0

I have a Java Web App which contains users. On the other side, I have a wordpress installation.

I have a requirement that users from my java app should be also avaible in wordpress (in other words: I need to authorize in Wordpress users with credentials from my Java App).

Since I'm Java developer and have only very basic knowledge of Wordpress I was looking for some appropriate plugin. I did some research and found 2 things:

  1. I have found something called Keyring
  2. I've also spotted this Set up WP Authentication from External API SE Thread regarding authorizing ussers from externall sources

However, in both cases some php deveopment sould be done.

My question is, if there is any other way in Wordpress side to configure external user authentication but without developing anything? Or the way by using Keyring or/and writing own filter is the right one?

What's is important I want to keep this mechanism simple because it will be working only internally.

Improve this question

1 Answer 1

Reset to default
3

There are 2 built in methods, and options for extending the REST API. Note that you can't use these to create new authenticated sessions or register new users.

Using a 3rd party Service for Login

There are filters that allow you to intercept the login checking and the login form. These can be used to redirect the user on login to a 3rd party site. When the 3rd party has authenticated the user and logged them in, it redirects the user back to your WP site where you can then either create a new user based on their details, or create a login session. This "user" is entirely internal and not something the visitor would use to login.

This is how most login federation works even outside of WordPress, as well as how popular plugins for implementing login via services such as auth0, Facebook logins, Google, OpenID, etc are all implemented.

Without this, there would be no way to get user IDs for a logged in user, which would break most of WordPress.

Speaking to WordPress Via The REST API

You'll want to authenticate and communicate with the REST API, allowing easy JSON based communication with the WordPress site. This should simplify things, and provide data in a machine readable fashion that Java is happy to read and process. It'll also allow you to use common libraries to communicate with WordPress instead of building the API requests from scratch

Speaking to WordPress from Java via the REST API

Built In Authentication Methods for REST API

any other way in Wordpress side to configure external user authentication but without developing anything?

No. The only authentication WordPress provides out of the box is:

  • cookie + nonce based authentication, standard method out the box
  • Basic Auth with Application passwords, the simplest but least secure option

Keep in mind that you can't use these to start sessions, there is no way to login with the REST API out of the box or to register, so these need to be handled separately. Application passwords have to be preconfigured and cookie based auth requires you to login first via the browser.

Additional Plugin Based Authentication Methods

There are however plugin based solutions, specifically ones that rely on widely accepted standards that aren't unique to WordPress. These implement standardised authentication protocols such as:

  • Oauth1, you can use this with the REST API to authenticate from Java
  • Oauth2, like Oauth1 you could use this, I'd recommend this over OAuth1, assuming your site uses SSL/TLS/Https
  • SAML, you could authenticate with a SAML provider, and use that instead of WP to handle your accounts, and install a WP plugin to make WordPress use the SAML provider too. SAML is more popular with enterprise solutions and software, but more involved, with multiple types and schemes for implementing it
  • JWT, avoid if possible for security reasons, not just in WP, it's attractive but fundamentally flawed, I mention it for completeness
  • Raw Basic Auth, the simplest but least secure option
  • Rolling your own, you could implement a REST API endpoint or two to handle user login and registration, but this is a very bad idea. There's a reason people who figured this out wrote standards such as OAuth or SAML, think of it like rolling your own cryptography, unless you have a degree in the subject you'll build something insecure with bugs, not worth the hassle

Note that these protocols are not WordPress protocols, but general standards used across numerous pieces of software.

As an example, I have a CLI application that requires the user to be authenticated, using a WordPress site to store data/users/etc. In order to login the application uses OAuth1 to communicate with WordPress and exchange details.

For your Java application, you could communicate with WordPress via OAuth2 to authenticate your user, perhaps even show an inline dialog showing a login form to approve.

Misc

Or the way by using Keyring or/and writing own filter is the right one?

This isn't a single problem, if you pick a standard then you can break this apart into a pure WP problem, and a pure Java problem. You'll get 100x as many results for implementing OAuth2 client in Java than you would for logging into WP with Java. The same for logging into WP with OAuth2.

However, Java questions are not in this stacks scope ( try stack overflow ), neither are plugin recommendations ( there's a software recommendations stack ).

Improve this answer
5
  • Ok thanks for the answer - one note, that I have my users in Java App and I want the to login in WP (you answer suggested the opposite way) Commented Jan 24, 2020 at 15:00
  • On the contrary, users can login from the app, but the app can use a number of methods to authenticate with the WordPress installation. For example, I have a CLI tool that requires login, and it uses OAuth1 to do so, I know of other tools that use OAuth2 to login. If your goal is to allow users to register and login without ever even knowing WordPress is involved, that's something else, and not what you originally asked ( be careful that what you meant and what you said are the same thing ). If registration is needed, that can be handled as a related problem ( but not the same ) Commented Jan 24, 2020 at 16:10
  • Still i think i’m beeing missinderstood. I don’t want WP handle users, on contary. I want WP to ask my Java app for users and if possible - synchronize them, so if in my Java app i delete user then they won’t be able to login in WP. Commented Jan 25, 2020 at 22:02
  • you need a user table in WordPress. You can create and manage those users as if they were shadows of a user system elsewhere, that's not an issue, and it's quite widespread. E.g. a client I work with uses a 3rd party service for login, when users try to login we send them to that service for authentication and then they're redirected back. We then create a user for them in WP based on what that service gives us. We also have endpoints that the service can hit to tell us to log them out. Commented Dec 1, 2022 at 18:28
  • @PastorPL I've updated my answer, it might make more sense now, but I think there's been a fundamental misunderstanding at your end about how federated logins work and how sites let you login using a 3rd party or external service. Your WP install will have a user table with rows for each user that logged in via your external service, this is unavoidable. That does not mean users will have to use a WP login form or do WP user management. Commented Dec 1, 2022 at 18:34

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.