Authenticate with WordPress cookie through API from a subdomain


I want to access the currently logged-in WordPress user in a separate Laravel installation.

WordPress is running as <em></em> and I've got a subdomain with <em></em> with the Laravel application (on another server but same domain).

I'm using the native WordPress API and created an authentication route.

<strong>The issue:</strong>

When I access the <em>/authenticate</em> route directly, the user ID is returned and works correctly. But when I access the route through <strong>false</strong> is returned.

<strong>Things I've got working:</strong>

I've created an API request which returns the user id in an API call:

add_action( 'rest_api_init', function () {
  register_rest_route( '/authenticate', array(
    'methods' => 'GET',
    'callback' => 'authenticate',
  ) );
} );

The function looks like this:

$user_id = wp_validate_auth_cookie( $_COOKIE[LOGGED_IN_COOKIE], 'logged_in' );

The WP cookie is available on both the sub / main domain. I can see they are identical and top-level.

define('COOKIE_DOMAIN', '');

<strong>Things I've tried:</strong>

<ul>
<li>Using wp_get_current_user() to retrieve the user; this seems to need a nonce. I experimented for hours and hours with the nonce approach in many different ways, but I could not get this to work (false or 0 was returned). I understand this is due to restrictions on using a nonce from outside of WordPress.</li>
<li>Using the default native API approach to get the user, which also needs the nonce.</li>
<li>Reading the <a href="" rel="nofollow noreferrer"></a> manual, git repository & several articles / comments online.</li>
<li>Thinking about the OAuth approach, but I do not want users to log in again as they are already logged in when they reach the tool.</li>
<li>Sending stuff like posts etc. works without problems, so the API connection is not the problem.</li>
</ul>

I'm wondering if my approach is in the right direction. Hopefully someone can give me some guidance.
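
As an added example (not the poster's code): a fuller version of the route and callback described above, which reports a request that carries no logged_in cookie separately from one whose cookie fails validation, so the two failure modes can be told apart. The namespace `example/v1` and the function name `example_authenticate` are placeholders.

```php
<?php
// Added example. 'example/v1' and example_authenticate() are placeholder names.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/authenticate', array(
        'methods'             => 'GET',
        'callback'            => 'example_authenticate',
        // The callback performs its own cookie check, so the route is public.
        'permission_callback' => '__return_true',
    ) );
} );

function example_authenticate( WP_REST_Request $request ) {
    // Case 1: this request did not include the logged_in cookie at all,
    // e.g. the HTTP client that made the call did not send a Cookie header.
    if ( empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) {
        return new WP_Error(
            'no_cookie',
            'No logged_in cookie in this request.',
            array( 'status' => 401 )
        );
    }

    // Case 2: a cookie was sent but is expired, malformed or fails the
    // signature check; wp_validate_auth_cookie() returns false for all three.
    $user_id = wp_validate_auth_cookie( $_COOKIE[ LOGGED_IN_COOKIE ], 'logged_in' );
    if ( ! $user_id ) {
        return new WP_Error(
            'bad_cookie',
            'logged_in cookie present but not valid.',
            array( 'status' => 401 )
        );
    }

    // Return only the ID; the answer is per user, so tell caches not to store it.
    $response = new WP_REST_Response( array( 'user_id' => (int) $user_id ) );
    $response->header( 'Cache-Control', 'no-store' );
    return $response;
}
```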