are okay
if (!function_exists('get_userdatabylogin'))
return new IXR_Error( 403, __( 'No user validation available.' ) );
//retrieve the user using the username
$user = get_userdatabylogin($user_login);
if(!$user)
return new IXR_Error( 403, __( 'User does not exist.' ) );
//get the user id from the user data
$user_id = $user->ID;
//retreive the stored hashed password array from the usermeta
$password_array = get_user_meta($user_id,'xml_rpc_password');
//stored the hashed password in an array so extract the hashed password from the array
$hashed_stored_password = $password_array[0];
//validate the hashed password with the user supplied one from XML-RPC
if ( !wp_check_password($user_pass,$hashed_stored_password) ) {
$this->error = new IXR_Error(403, __('Bad login/pass combination.'));
return false;
}
return true;
}
/**
* Log user in.
*
* @since 2.8
*
* @param string $username User's username.
* @param string $password User's password.
* @return mixed WP_User object if authentication passed, false otherwise
*/
function login($username, $password) {
if ( !get_option( 'enable_xmlrpc' ) ) {
$this->error = new IXR_Error( 405, sprintf( __( 'XML-RPC services are disabled on this site. An admin user can enable them at %s'), admin_url('options-writing.php') ) );
return false;
}
// Let's run a check to see if credentials are okay
if (!function_exists('get_userdatabylogin'))
return new IXR_Error( 403, __( 'No user validation available.' ) );
//retrieve the user using the username
$user = get_userdatabylogin($user_login);
if(!$user)
return new IXR_Error( 403, __( 'User does not exist.' ) );
//get the user id from the user data
$user_id = $user->ID;
//retreive the stored hashed password array from the usermeta
$password_array = get_user_meta($user_id,'xml_rpc_password');
//stored the hashed password in an array so extract the hashed password from the array
$hashed_stored_password = $password_array[0];
//validate the hashed password with the user supplied one from XML-RPC
if ( !wp_check_password($user_pass,$hashed_stored_password) ) {
$this->error = new IXR_Error(403, __('Bad login/pass combination.'));
return false;
}
wp_set_current_user( $user->ID );
return $user;
}
}
?>
```
* I could just hack the class-wp-xmlrpc-server.php file and replace the two functions
but I would much rather have something that works correctly as a plug. Any ideas
how I can replace the functionality of these two functions?
Viewing 2 replies - 1 through 2 (of 2 total)
* [Hadis](https://wordpress.org/support/users/hadis89/)
* (@hadis89)
* [14 years, 2 months ago](https://wordpress.org/support/topic/custom-xml-rpc-authentication/#post-2475846)
* can you write how to hack class-wp-xmlrpc-server.php?
* [slbmeh](https://wordpress.org/support/users/slbmeh/)
* (@slbmeh)
* [14 years ago](https://wordpress.org/support/topic/custom-xml-rpc-authentication/#post-2475859)
* This is a rather old post, but I’ll add my two cents in case anyone were to find
this post trying to provide similar functionality.
* Most authentication in my experience provide authentication support by use of
the ‘wp_authenticate’ hook that is used called in wp-login.php. The xmlrpc server
login does not call the authenticate hook, but instead calls the wp_authenticate
function. Additionally, the login_pass_ok calls user_pass_ok, which then also
calls wp_authenticate.
* The wp_authenticate function is defined in pluggable.php, so you can write a
plugin that overrides the wp_authenticate function and calls the wp_authenticate
action and should provide authentication through xmlrpc and any other scripted
method that calls wp_authenticate.
Viewing 2 replies - 1 through 2 (of 2 total)
The topic ‘Custom XML-RPC authentication’ is closed to new replies.
## Tags
* [authentication](https://wordpress.org/support/topic-tag/authentication/)
* [SSO](https://wordpress.org/support/topic-tag/sso/)
* [XML-RPC](https://wordpress.org/support/topic-tag/xml-rpc/)
* In: [Hacks](https://wordpress.org/support/forum/plugins-and-hacks/hacks/)
* 2 replies
* 3 participants
* Last reply from: [slbmeh](https://wordpress.org/support/users/slbmeh/)
* Last activity: [14 years ago](https://wordpress.org/support/topic/custom-xml-rpc-authentication/#post-2475859)
* Status: not resolved
## Topics
### Topics with no replies
### Non-support topics
### Resolved topics
### Unresolved topics
### All topics