Walls off a Wordpress Site so that only users authenticated to an external site may access it.
This plugin will interact with an external application to verify that a user is authenticated before allowing access to the page.
Drop this directory into your plugins folder and activate it. Go to the settings page and configure all of the options. If any of the options are not set or are invalid, the plugin will not run.
This plugin requires that the external application respond to two different requests:

- A redirector. Requests made to this endpoint will verify that the user is authenticated. If not, it should redirect to a sign-in page. Once the user is authenticated, it should generate a valid JSON Web Token (JWT) with `iss` and `sub` keys. Then it should redirect back to the Wordpress site with the token included as a GET variable (http://wordpresssite.com?token=). Because the token travels in the URL, it can end up in server logs, browser history and Referer headers, so it should be short-lived (carry an `exp` claim) and not reusable once the session cookie has been set.
- A session verifier. Requests made to this endpoint will expect a GET variable named `token` containing a JWT (the same token generated by the redirector). It should verify the token's signature, decode it and check its `sub` key. If the sub value corresponds to a valid user, it should return a JSON string containing `logged_in: true` along with any information you want to share about the user (first name, last name, email, etc.). If the sub value doesn't correspond to a valid user, or the token fails verification, it should return a JSON string containing `logged_in: false`.
- The domain of the external site. Exclude the protocol and any trailing slashes. Ex. `example.com`
- The path on the external site to redirect unauthenticated users to. The page at that path should authenticate the user and redirect them back to this site. Include the opening slash. Ex. `/external-auth`
- The path on the external site to query to retrieve information on the authenticated user. The page at that path should receive a JWT and return JSON containing the user's information. Ex. `/api/session`
- The key to use to verify the signature of JWT session tokens sent by the external site (JWTs are signed, not encrypted, so a token whose signature does not verify must be rejected). Get this from the administrator of the external site.
- The expected issuer of the external site's token. As an extra layer of security, after verifying the token from the external site, the plugin checks that its `iss` key matches the value given here. Get this from the administrator of the external site. In most cases, it will be the same as the value of the External Site Domain setting. Ex. `example.com`
- The prefix to use when creating cookies. Best practice would be to begin and end with an underscore. Ex. `_sitename_ext_auth_`
- The duration (in seconds) that a user's session should last before re-authenticating with the external application. A value of 0 will cause the session to last until the browser is closed (default). Ex. `10800` (3 hours)
- Check this option if requests made to the external site should use https instead of http. Leave it checked unless the external site cannot serve TLS: the session verifier request carries the token, and the response carries user data.
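The following is an added example and not code from this plugin or from any particular external application. It models, in plain Python with no web framework, the two endpoints described above (the redirector that mints a JWT with `iss` and `sub` and redirects back with `?token=`, and the session verifier that checks the token and answers with `logged_in`) together with the issuer check the settings section describes. The domain `example.com`, the shared secret, the `/sign-in` path, the user table, the `user_*` field names and the five-minute token lifetime are all constructed for the example; a real external application would do the same work with its own framework and user database. The example goes slightly beyond the page in that it also pins the JWT algorithm and enforces `exp`, which any verifier of a token received over a URL should do.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed configuration for the example; a real deployment takes these from
# the external site's own settings and shares SECRET and ISSUER with the plugin.
ISSUER = "example.com"                      # value the plugin's issuer setting must match
SECRET = b"shared-secret-from-the-external-site-admin"
WORDPRESS_SITE = "http://wordpresssite.com"
SIGN_IN_PATH = "/sign-in"                   # hypothetical sign-in page on the external site
TOKEN_LIFETIME = 300                        # seconds; short, because the token travels in a URL

# Constructed user store standing in for the external application's database.
USERS = {
    "alice": {"user_first_name": "Alice", "user_last_name": "Example",
              "user_email": "alice@example.com"},
}


def b64url_encode(data: bytes) -> str:
    """JWT base64url: URL-safe alphabet with the padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_token(sub: str, now: Optional[int] = None) -> str:
    """Redirector side: mint an HS256 JWT carrying iss and sub (plus iat/exp)."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(
        {"iss": ISSUER, "sub": sub, "iat": now, "exp": now + TOKEN_LIFETIME}).encode())
    signature = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if alg, signature, iss and exp all check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except ValueError:          # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: the sender controls the header, so "alg" in the token
    # must never select how it is verified (alg=none, HS/RS confusion).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if claims.get("iss") != ISSUER or not isinstance(claims.get("sub"), str):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def redirector(authenticated_user: Optional[str]) -> str:
    """Location header the redirector endpoint sends for the given login state."""
    if authenticated_user is None:
        return f"https://{ISSUER}{SIGN_IN_PATH}"
    return f"{WORDPRESS_SITE}?token={create_token(authenticated_user)}"


def session_verifier(token: str) -> dict:
    """JSON body the session verifier endpoint returns for ?token=<jwt>."""
    claims = verify_token(token)
    user = USERS.get(claims["sub"]) if claims else None
    if user is None:
        return {"logged_in": False}
    return {"logged_in": True, **user}


if __name__ == "__main__":
    print(redirector(None))
    location = redirector("alice")
    print(json.dumps(session_verifier(location.split("token=", 1)[1])))
```

Everything the session verifier returns alongside `logged_in` (here `user_first_name`, `user_last_name`, `user_email`) becomes a key the plugin's `current_user()` function can be asked for, so choose those field names with the WordPress theme code in mind.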
If the options are set correctly and the external site is configured correctly, the plugin will take care of the rest.
The plugin provides a function that can be used to access information about the currently authenticated user from your site's code:

```php
echo \LR_External_Authentication\current_user('user_first_name');
```

The keys you can pass to the function are whatever the external site's session endpoint returns alongside `logged_in`, so check that endpoint's JSON before relying on a key in theme or plugin code.
- First public release.