SSO - redirecting to forum and maintaining login status when logging in after registration

(Nick Putman) #1

I have SSO working using the wp-discourse plugin. It works well for already registered WordPress users, but not for those registering for the first time. When they login, after confirming their registration and logging in, they are redirected to wp-admin.php. I have installed the ‘Redirect After Login’ plugin, which at least then redirects them to my Wordpress home page, but it won’t redirect to discourse, and even if it could, these new users would not automatically be logged in, and would need to click ‘Login’ again on discourse to engage the SSO and finally be logged in to discourse.

Obviously I’d like to make the login process for new users as seamless as possible, so would be glad of any advice as to whether it’s possible to do so.

(Nick Putman) #2

I’ve done some more research on this, and I’ve added a function to functions.php which redirects all non admin users to the discourse forum when logging in, but I am still looking for a way to set the discourse login status automatically, as the kind of users who will be coming to my site will need everything as simple as possible, so logging in twice will be confusing. Anyway, here’s the redirect script:

function my_allowed_redirect_hosts($content){
    $content[] = ''; // Do not add http://

    return $content;
add_filter( 'allowed_redirect_hosts' , 'my_allowed_redirect_hosts' , 10 );

function acme_login_redirect($redirect_to, $requested_redirect_to, $user) {
    if (is_array($user->roles) && in_array('administrator', $user->roles)) {
        return admin_url();
        return '';
add_filter( 'login_redirect', 'acme_login_redirect', 10, 3 );

(Nick) #3

I had faced the same issue and solved it by storing the redirect_to argument passed to the Wordpress login form in a cookie and then recovering this value and redirecting to the saved URL after the registration. This piece of code does it for me:

 * We have to do it in the 'wp_login_errors' filter since it's the only place I've found to hook into the login
 * form _before_ HTTP headers are sent. Any cookies have to be set before the headers are sent.
add_filter( 'wp_login_errors', 'save_redirect_to_in_cookie' );

function save_redirect_to_in_cookie( $unused_but_required_arg ) {

	if ( ! empty( $_REQUEST['redirect_to'] ) ) {
		setcookie( 'wp-login-redirect-to', $_REQUEST['redirect_to'], time() + 1 * DAY_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );

	return $unused_but_required_arg;

 * Filter the login redirect URL.
 * @param string $redirect_to The redirect destination URL.
 * @param string $requested_redirect_to The requested redirect destination URL passed as a parameter.
 * @param WP_User|WP_Error $user WP_User object if login was successful, WP_Error object otherwise.
add_filter( 'login_redirect', 'redirect_to_url_saved_in_cookie_if_logged_in', 10, 3 );

function redirect_to_url_saved_in_cookie_if_logged_in( $redirect_to, $requested_redirect_to, $user ) {

	if ( isset( $_COOKIE['wp-login-redirect-to'] ) && ! is_wp_error( $user ) ) {

		$redirect_to = $_COOKIE['wp-login-redirect-to'];
		setcookie( 'wp-login-redirect-to', '', time() - 1 * DAY_IN_SECONDS ); // delete by expiring

	return $redirect_to;

(Nick Putman) #4

Thanks very much Nick. Have added that function and it is working a treat for those who sign up via my social plugin. For users who register via Wordpress, using their email address, I am not so sure, but there’s another issue I need to fix first before I can check this properly. For some reason Wordpress is emailing all new users a ‘click to reset’ link, instead of emailing their password to them. Is this standard behaviour, because I thought they should be emailed their password? The current process generates a password reset email to admin, and is I think breaking the redirect function.

Can you advise on this at all?

Also, as your script sets cookies, I am presuming I need to install a cookie banner plugin to my site, to remain legal. Correct?

(Nick) #5

I believe it’s the new standard behavior. It was introduced somewhat recently, in a 4.x version of Wordpress.

It shouldn’t. I just verified it again on my site, and the forum sign-up/login is working fine, even with the password reset via email.

As you can see in the code I posted, we are saving the redirect URL in a cookie and then using it the first time the user logs in – no matter what the user does between the initial visit to the login form and the actual login.

Perhaps some other plugin or piece of code is interfering with this in your installation?

(Nick Putman) #6

Thanks again. I just happened to be testing again as you wrote, and it now seems to be working fine. So perhaps there was a plugin or some code interfering and I have made some changes in the last 24 hours which made the difference. Hooray for inadvertently fixing something!

It’s still a somewhat cumbersome process when signing up via a WP account:

  • Click login on discourse forum
  • WP Login form - click to register
  • WP Registration form - enter details and click register
  • Receive email - Click to set password
  • Enter your new password - click ‘reset password’
  • WP Log in form again - enter new details - click ‘login’ and redirected to forum

Can you think of any way of streaming this further?

(Nick) #7

I had thought about logging the users in automatically after they had reset their password (instead of redirecting them to the login form again) but decided that I wasn’t sure that it was worth the effort.

What are your thoughts on this?

One other change I’ve made is I removed the Username field from the registration form, leaving only email in there.