Hi,
I have implemented a plugin that replaces the built-in authentication with checking authentication from another application I have.
I followed instructions from http://ben.lobaugh.net/blog/7175/wordpress-replace-built-in-user-authentication and basically the code I have is:
    // Register the custom check once WordPress has loaded.
    add_action( 'init', 'my_auth_init' );
    function my_auth_init() {
        add_filter( 'authenticate', 'my_authentication', 10, 3 );
    }

    // 'authenticate' filter callback: return a WP_User to accept the login,
    // or a WP_Error to reject it.
    function my_authentication( $user, $username, $password ) {
        /* Retrieve correct user ID */
        $user = new WP_User( $ID );
        if ( $user->ID == 0 ) {
            $user = new WP_Error( 'denied', __( "<strong>ERROR</strong>: Not a valid user for this system" ) );
        }
        return $user;
    }
I got it to work with 3.8, so that the user did not see the login screen at all, when logged into the other system. But after upgrading to 4.0 it seems to force showing the login screen.
I've tried debugging this, and it seems to me that the function auth_redirect in wp-includes/pluggable.php sets the reauth parameter true when redirecting to wp-login.php. And wp-login.php gets the user my custom authentication returns in row 766:
    $user = wp_signon( '', $secure_cookie );
But after that, where I would expect it to redirect back to the page the user requested, it checks both the user and $reauth in row 791:
    if ( !is_wp_error($user) && !$reauth ) {
and since reauth is set to true, it will not redirect, and instead shows the login form.
Am I missing something here? Is there some filter I should set to disable the reauth, or to set the cookies before the redirection completely? Or does the user necessarily go to the login page?
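
One possible way to set the cookies before auth_redirect runs, shown as an added example that is not part of the original post. It assumes a hypothetical helper my_external_session_login() that returns the login name from a session the other application has verified server-side; the my_sso query argument and the function names are also made up for illustration.

```php
<?php
// Hypothetical helper: return the login name of the user whose session the
// other application has verified server-side, or null when there is none.
// Never derive this from a value the browser can set freely (a plain header
// or an unsigned cookie), or anyone can pick the account they get.
function my_external_session_login() {
    return null; // placeholder for the real server-side session check
}

// Run early on 'init', which fires before wp-admin calls auth_redirect().
add_action( 'init', 'my_sso_establish_session', 1 );
function my_sso_establish_session() {
    // Nothing to do when WordPress already has a session. Skip non-GET
    // requests so a form post is never lost to the redirect below.
    if ( is_user_logged_in() || 'GET' !== $_SERVER['REQUEST_METHOD'] ) {
        return;
    }
    // Loop guard: if the browser did not keep the cookie, do not redirect
    // again; the normal login form is shown instead.
    if ( isset( $_GET['my_sso'] ) ) {
        return;
    }
    $login = my_external_session_login();
    if ( ! is_string( $login ) || '' === $login ) {
        return;
    }
    // Map the external identity to an existing WordPress account only.
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        return;
    }
    // Issue WordPress's own auth cookies for that account.
    wp_set_auth_cookie( $user->ID );
    // The new cookies are only sent back by the browser on the next request,
    // so reload the same URL; auth_redirect() then validates the cookie
    // instead of redirecting to wp-login.php with reauth=1.
    wp_safe_redirect( add_query_arg( 'my_sso', '1', $_SERVER['REQUEST_URI'] ) );
    exit;
}
```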