DEV Community

Palomino for Logto

Originally published at blog.logto.io

Integrating with WordPress for Authorization

A second part of the series on integrating Logto with WordPress, focusing on authorization.


In the previous article, we discussed how to integrate Logto for authentication in WordPress. This article, as part two, will delve into the authorization process, focusing on the role system in WordPress and how to implement role mapping with Logto, given that the plugin we used in the previous article does not provide authorization capabilities directly.

We'll create a role mapping function that automatically assigns WordPress roles to users based on their roles provided by Logto RBAC (Role-Based Access Control).

Understanding WordPress user roles

WordPress has a built-in user role management system that defines what actions (capabilities) a user can perform on a site. The default user roles include Administrator, Editor, Author, Contributor, and Subscriber, each with its own set of capabilities.

These roles are crucial for maintaining the security and efficiency of site operations, as they help ensure that users have appropriate access levels based on their responsibilities.

The solution: custom role mapping

Logto employs Role-Based Access Control (RBAC) as its authorization model, utilizing "scopes" as the smallest unit of permission. These scopes define the specific actions that an authenticated user is allowed to perform within an application. However, WordPress operates on a different principle for managing user permissions, relying on predefined "roles" that bundle various capabilities together.

Given this fundamental difference, we suggest creating special roles within Logto that correspond to the roles defined in WordPress. Those roles may not have any scopes; they are only used as a reference for mapping users to WordPress roles.

Prerequisites

Before proceeding, ensure you have the following:

  • Finish the previous article on integrating Logto with WordPress for authentication. This includes:
    • A WordPress site with administrator access.
    • A Logto account with an application set up for your WordPress site.
    • The OpenID Connect Generic plugin installed and configured on your WordPress site.
  • Set up roles in Logto that correspond to the roles in WordPress. For example, if you have an 'editor' role in WordPress, create a 'group:editors' role in Logto.

Implementing role mapping with custom code

To implement role mapping, we will add custom code to the WordPress theme's functions.php file. This involves using the wp_login action hook, which triggers when a user logs in. Here's a step-by-step guide on how to set this up:

Step 1: access your theme's functions.php

Open your theme's functions.php file. You can access this file through the WordPress admin panel by navigating to Appearance > Theme Editor and selecting functions.php from the right-hand side files list. Or in the source code, navigate to your WordPress theme directory and locate the functions.php file. This file allows you to add custom PHP functions that extend the functionality of your WordPress site.

Step 2: write the role mapping function

Below is a simple example of a function that you might add to functions.php. This function will be triggered upon user login, and it will assign roles based on the user's roles claim fetched from Logto.

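function logto_handler($user_login, $user = null) {
    // wp_login may pass only the username; load the user object if needed.
    if (!$user) {
        $user = get_user_by('login', $user_login);
    }
    if (!$user) {
        return;
    }

    // Claims saved in user meta by the OpenID Connect Generic plugin.
    $oidc_claims = get_user_meta($user->ID, 'openid-connect-generic-last-user-claim', true);

    // A missing or malformed roles claim is treated as "no roles".
    $roles = (is_array($oidc_claims) && isset($oidc_claims['roles']) && is_array($oidc_claims['roles']))
        ? $oidc_claims['roles']
        : array();

    if (in_array('group:editors', $roles, true)) {
        $user->set_role('editor');
    } else {
        $user->set_role('subscriber');
    }
}

// Priority 10 (the default); the handler accepts 2 arguments.
add_action('wp_login', 'logto_handler', 10, 2);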

Step 3: understanding the code and customizing it

  • logto_handler function: This function takes two parameters: $user_login (username) and $user (user object). It retrieves the roles from Logto, which are stored in user meta as openid-connect-generic-last-user-claim, maps them to a corresponding WordPress role, and assigns it to the user.
  • add_action: This line hooks the logto_handler function to the wp_login action, which is triggered after a user logs in. The 10 is the priority (default), and 2 indicates the number of arguments the function accepts.

The example above assigns the 'editor' role to users authenticated via Logto with role name group:editors. However, in a real-world scenario, you'll likely need to implement more kinds of role mappings.

You can find the list of WordPress roles and their capabilities here.
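
One way to extend the mapping to several roles, as an added example that is not from the original article or the plugin. Only group:editors comes from the article; the other Logto role names and both function names are hypothetical, and the handler is meant to be used in place of logto_handler, not alongside it.

```php
<?php // Omit this opening tag when pasting into functions.php.
// Logto role => WordPress role, most privileged first; the first match wins.
// Only 'group:editors' is from the article; the other Logto names are hypothetical.
const LOGTO_ROLE_MAP = [
    'group:editors'      => 'editor',
    'group:authors'      => 'author',
    'group:contributors' => 'contributor',
];

// Pure mapping: a missing or malformed claim yields the least-privileged role.
function logto_resolve_wp_role($claims): string {
    $roles = (is_array($claims) && isset($claims['roles']) && is_array($claims['roles']))
        ? $claims['roles'] : [];
    foreach (LOGTO_ROLE_MAP as $logto_role => $wp_role) {
        if (in_array($logto_role, $roles, true)) {
            return $wp_role;
        }
    }
    return 'subscriber';
}

function logto_role_mapping_handler($user_login, $user = null) {
    $user = $user ?: get_user_by('login', $user_login);
    if (!$user) {
        return;
    }
    $current = array_values((array) $user->roles);
    // Design choice of this example: administrators are managed in WordPress
    // only, so a missing or stale claim cannot demote one, and no Logto role
    // maps to 'administrator'.
    if (in_array('administrator', $current, true)) {
        return;
    }
    $claims = get_user_meta($user->ID, 'openid-connect-generic-last-user-claim', true);
    $target = logto_resolve_wp_role($claims);
    if ($current !== [$target]) { // skip the write when nothing changes
        $user->set_role($target);
    }
}

if (function_exists('add_action')) {
    add_action('wp_login', 'logto_role_mapping_handler', 10, 2);
} else {
    // Outside WordPress: run the mapping over constructed sample claims.
    foreach ([['roles' => ['group:authors', 'group:editors']], ['roles' => 'x'], null] as $c) {
        echo logto_resolve_wp_role($c), PHP_EOL;
    }
}
```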

Step 4: test your setup

Now, let's test the role mapping function by logging in with a user that has the group:editors role in Logto. After logging in, check the user's role in WordPress to ensure that the mapping is working correctly.

Conclusion

By integrating Logto with WordPress for both authentication and authorization, you can enhance the security and functionality of your site. Remember, while the code provided here is a basic example, you might need to adapt it to fit the roles and permissions structure of your WordPress site.
