Title: JWT Authentication Last modified: September 17, 2018 --- # JWT Authentication * Resolved [mickepalm](https://wordpress.org/support/users/mickepalm/) * (@mickepalm) * [7 years, 8 months ago](https://wordpress.org/support/topic/jwt-authentication/) * Hi there, * I have some issues with Force Login and JWT. The Force Login locked me out and the add_filter() doesn’t work. If I turned Force Login off all is fine again. Any ideas here? * /Regards, Micke Viewing 10 replies - 1 through 10 (of 10 total) * Plugin Author [Kevin Vess](https://wordpress.org/support/users/kevinvess/) * (@kevinvess) * [7 years, 8 months ago](https://wordpress.org/support/topic/jwt-authentication/#post-10696123) * Hi– thanks for using Force Login! * Check out my response to an issue posted on GitHub: [https://github.com/kevinvess/wp-force-login/issues/35#issuecomment-346231810](https://github.com/kevinvess/wp-force-login/issues/35#issuecomment-346231810) * I believe this issue needs to be addressed by the _JWT Authentication_ plugin. That plugin does not pass its authentication result to the `rest_authentication_errors` filter, which core WordPress and Force Login use to check for authentication. * An alternative option, if you don’t mind the REST API being publicly accessible, is to remove the `v_forcelogin_rest_access` filter: * ``` remove_filter( 'rest_authentication_errors', 'v_forcelogin_rest_access', 99 ); ``` - This reply was modified 7 years, 8 months ago by [Kevin Vess](https://wordpress.org/support/users/kevinvess/). * Thread Starter [mickepalm](https://wordpress.org/support/users/mickepalm/) * (@mickepalm) * [7 years, 8 months ago](https://wordpress.org/support/topic/jwt-authentication/#post-10697192) * Hi Kevin, * Yes, I have already test all of this and none is working. * I think you have right with the plugin does not pass its authentication but when I debug I hit v_forcelogin_rest_access filter and if I comment out the WP_Error line all works. * The result is null and is_user_logged_in is false coz I need the tokens ID and in this moment I hasn’t login. * /Regards, Micke * Plugin Author [Kevin Vess](https://wordpress.org/support/users/kevinvess/) * (@kevinvess) * [7 years, 8 months ago](https://wordpress.org/support/topic/jwt-authentication/#post-10697278) * That’s correct– when you debug, a `WP_Error()` is returned when the `v_forcelogin_rest_access` filter runs because Force Login did not detect an authenticated user at that point. * However, the issue is caused by the _JWT Authentication_ plugin not passing its authentication result to the `rest_authentication_errors` filter, which core WordPress and Force Login use to check for authentication. * The JWT plugin would need to be updated to fix this issue, or you may remove the `v_forcelogin_rest_access` filter as stated above. * I recommend you contact their support forum about fixing their plugin. * Thanks, Good luck! * Thread Starter [mickepalm](https://wordpress.org/support/users/mickepalm/) * (@mickepalm) * [7 years, 8 months ago](https://wordpress.org/support/topic/jwt-authentication/#post-10698307) * I agree there! * They doesn’t have any updated version here but I will see if I can work around it instead. I tried to remove the filter with any luck so I try this variant instead and it seems to work perfect. * add_filter( ‘rest_authentication_errors’, ‘__return_true’ ); * Thanks for the answers … * [rcwalsh](https://wordpress.org/support/users/rcwalsh/) * (@rcwalsh) * [7 years, 2 months ago](https://wordpress.org/support/topic/jwt-authentication/#post-11321040) * [@mickepalm](https://wordpress.org/support/users/mickepalm/) Thank you! Adding` add_filter( 'rest_authentication_errors', '__return_true' );` to the bottom of auth.php in my custom version of [https://as.wordpress.org/plugins/jwt-authenticator/](https://as.wordpress.org/plugins/jwt-authenticator/) helped me use that plugin and Force Login simultaneously. * **But I’m wondering if you or [@kevinvess](https://wordpress.org/support/users/kevinvess/) can help me understand: what did I just do by adding that line? Are there any downsides or risks?