The code simply returns a JSON encoded array. This array contains a ‘result’ element, which is a boolean, holding whether the user is valid or not. This service only support one user with the following credentials:
Now let’s go through some of this code:
The remove_action line is of particular importance. If that line exists WordPress will only authenticate based on the external service. If that line were to be commented out WordPress would fall back on the local user table for authentication if external authentication fails.
WordPress contains several additional hooks that may be important to know about in your situation:
In this demo we checked to see if a user exists in WordPress based on the email supplied by the authentication provider, but what happens if that user were to change their email address on the provider’s side? Suddenly they would lose all their information stored in the WordPress site, which could include access to all posts and settings. Make sure that whatever method you chose makes sense for your audience and usage patterns. Bad things happen when users think their data has been lost…