Sharing user and password with another application

Hi,

I am not “pro” in this area, but one solution is to send user credentials from wp site to your external application. Not sure if current WP REST API, but I think its for that 🙂
Anyway you can always use tool like Zapier what can copy any data from MySQL and save them to another database.

I don’t know how the two systems talk or your level of expertise with WordPress, but this is absolutely possible. One way would be to have your users log in (perhaps through a custom login interface) on your WordPress site. Upon login, start a session and set a session variable marking them as authenticated, and redirect them to your application.

Then in your application, check for that session variable/authentication. If authenticated, proceed. If not, redirect them to the login screen.

We’ve done this a ton – let WordPress handle the authentication, password hashing, password recovery, etc.

If your application is on a different server, then you can’t use sessions but we’ve tackled this before too. So here are two scenarios based on the different use case:

SCENARIO 1: WordPress and Application on Same Server
Here you could use sessions for authentication with a few functions. This assumes you’re having them log in via WordPress:

// Start a PHP session
session_start();

// Set a session variable when the user logs in via WordPress
function my_set_session(){
    $_SESSION[ 'authenticated' ] = 1;
    wp_redirect( 'https://www.myapplication.com' );
    exit();
}
add_action( 'wp_login', 'my_set_session' );

// In your application...
session_start();
if( 1 !== $_SESSION[ 'authenticated' ] ){
  // User is not authenticated. Redirect to WordPress
  header( 'Location: https://www.mysite.com/wp-login.php' );
  exit();
}

SCENARIO 2: WordPress and Application on different servers
In this case, we’d create a user table on the Application with 2 unique hashes – authentication tokens or unique IDs, if you will. In WordPress, we associate those hashes with the user via add_user_meta.

// Sessions aren't needed on the WordPress side now
// because you're sending them to another server.

// Get the user's authentication token in WordPress
function my_set_session(){
    $user_id = get_current_user_id();
    $token = get_user_meta( $user_id, 'my_token', true );
    $app_user_id = get_user_meta( $user_id, 'my_app_user_id', true );
    wp_redirect( 'https://www.myapplication.com/check_login.php?token=' . $token . '&id=' . $app_user_id );
    exit();
}
add_action( 'wp_login', 'my_get_tokens' );

// In your application...
// I'd still start a session to keep checking the user's authentication
session_start();
if( $_GET[ 'token' ] && $_GET[ 'id' ] ){
  $wp_token = $_GET[ 'token' ];
  $user_id = $_GET[ 'id' ];

  // Sanitize the $wp_token and $user_id, and then check those against
  // the values in your database. If they match, you've got an
  // authenticated user and you can set an authenticated session
  // variable. Otherwise, redirect them to log in.
}

I prefer the double token/id combination because it makes two values that a hacker would have to guess, just like a username/password combination.

With a little creativity, you could harden this up even more but hopefully this sends you down the right path. Let me know!

I write plugins that bridge WordPress to external applications, so I’m very familiar with this task. (I made one such bridge public, and it can be found in the plugin directory.)

In short, you aren’t going to solve this task with a WordPress-only solution. And messing around with sessions/cookies will not work if the two applications are on different domains — and it also opens the door to CSRF and XSS attacks. The only solution guaranteed to work is to “sync” the user tables of the two applications.

How is user information stored/used in your external application? Specifically, what is the hashing algorithm it uses for passwords, and what are the restrictions it places on usernames? If your external application uses PHPass for password hashing, this will be a fairly easy task. If it uses a different mechanism, then each application must be able to generate the other application’s password hashes. This is more difficult but straightforward. It’s a matter of taking the hashing code from one application, adding it to the other application, and changing authentication to test passwords against both hashing types.

You must also handle the issue of passing along a username that already exists in the other database. If the username is a duplicate, at best you will get an SQL error on the insert, but at worst you risk corrupting the database.

I hope this helps!

I know that I’m late to the party, but this sounds to me like what we used to call SSO 15 years ago: Single Sign-On. My bank still uses it. The concept is to have a separate authentication server that you login to, and it, in turn, logs into all the other systems, be they WordPress or otherwise. I had a user of one of my plugins want to use SSO, and I did a little research two years ago.

At that time, Auth0 looked like the most promising solution: https://auth0.com/

Yes, there is a WordPress plugin for Auth0: https://wordpress.org/plugins/auth0/

I also looked at Open Source SSO solutions (i.e. – running my own authentication server) but I didn’t have Root level access to a Linux web server at that time, so couldn’t fully explore that approach.

no