This technique does create a “shadow” WP user for the external login. A lot of BuddyPress uses the WP user ID extensively, so it would take a lot more work to let external users participate in a BuddyPress site without a local user ID.

Your second question is related to the first one. Because we\’re creating a local user account and hooking `authenticate`, this code is only called if the user fails to log in locally but successfully logs in to the external auth system.

Thanks for the comment!

– David

I have some questions though. I see that you perform an update statement on the database:

// activate user and set display name appropriately
$wpdb->query( $wpdb->prepare( "UPDATE $wpdb->users SET display_name=%s, user_status=0 WHERE ID=%d", $display_name, $new_user ) );

1. Is this necessary? I was hoping to avoid storing a 'shadow' record in WordPress as the user is already stored in the external system.
2. It looks like you are registering a new user (and activating it etc)… How does this work? A new user is registered for every login?

Thanks for the great article and keep on writing them!

-Stijn