• Resolved mickepalm

    (@mickepalm)


    Hi there,

    I have some issues with Force Login and JWT. Force Login locked me out and the add_filter() doesn’t work. If I turn Force Login off, all is fine again. Any ideas here?

    /Regards, Micke

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author Kevin Vess

    (@kevinvess)

    Hi– thanks for using Force Login!

    Check out my response to an issue posted on GitHub:
    https://github.com/kevinvess/wp-force-login/issues/35#issuecomment-346231810

    I believe this issue needs to be addressed by the JWT Authentication plugin. That plugin does not pass its authentication result to the rest_authentication_errors filter, which core WordPress and Force Login use to check for authentication.

    An alternative option, if you don’t mind the REST API being publicly accessible, is to remove the v_forcelogin_rest_access filter:

    remove_filter( 'rest_authentication_errors', 'v_forcelogin_rest_access', 99 );
    
    Thread Starter mickepalm

    (@mickepalm)

    Hi Kevin,

    Yes, I have already tested all of this and none of it is working.

    I think you are right that the plugin does not pass its authentication, but when I debug I hit the v_forcelogin_rest_access filter, and if I comment out the WP_Error line all works.

    The result is null and is_user_logged_in is false because I need the token’s ID and at this moment I haven’t logged in.

    /Regards, Micke

    Plugin Author Kevin Vess

    (@kevinvess)

    That’s correct– when you debug, a WP_Error() is returned when the v_forcelogin_rest_access filter runs because Force Login did not detect an authenticated user at that point.

    However, the issue is caused by the JWT Authentication plugin not passing its authentication result to the rest_authentication_errors filter, which core WordPress and Force Login use to check for authentication.

    The JWT plugin would need to be updated to fix this issue, or you may remove the v_forcelogin_rest_access filter as stated above.

    I recommend you contact their support forum about fixing their plugin.

    Thanks, Good luck!

    Thread Starter mickepalm

    (@mickepalm)

    I agree there!

    They don’t have any updated version here but I will see if I can work around it instead.
    I tried to remove the filter without any luck, so I tried this variant instead and it seems to work perfectly.

    add_filter( 'rest_authentication_errors', '__return_true' );

    Thanks for the answers …

    @mickepalm Thank you! Adding add_filter( 'rest_authentication_errors', '__return_true' ); to the bottom of auth.php in my custom version of https://as.wordpress.org/plugins/jwt-authenticator/ helped me use that plugin and Force Login simultaneously.

    But I’m wondering if you or @kevinvess can help me understand: what did I just do by adding that line? Are there any downsides or risks?

    Thanks!

    Plugin Author Kevin Vess

    (@kevinvess)

    @rcwalsh by adding that filter to __return_true you’re allowing the WP REST API to always be publicly accessible.

    The only downside would be that your site content would be publicly accessible from the REST API without authentication.

    Also, check out this discussion on GitHub about this issue with the JWT Authentication plugin:

    https://github.com/kevinvess/wp-force-login/issues/35#issuecomment-346231810

    Thanks for your response, @kevinvess !

    Ideally I’d like not to expose the WP REST API, so I want to learn how to edit my custom JWT plugin to work appropriately.

    The first thing I’ll try is moving add_filter( 'rest_authentication_errors', '__return_true' ); to within the if statement that checks whether the JWT token was valid.

    But I also see your comment here, which is different: https://github.com/kevinvess/wp-force-login/issues/35#issuecomment-346185653

    Maybe you’re saying that removing the filter in that same if would have the same effect as __return_true?

    If you could point me in the right direction, I’d appreciate it.

    Thanks for all of your amazing and generous work.

    Plugin Author Kevin Vess

    (@kevinvess)

    @rcwalsh

    Unfortunately, this is an issue with the JWT Authentication plugin. It does not pass its authentication result to the rest_authentication_errors filter which would be consistent with core handling.

    You’ll need to coordinate with JWT Authentication to fix this issue.

    The best advice or direction I can give on this issue has already been said; you need to have JWT pass its authentication result to the rest_authentication_errors filter.

    Instead of always passing __return_true to the rest_authentication_errors filter, you could write your own function that hooks into that filter to pass the JWT Authentication result.

    If you do find a solution to this, please share it here in case it’s helpful to others.

    Thanks, good luck!
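
Added example, not part of the thread and not code from Force Login or any JWT plugin: one way to write the function suggested above, so that the token's verification result reaches rest_authentication_errors instead of __return_true opening the REST API to everyone. It assumes HS256 tokens, a `sub` claim holding the WordPress user ID, and a secret in a hypothetical MY_JWT_SECRET constant; all my_* names are hypothetical.

```php
<?php
// Added example; my_* names and MY_JWT_SECRET are hypothetical.
function my_jwt_b64url_decode( $seg ) {
	$seg .= str_repeat( '=', ( 4 - strlen( $seg ) % 4 ) % 4 );
	return base64_decode( strtr( $seg, '-_', '+/' ), true );
}

// Returns the claims of a valid, unexpired HS256 token, otherwise null.
function my_jwt_verify( $token, $secret ) {
	$parts = explode( '.', $token );
	if ( 3 !== count( $parts ) ) {
		return null;
	}
	list( $h64, $p64, $s64 ) = $parts;
	$header = json_decode( (string) my_jwt_b64url_decode( $h64 ), true );
	// Pin the algorithm; never let the token pick "none" or another alg.
	if ( ! is_array( $header ) || 'HS256' !== ( $header['alg'] ?? '' ) ) {
		return null;
	}
	$expected = hash_hmac( 'sha256', "$h64.$p64", $secret, true );
	$given    = my_jwt_b64url_decode( $s64 );
	if ( false === $given || ! hash_equals( $expected, $given ) ) {
		return null;
	}
	$claims = json_decode( (string) my_jwt_b64url_decode( $p64 ), true );
	$exp    = is_array( $claims ) ? (int) ( $claims['exp'] ?? 0 ) : 0;
	return time() < $exp ? $claims : null;
}

// Reports the JWT result through rest_authentication_errors.
function my_jwt_rest_auth( $result ) {
	if ( null !== $result ) {
		return $result; // another handler already decided
	}
	$auth = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
	if ( ! preg_match( '/^Bearer\s+(\S+)$/i', $auth, $m ) ) {
		return $result; // no token: stays null, so Force Login still blocks
	}
	$claims = my_jwt_verify( $m[1], MY_JWT_SECRET );
	$user   = $claims ? get_user_by( 'id', (int) ( $claims['sub'] ?? 0 ) ) : false;
	if ( ! $user ) {
		return new WP_Error( 'my_jwt_invalid', 'Invalid or expired token.', array( 'status' => 401 ) );
	}
	wp_set_current_user( $user->ID );
	return true;
}
// Priority 10 runs before Force Login's check, registered at 99 in the thread.
add_filter( 'rest_authentication_errors', 'my_jwt_rest_auth', 10 );
```

The request that issues a token carries no Bearer header, so it is still blocked by Force Login and needs its own narrowly scoped allowance; this sketch does not cover that endpoint.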

    @kevinvess I’m not using https://wordpress.org/plugins/jwt-authentication-for-wp-rest-api/

    I’m using something custom that I slapped together inspired by https://as.wordpress.org/plugins/jwt-authenticator/, which is (I think) a different thing. My assumption is that it shares the same inadequacy (ie. that “It does not pass its authentication result to the rest_authentication_errors filter which would be consistent with core handling.”). But that plugin hasn’t been actively developed for a long time, and so there is no support, so my new plugin inspired by it relies just on me and whatever I can figure out.

    And I’m completely inexperienced with coding WordPress plugins but am excited that I’ve gotten this far.

    Thanks for your advice. I’ll study what you’ve written here and plan to share whatever I figure out.

    I was driving myself crazy trying to figure this out. I never could figure out the ‘priority’ parameter with how WordPress loads plugins in whatever order.

    So I deleted the Force Login plugin (so that it was no longer installed in the typical/official way) but then added it as a single file within my JWT plugin’s folder and then added require_once('wp-force-login.php'); to the bottom of that custom JWT plugin.

    Then in wp-force-login.php, I edited v_forcelogin_rest_access to look at $_SERVER['REQUEST_URI'] and allow JWT requests.

  • The topic ‘JWT Authentication’ is closed to new replies.