Created December 1, 2018 03:02
Login to WordPress web with JWT
```php
<?php
/*
JWT TOKEN LOGIN -- Automatically logs a user in a WordPress site with JWT

This script allows you to log a user into a WordPress site automatically
based on his/her JSON Web Token (JWT). This assumes that you use the
following plugin and set it up properly on your WordPress site to enable
JWT authentication via REST API.

JWT Authentication for WP REST API
https://wordpress.org/plugins/jwt-authentication-for-wp-rest-api/

This file is to be placed alongside your WordPress' index.php

Example use case :
You have an external system that uses the WordPress user database for login.
Login is done on that external system via WordPress REST API and using the
above mentioned plugin, where you will get a token. If you want to send the
user to the main WordPress site and have him/her automatically logged in,
you can send him/her to token-login.php?jwt=<token>, where <token> is the
token string from previous REST API authentication.
*/

require('wp-blog-header.php');
require('wp-content/plugins/jwt-authentication-for-wp-rest-api/includes/vendor/autoload.php');

use \Firebase\JWT\JWT;

// No token supplied: send the visitor to the normal login form. The exit after
// header() matters, otherwise the script keeps running with an undefined $_GET['jwt'].
if (!isset($_GET['jwt'])) {
    header('Location: /wp-login.php');
    exit;
}

$token = decode_token($_GET['jwt']);
// Only trust the user id once the token has been verified, and make sure the user still exists.
$user  = ($token !== false) ? get_userdata($token->data->user->id) : false;

if ($user) {
    $user_id    = $user->ID;
    $user_login = $user->user_login;

    // Establish the WordPress session the same way wp_signon() does.
    wp_set_current_user($user_id);
    wp_set_auth_cookie($user_id);
    do_action('wp_login', $user_login, $user);

    // redirects to home
    header('Location: ' . home_url());
    exit;
} else {
    // Invalid, expired or mis-issued token (or unknown user): clear any session and bounce to logout.
    // wp_logout_url() returns an HTML-escaped URL, so turn &amp; back into & before using it in a header.
    $logout = str_replace('&amp;', '&', wp_logout_url(home_url()));
    header('Location: ' . $logout);
    exit;
}

function decode_token($token) {
    // Same secret the plugin signs with (JWT_AUTH_SECRET_KEY in wp-config.php).
    $secret_key = defined('JWT_AUTH_SECRET_KEY') ? JWT_AUTH_SECRET_KEY : false;
    if (!$secret_key) {
        return false;
    }

    /** Try to decode the token. JWT::decode verifies the HS256 signature and the exp/nbf claims. */
    try {
        $token = JWT::decode($token, $secret_key, array('HS256'));

        /** The token is decoded, now validate the iss claim against this site's URL */
        if ($token->iss != get_bloginfo('url')) {
            return false;
        }

        /** So far so good, validate that the token carries a user id */
        if (!isset($token->data->user->id)) {
            return false;
        }

        /** Everything looks good, return the decoded token */
        return $token;
    } catch (Exception $e) {
        return false;
    }
}
```
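The gist delegates signature, exp and nbf checking to firebase/php-jwt and then adds its own iss and data.user.id checks. The stand-alone Python below is an added example, not part of the gist and not WordPress or firebase/php-jwt code; it re-implements that same sequence of checks over self-signed HS256 tokens so you can see which inputs decode_token() accepts and which it rejects, including a tampered signature, an expired token, an `alg: none` header, and an issuer that differs only by a `www.` prefix (the iss comparison is an exact string match, which is where a www/no-www mismatch like the one discussed in the comments would surface). `SECRET` and `SITE` are constructed values standing in for `JWT_AUTH_SECRET_KEY` and `get_bloginfo('url')`.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: dict, secret: str) -> str:
    """Build an HS256 JWT; used here only to construct sample tokens."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_token(token: str, secret: str, site_url: str, now=None):
    """Mirror of the gist's decode_token(): return the claims dict, or False.

    Order of checks: three segments, header alg pinned to HS256 (so a
    header claiming 'none' or any other algorithm is rejected before any
    signature work), HMAC-SHA256 signature with constant-time comparison,
    nbf/exp time claims (what firebase/php-jwt enforces), exact-string
    iss match with the site URL, and presence of data.user.id.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad segment count, bad base64, bad JSON, bad UTF-8
        return False
    if not isinstance(claims, dict):
        return False

    # php-jwt semantics: not yet valid if nbf is in the future, expired once now >= exp.
    if "nbf" in claims and claims["nbf"] > now:
        return False
    if "exp" in claims and claims["exp"] <= now:
        return False
    # The gist compares iss with != against get_bloginfo('url'):
    # "https://www.example.com" does not match "https://example.com".
    if claims.get("iss") != site_url:
        return False
    data = claims.get("data")
    user = data.get("user") if isinstance(data, dict) else None
    if not isinstance(user, dict) or user.get("id") is None:
        return False
    return claims


if __name__ == "__main__":
    SECRET = "constructed-demo-secret"  # stands in for JWT_AUTH_SECRET_KEY
    SITE = "https://example.com"         # stands in for get_bloginfo('url')
    good = make_hs256_token(
        {"iss": SITE, "iat": 1600000000, "exp": 1600000600, "data": {"user": {"id": 42}}},
        SECRET,
    )
    print("valid:      ", decode_token(good, SECRET, SITE, now=1600000100))
    print("expired:    ", decode_token(good, SECRET, SITE, now=1600000600))
    print("wrong key:  ", decode_token(good, "other-secret", SITE, now=1600000100))
    print("www issuer: ", decode_token(good, SECRET, "https://www.example.com", now=1600000100))
```

Every rejection returns plain `False` rather than a reason, matching the gist, which sends all failures to the logout URL; when debugging a deployment like the one in the comments, logging which branch rejected the token (before returning) is usually the quickest way to tell a cookie problem from a claim problem.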
kidino (Author) commented Jun 28, 2021 via email
Are you sure it is the same domain name between the wordpress
installation the /token-login.php?jwt= ...? Sometimes the difference is in
www and no-www.

On Mon, Jun 28, 2021 at 9:56 PM Blaine M Lawson wrote:

> Hey,
>
> Thank you so much for your response. So I believe I may have successfully
> implemented your code, the auth token is decoded. It just appears that the
> cookies aren't getting sent/received as expected. Oddly, I receive them
> when attempting the API call via Insomnia, but not when I use the
> /token-login.php?jwt=.... from Chrome. What do you think?
>
> On Fri, Jun 25, 2021 at 8:20 PM Iszuddin Ismail wrote:
>
> > I haven't tested this recently. But seeing that the plugin that you need
> > to use still works, this snippet should probably still work. Let me know if
> > you need help with your setup.

--
Regards,
Iszuddin Ismail
It has taken me a while, since I tried to make this work by reading cookies
established from another domain (for security). I couldn't get that to
work, so I'm using your file exactly as you prescribed.
I think it's cool that you've been so responsive and willing to help. Thank
you.
On Mon, Jun 28, 2021 at 10:34 AM Iszuddin Ismail wrote:

> Are you sure it is the same domain name between the wordpress
> installation the /token-login.php?jwt= ...? Sometimes the difference is in
> www and no-www.
It does not work anymore, see my updated fork of this gist.