Create API for single sign-on with 3rd party site

Cross-site Scripting Issues

You cannot transfer WP auth cookies between domains. You also don’t want to store plaintext passwords for logging into another WP installation programmatically. So, you’ll have to have users log into WordPress, and then access their login status via an API endpoint from the third-party site. This lets WordPress handle all the authentication. It is pretty secure as a user will have to physically login to the WP side in order for the API endpoint to serve up the data to the third-party.

Create an API Endpoint

Check out this article I just wrote here: http://coderrr.com/create-an-api-endpoint-in-wordpress/

Also, you can see the code demonstration here: https://gist.github.com/2982319

You’ll have to figure out the logic for your own app needs, but this will allow you to create an endpoint where you can serve up anything you want from the WordPress side.

Since you’re using WordPress as the authentication site, you can use a check like is_user_logged_in(). If they are logged in, return a user object to the third party with whatever information they need.

Logging in From The Third-Party

From the third-party, they can link to your login page for a seamless experience using the redirect_to query var. Once logged in, it will pass them back to the third-party site.

http://sub.yourdomain.com/wp-login.php?redirect_to=http%3A%2F%2Fwww.third-party-domain.com

Remote Logins

If you need to login users to WordPress from a third-party site, you can use some simple WP functions listed on this site: http://kuttler.eu/code/log-in-a-wordpress-user-programmatically/

You’ll definitely need to use a shared secret and create time based hashes off that secret to keep things secure. Basically, here’s what it would look like:

Third party sends request with a timestamp and a token generated by a shared secret:

$shared_secret="foobar"; //do not send this to the API endpoint
$timestamp = time();
$token = md5($shared_secret.$time_stamp);

WordPress Installation receives the request:

$shared_secret="foobar";
$timestamp = esc_attr($_GET['timestamp']);

if((time() - $timestamp) > 30) # Threshold is 30 seconds
    //do something here - TOKEN expired!

$token = md5($share_secret.$timestamp);
$token_to_check = esc_attr($_GET);

if($token == $token_to_check)
    //authenticated!

Related Posts:

  1. What is an Endpoint?
  2. Set up WP Authentication from External API
  3. how to authenticate for the REST API from a plugin and from command line
  4. How do I use the WP REST API plugin and the OAuth Server plugin to allow for registration and login?
  5. Authentication/API Questions
  6. Friendica integration using wordpress authentication
  7. Authentication for a mobile app connected via wp-rest api?
  8. Calling an API to do authentication / user login
  9. Add basic authentication of WordPress on any external PHP file?
  10. Set up WP Authentication from External API
  11. Working Around rest_forbidden_context
  12. Instructure Canvas API with WordPress [closed]
  13. Yahoo! Finance CSV file will not return Dow Jones (^DJI)
  14. Is there a developers api for craigslist.org
  15. How do you get the API key for Locu?
  16. New WP_Customize API – how does it work under the hood?
  17. Access WordPress API Outside of WordPress (command-line PHP)
  18. JWT authentication with WP – Approach
  19. Adding extra authentication field in login page
  20. WP REST API only returning partial list of users
  21. Using filters and actions for plugin API?
  22. WP set auth cookie using Ajax is not saved to browser
  23. Using JWT to authenticate a user with an external system?
  24. Should I store external API data in my WP database or keep it as a transient?
  25. How to get the attached gallery in the rest API?
  26. WP API : date_query parameter
  27. WordPress.org Support Forum API
  28. Connect external web app to wordpress
  29. How to get all posts (in chunks) via XML-RPC?
  30. How to add a custom parameter to a WP API default route?
  31. Get more than 10 posts in a specific category with the wordpress api
  32. curl POST work with user meta but not the custom user meta
  33. What’s the most minimal way in which a page can be hooked into WP?
  34. how to get nonce using json api
  35. What is the official way to consume the WordPress API? (api.wordpress.org)
  36. How to Hit External REST POST API in WordPress? [closed]
  37. API getting null values with wp_remote_post
  38. I am trying to use the Theme Customization API but I keep getting an error
  39. Create Session with JWT
  40. Extending WordPress REST API
  41. Headless WordPress – Issue with plugin path
  42. node-wpapi: how to handle authentication?
  43. Post body not working with wp_remote_post()
  44. Possible to use wordpress as publishing platform but programmatically inject content?
  45. How to avoid loading wp-load.php from external php scripts?
  46. are there any initiatives to work wordpress as microservices?
  47. Sanitize Disqus API results?
  48. I want to retrieve all posts of a blog without username & password
  49. Include default functions and methods
  50. Best Practice for re-using API Data in WordPress?
  51. WordPress Google Calendar Oath 404
  52. WordPress as GraphQL client
  53. Get non-rendered content from WP-API
  54. How to save post with different languages and linked them with WPML?
  55. Store regex expression in WordPress DB using Options API
  56. cURL to install theme
  57. Set Title from Custom Template
  58. body_class REST field in WP-API
  59. Authenticating a user with the WP-API V2 in Postman
  60. Submit comment via JSON from Android device
  61. WP List Table in custom post type
  62. Easiest way to call an External rest API?
  63. How to send messages when a customer is registered
  64. How to set a cookie for logged in users to md5($user->ID . “my_secret”)?
  65. Save external API calls in WordPress
  66. Custom API plugin to execute 3rd party API to retrieve data
  67. Customizer JS API get value of customizer field
  68. How to add an endpoint for my custom post type? /wp-json/wp/v2/posts is working but it didn’t in the custom post
  69. Adding tags when creating new post
  70. JSON API and notification about registration
  71. Where to put API Code?
  72. Implement External API into WordPress [closed]
  73. Integrate WooCommerce to PromoSoftware Rest API
  74. term_exists returns NULL
  75. Consuming an external API to publish/post to wordpress
  76. WordPress API Create post content
  77. Custom Endpoint – Does it possible to use PUT method with WP API Rest?
  78. Solution for processing lots of data with CRON/API, dealing with memory/timeout issues
  79. WordPress API causing fatal error
  80. woocommerce api echo out response
  81. Limit the number of external API calls per second
  82. WordPress Theme/Plugin Information API Response to Text and Button
  83. Composer Installed Package with WordPress Rest API Endpoint
  84. Is there a way to get Google My Business photos on WordPress with the API or other?
  85. How to use following API with WordPress?
  86. rest_cannot_create_user
  87. Implementing URL JSON API Data into Website
  88. How to use filters/params in wordpress as headless cms api
  89. How do I filter Child Posts by Parent Post ID for Custom Post types in WordPress REST API response?
  90. Rest WP_Error always return null
  91. Using the JSON API via HTTPS and HTTP
  92. Posting data from Ionic app to WordPress
  93. WordPress REST API Endpoint (Authors and Categories latest posts)
  94. Stop Vimeo video with javascript – inside a loop and using a modal window
  95. REST API And Error Codes – No Message
  96. Get full page HTML for a non-public WordPress page
  97. Handle POST request sent from an external site for login?
  98. Send Order Confirmation automatically to customer’s mobile number
  99. XMLRPC: How to retrieve possible custom fields for a new post?
  100. display posts, pages and custom post types from another wordpress site

Leave a Comment