Yesterday I was hacking a bit with the Windows Live ID SDK and I wrote a very small and simple plugin for WordPress that enables you to log in to WordPress with your passport Live ID.
I had read in various places that such a plugin would be welcome… I looked around and found none yet (if anyone has instead already written something like this and I missed it I will happily waste the simple stuff I did for something more advanced/well written… just let me know :-)).
I took a look at a similar experiment, and eventually even found that there is a conceptually similar plugin written to work with OpenID. The WordPress OpenID plugin is much more complex and much more advanced than what I did, though. It will let you log in with just ANY OpenID user, it will automatically create a user for you on that WordPress installation and associate it with your ID, even just for the purpose of commenting, etc.
But on my blog I don't require or need people to actually log in to do anything. I actually like anonymous/free comments. A CAPTCHA takes care of spammers and I am fine with it so far. Probably for a big site with a lot of users it might make sense, but for my blog so far it doesn't.
But there's one thing for which this is useful: I have always been worried, when logging in over HTTP (thus, without SSL) to my blog from networks I don't manage or completely trust, that my password could be sniffed over the wire and stolen. Live ID solves my problem by letting Microsoft validate my identity: I have associated my Live ID with the blog's main user account (myself), the one writing this post. So the plugin in its current form is used as a replacement for the login form (the standard wp-login.php WordPress form CAN still be used if you like, of course; you just don't HAVE to. Also, the use of xmlrpc will still require the local user/pwd combination).
Anyway, this new form will authenticate you through Live ID and then check if your Live ID is associated with any local user. If it is, it will log you on to WordPress with that account. Otherwise it will inform you that you are successfully logged on to passport Live, but unfortunately there is no corresponding local account for you, and that it would need to be set up. Setting it up is as difficult as adding a line to the database… probably adding a form or a property page would be nice, but in my case I just did it with a query:
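-- Table name as given in the post; with the default WordPress prefix it is wp_usermeta.
INSERT INTO `wordpress`.`wp-usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`)
VALUES (NULL, '1', 'LiveID', 'f11fa1d3e82c68776f94a3a5c459b70b');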
which adds an extra "property" for the first user (admin) called 'LiveID' which contains your Live ID (the one above is not my real one, in case you were wondering). When you are authenticated by LiveID and you get back this value, the plugin checks in this table which WordPress userid in the database has been associated with this Live ID and – if it finds one – it authenticates you as that user. Of course you should not have duplicates.
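The lookup just described, modelled as an added example (not the plugin's own code): Python with an in-memory SQLite table standing in for the usermeta table. The function names and the extra sample rows are constructed for illustration, and `live_id` is assumed to be the identifier returned after the Live ID response has been validated. The login is refused when the Live ID maps to zero or to more than one local user, and an audit query lists duplicates.

```python
import sqlite3

POST_LIVE_ID = "f11fa1d3e82c68776f94a3a5c459b70b"   # sample value from the post
DUP_LIVE_ID = "00000000000000000000000000000002"    # constructed


def build_sample_db():
    """Constructed stand-in for the usermeta table (WordPress column names)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE usermeta (umeta_id INTEGER PRIMARY KEY, "
        "user_id INTEGER, meta_key TEXT, meta_value TEXT)"
    )
    rows = [
        (1, "LiveID", POST_LIVE_ID),    # admin bound to one Live ID
        (2, "LiveID", DUP_LIVE_ID),     # two users sharing one Live ID:
        (3, "LiveID", DUP_LIVE_ID),     # the duplicate case the post warns about
        (4, "nickname", POST_LIVE_ID),  # same value under another key: must not match
    ]
    db.executemany(
        "INSERT INTO usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
        rows,
    )
    return db


def resolve_local_user(db, live_id):
    """Return the one local user id bound to live_id, or None (fail closed)."""
    if not isinstance(live_id, str) or not live_id:
        return None
    # Parameterized query: the identifier is never concatenated into the SQL.
    rows = db.execute(
        "SELECT DISTINCT user_id FROM usermeta "
        "WHERE meta_key = 'LiveID' AND meta_value = ?",
        (live_id,),
    ).fetchall()
    if len(rows) != 1:   # no mapping, or an ambiguous one: do not log in
        return None
    return rows[0][0]


def duplicate_live_ids(db):
    """Audit query: Live IDs associated with more than one local user."""
    cur = db.execute(
        "SELECT meta_value FROM usermeta WHERE meta_key = 'LiveID' "
        "GROUP BY meta_value HAVING COUNT(DISTINCT user_id) > 1"
    )
    return [row[0] for row in cur]
```

Running the audit query before enabling the login form shows whether any Live ID would be ambiguous.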
My code is mostly based on the SDK PHP Sample, with some modifications to integrate it in WordPress as a plugin. Of course I removed the file that is used as "user database" and used the WordPress DB instead.
There's a ton of things that could be improved. I just did not put any more effort and time in it. As you might know if you read this blog, I am not a full time developer. Actually I shouldn't write code at all for work and I am mainly considered an "infrastructure" guy. Anyway, I would like to code more and even if I am not supposed to, I always try to find stimulating situations that require a bit of integration, thinking out of the box, some scripting, etc…
[updated: November 3rd 2007] You can download the sample plugin "AS-IS" here: liveauth.zip. This has only been tested and only works with the WordPress 2.3.x series (but should also work with earlier versions – not tested)
[updated: March 30th 2008] WordPress 2.5 has changed the way the authentication cookie is generated, therefore here is an updated version of the plugin that works with the new secure cookies: liveauth02.zip
I should really invest some more time in this and clear up the code. I should also make an interface to make the configuration easier, and maybe make a version that works on both 2.3 and 2.5 branches. I am not sure when I will have time for that, though…
[updated: April 20th 2008] I have released version 0.3c of the plugin which now finally includes a simple configuration page, and should work on both WordPress 2.3 (and older) and on the 2.5 branch. Please visit the new Windows Live ID Authentication WordPress Plugin Page.
THIS WORK IS NOT ENDORSED AND NOT EVEN CHECKED, AUTHORIZED, SCRUTINIZED NOR APPROVED BY MY EMPLOYER, AND IT ONLY REPRESENTS SOMETHING WHICH I'VE DONE IN MY FREE TIME. NO GUARANTEE WHATSOEVER IS GIVEN ON THIS. THE AUTHOR SHALL NOT BE MADE RESPONSIBLE FOR ANY DAMAGE YOU MIGHT INCUR WHEN USING THIS PROGRAM.