** * Thanks! * Plugin Author [Kevin Vess](https://wordpress.org/support/users/kevinvess/) * (@kevinvess) * [7 years, 2 months ago](https://wordpress.org/support/topic/jwt-authentication/#post-11339955) * [@rcwalsh](https://wordpress.org/support/users/rcwalsh/) by adding that filter to `__return_true` you’re allowing the WP REST API to always be publicly accessible. * The only downside would be that your site content would be publicly accessible from the REST API without authentication. * Also, check out this discussion on GitHub about this issue with the _JWT Authentication_ plugin: * [https://github.com/kevinvess/wp-force-login/issues/35#issuecomment-346231810](https://github.com/kevinvess/wp-force-login/issues/35#issuecomment-346231810) * [rcwalsh](https://wordpress.org/support/users/rcwalsh/) * (@rcwalsh) * [7 years, 2 months ago](https://wordpress.org/support/topic/jwt-authentication/#post-11340310) * Thanks for your response, [@kevinvess](https://wordpress.org/support/users/kevinvess/)! * Ideally I’d like not to expose the WP REST API, so I want to learn how to edit my custom JWT plugin to work appropriately. * The first thing I’ll try is moving `add_filter( 'rest_authentication_errors',' __return_true' );` to within the `if` statement that checks whether the JWT token was valid. * But I also see your comment here, which is different: [https://github.com/kevinvess/wp-force-login/issues/35#issuecomment-346185653](https://github.com/kevinvess/wp-force-login/issues/35#issuecomment-346185653) * Maybe you’re saying that _removing_ the filter in that same `if` would have the same effect as `__return_true`? * If you could point me in the right direction, I’d appreciate it. * Thanks for all of your amazing and generous work. * Plugin Author [Kevin Vess](https://wordpress.org/support/users/kevinvess/) * (@kevinvess) * [7 years, 2 months ago](https://wordpress.org/support/topic/jwt-authentication/#post-11341225) * [@rcwalsh](https://wordpress.org/support/users/rcwalsh/) * Unfortunately, this is an issue with the _JWT Authentication_ plugin. It does not pass its authentication result to the `rest_authentication_errors` filter which would be consistent with core handling. * **You’ll need to coordinate with JWT Authentication to fix this issue.** * The best advice or direction I can give on this issue has already been said; you need to have JWT pass its authentication result to the [rest_authentication_errors](https://developer.wordpress.org/reference/hooks/rest_authentication_errors/) filter. * Instead of always passing `__return_true` to the `rest_authentication_errors` filter, you could write your own function that hooks into that filter to pass the _JWT Authentication_ result. * If you do find a solution to this, please share it here in case it’s helpful to others. * Thanks, good luck! * [rcwalsh](https://wordpress.org/support/users/rcwalsh/) * (@rcwalsh) * [7 years, 2 months ago](https://wordpress.org/support/topic/jwt-authentication/#post-11341251) * [@kevinvess](https://wordpress.org/support/users/kevinvess/) I’m not using [https://wordpress.org/plugins/jwt-authentication-for-wp-rest-api/](https://wordpress.org/plugins/jwt-authentication-for-wp-rest-api/) * I’m using something custom that I slapped together inspired by [https://as.wordpress.org/plugins/jwt-authenticator/](https://as.wordpress.org/plugins/jwt-authenticator/), which is (I think) a different thing. My assumption is that it shares the same inadequacy (ie. that “It does not pass its authentication result to the `rest_authentication_errors` filter which would be consistent with core handling.”). But that plugin hasn’t been actively developed for a long time, and so there is no support, so my new plugin inspired by it relies just on me and whatever I can figure out. * And I’m completely inexperienced with coding WordPress plugins but am excited that I’ve gotten this far. * Thanks for your advice. I’ll study what you’ve written here and plan to share whatever I figure out. * [rcwalsh](https://wordpress.org/support/users/rcwalsh/) * (@rcwalsh) * [7 years, 2 months ago](https://wordpress.org/support/topic/jwt-authentication/#post-11350621) * I was driving myself crazy trying to figure this out. I never could figure out the ‘priority’ parameter with how WordPress loads plugins in whatever order. * So I deleted the Force Login plugin (so that it was no longer installed in the typical/official way) but then added it as a single file within my JWT plugin’s folder and then added `require_once('wp-force-login.php');` to the bottom of that custom JWT plugin. * Then in `wp-force-login.php`, I edited `v_forcelogin_rest_access` to look at ` $_SERVER['REQUEST_URI']` and allow JWT requests. Viewing 10 replies - 1 through 10 (of 10 total) The topic ‘JWT Authentication’ is closed to new replies. * ![](https://ps.w.org/wp-force-login/assets/icon.svg?rev=1904031) * [Force Login](https://wordpress.org/plugins/wp-force-login/) * [Frequently Asked Questions](https://wordpress.org/plugins/wp-force-login/#faq) * [Support Threads](https://wordpress.org/support/plugin/wp-force-login/) * [Active Topics](https://wordpress.org/support/plugin/wp-force-login/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wp-force-login/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wp-force-login/reviews/) * 10 replies * 3 participants * Last reply from: [rcwalsh](https://wordpress.org/support/users/rcwalsh/) * Last activity: [7 years, 2 months ago](https://wordpress.org/support/topic/jwt-authentication/#post-11350621) * Status: resolved