Adds authentication through OAuth 2.0 and provides Single Sign On (SSO) for websites and mobile applications.
Connect your app to WordPress, or use SSO to connect multiple websites with the same username and password. No 3rd party servers are needed with WP OAuth Server; everything you need is in this plugin.
Features
WP REST API Authentication. Provides ability to make authorized calls to protected REST API endpoints.
WP REST API Lock Down. Prevent any calls to the REST API unless authorized
Unlimited OAuth 2.0 Clients
Support for Implicit Flow
Built-In Resource Server
Automated Authorization Flow (User does not have to see authorization screen)
Easily extend or modify the endpoints
OAuth 2.0 PKCE
Modern and Legacy JWT authorization support. OAuth 2.0 JSON Web Token Support
Supported Grant Types
Authorization Code (with Implicit)
User Credentials (Pro)
Client Credentials (Pro)
Refresh Token (Pro)
OpenID Connect (Pro)
OpenID Discovery
Public Clients (Pro)
Public Client Proof Key for Code Exchange (PKCE)
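The PKCE method listed above (RFC 7636, S256 challenge method) is what lets a public client prove, at the token endpoint, that it is the same party that started the authorization request. The following is an added illustration written for this page, not the plugin's own code: the client derives a challenge from a random verifier, and the server recomputes and compares it. The known-answer values are the test vector from RFC 7636 Appendix B.

```php
<?php
// Added example (not WP OAuth Server code): PKCE per RFC 7636.
// Requires PHP 7+ for random_bytes().

// Base64url encoding without '=' padding (RFC 7636 Appendix A).
function pkce_base64url(string $bytes): string {
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Client side: a high-entropy code_verifier (43..128 chars) and its S256 code_challenge.
function pkce_make_verifier(): string {
    return pkce_base64url(random_bytes(32)); // 32 random bytes -> 43 characters
}

function pkce_make_challenge(string $verifier): string {
    // BASE64URL-ENCODE(SHA256(ASCII(code_verifier))); third arg = raw binary digest
    return pkce_base64url(hash('sha256', $verifier, true));
}

// Server side: at the token endpoint, take the code_challenge stored with the
// authorization code, recompute it from the submitted code_verifier and compare
// in constant time. Reject unknown methods and malformed verifiers.
function pkce_verify(string $method, string $stored_challenge, string $verifier): bool {
    $len = strlen($verifier);
    if ($len < 43 || $len > 128 || !preg_match('/^[A-Za-z0-9._~-]+$/', $verifier)) {
        return false; // outside the RFC 7636 unreserved-character alphabet or length
    }
    if ($method === 'S256') {
        $expected = pkce_make_challenge($verifier);
    } elseif ($method === 'plain') {
        $expected = $verifier; // permitted by the RFC only when S256 is impossible
    } else {
        return false;
    }
    return hash_equals($stored_challenge, $expected);
}

// Known-answer check: RFC 7636 Appendix B test vector.
$rfc_verifier  = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
$rfc_challenge = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM';
var_dump(pkce_make_challenge($rfc_verifier) === $rfc_challenge);   // bool(true)

// Round trip with a freshly generated verifier, plus two rejections.
$verifier  = pkce_make_verifier();
$challenge = pkce_make_challenge($verifier);
var_dump(pkce_verify('S256', $challenge, $verifier));               // bool(true)
var_dump(pkce_verify('S256', $challenge, $verifier . 'x'));         // bool(false): wrong verifier
var_dump(pkce_verify('plain', $challenge, $verifier));              // bool(false): method mismatch
```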
Supports
Connecting any Custom Mobile and Desktop Application to WordPress’s Backend.
Any software or web platform utilizing OAuth 2.0.
Allows RocketChat to use WordPress as a Backend.
Connects Moodle LMS to WordPress so it can use WordPress users.
Alexa Skills Authentication
Tribe.so Community OAuth 2 SSO Support
How to Use
Visit https://wp-oauth.com/support/documentation/ for detailed documentation on installing, configuring and using WordPress OAuth Server.
Licensing
WP OAuth Server is free to use. Please support the project by licensing. You can view more information at https://wp-oauth.com.
Minimum Requirements
PHP 5.6.4 or greater (latest version recommended)
OpenSSL installed and enabled if you plan on using OpenID Connect
Other Information
NOTE: As of 3.0.0, there is no backward compatibility with any version older than 3.0.0.
NOTE: Due to IIS’s inability to play nice, WP OAuth Server may work on Windows OS but is very limited there.
Support
Support requests should be made by opening a support request at https://wp-oauth.com/support/submit-ticket/.
Installation
Upload oauth-provider to the /wp-content/plugins/ directory or use the built-in plugin installer in WordPress
Activate the plugin through the ‘Plugins’ menu in WordPress
Click ‘Settings’ and then ‘Permalinks’. Then simply click ‘Save Changes’ to flush the rewrite rules so that OAuth2 Provider
You’re Ready to Rock
FAQ
Do I need OAuth2 or App Passwords?
This depends. If your project requires arbitrary users to access an application, then OAuth2 is the route you need. If you are building a server that handles a single client ID and secret for authorization, then Application Passwords is for you.
How do I add an App/Client?
Click on Settings->OAuth Server. Click on the Clients tab and then Add New Client. Enter the client information and you are done.
Does WordPress OAuth Server support SSO (Single Sign On)?
Yes, WordPress OAuth Server does support Single Sign On for both Traditional OAuth2 Flow and OpenID Connect.
Is there support for this plugin? Can you help me?
You can visit https://wp-oauth.com/support/submit-ticket/ to open a support request directly with the developers.
Can you set this up for me on my current website?
*Drinks coffee* Can I? “YES”. You are more than welcome to contact us if you should ever need assistance.
How do I use WordPress OAuth Server?
You can visit https://wp-oauth.com/support/documentation/. You will find in-depth documentation as well as examples of how to get started.
Changelog
4.4.0
(Security Update) Refactored the “destroy” endpoint to remove the auto redirect in favor of a manual checkpoint.
Cleaned up misc functions. This should not affect any existing implementations.
Tested with WordPress 6.4 installed.
4.3.4
Updated to fix deprecation messages for PHP 8.1 and WP 6.2
Added prepared statements to the cron cleanup
Adjustments to make some options clearer.
4.3.3
Updated wpoauth_authenicate_bypass to return false.
Tested with WP 6.2
4.2.5
Updated sanity checks in AJAX
4.2.3
Tested WP 6.0.3
4.2.2
Refactored codebase with PHPCS and PHPCBF WordPress Standards
Security updates to data handling.
General cleanup of unneeded functionality
4.2.0
Updated/fixed subdirectory issues during Authorization Code Grant Type requests. (duplicate subdirectory issue)
PHP 8 Compatibility Check
4.1.8
Updated the ME endpoint to return user roles by default with an OAuth 2.0 access token
Tested with WordPress version 5.8 and PHP 8. All tests passed.
4.1.7
Updated S256 code challenge method logic for OAuth 2.0 PKCE
Fixed issue with headers during initial activation by moving db update to admin_init hook after any activation.
4.1.6
User info mapping options added. Map custom user data points easily in the editor.
Role-based restriction logic has been added, controlled via filter.
4.1.5
Added new DB version check to ensure DB upgrades are triggered as needed
4.1.4
Patched security concern with file include
4.1.3
Fixed SQL syntax on normal plugin activation
4.1.2
Table update and install fixed for code challenge
Full support for PKCE has been added.
4.1.1
Refactored base code to reconcile to 4.1.1
Improvements include typeahead.js, JWT support, PKCE support (Proof Key for Code Exchange)
3.8.2
Fixed client table listing bug that displayed user generated clients
3.8.1
Function name updates to adhere to best practices
Added sanitation for inputs
Cleaned up unneeded files
Removed plugin core validation checks as they are redundant and not needed.
3.8.0
Updated broken links and added documentation
Tested with the latest version of WordPress
3.7.92
Added sub directory fix to options.
Synced Main Options with Pro Version.
3.7.91
Changed content in the admin of plugin to reflect changes on support site.
3.7.9
Removed UNIQUE INDEX from access token to allow for longer JWT.
ADDED: Check for required DB upgrade.
ADDED: Hooks check
3.7.8
ADDED: Hooks file check
UPDATED: MD5 Hash
FIXED: Version Headers
3.7.7
ADDED: Added more discovery to the discovery endpoint.
3.7.6
FIXED: Although not used in the community version, there was a bug in the Server controller for a missing grant type.
3.7.5
ADDED: Defines DOING_OAUTH for easier hooks
ADDED: Select2 for client management
3.7.1
FIXED: Implicit Method (invalid grant type issues)
UPDATED: Storage method
Tested with WP 5.1
3.6.0
UPDATED: OAuth2 namespace changed to WPOauth2 for better compatibility
FIXED: Bug in API authorization block functionality
FIXED: Default scope of basic was not being imitated correctly
UPDATED: Formatting updates
3.5.9
Fixed possible conflict with CSS in admin that prevented buttons from working or displaying
Content updates
3.5.8
NEW: Hourly cleanup of expired access tokens and auth codes.
3.5.7
TESTED: With new security release
3.4.6
UPDATE: Code updated for PHP 7.2’s stricter standards.
UPDATE: Updated admin UI for better experience in settings.
FIX: Admin Notice Fix for settings.
NEW: Added feature to disable the entire REST API for non-authenticated users.
NEW: Live chat support added to backend of plugin.
3.4.5
UPDATE: Database columns are now set to 191 char limits for unique indexes to provide better backward compatibility.
FIX: Bug fix in refresh token expire time.
3.4.4
NEW: Added filter wo_get_access_token_expires_return to the getAccessToken storage method.
UPDATE: Client type public setting has been updated.
UPDATE: Destroy endpoint. Now does not require two separate methods for different outcomes.
3.4.3
ENHANCEMENT: Improved UX while editing clients
UPDATE: Base code updates
UPDATE: /oauth/destroy/ endpoint was modified to handle OpenID Session Management
UPDATED: /oauth/me/ to return proper OpenID required fields when scope “openid” was used to authorize the access token
NEW: Added “wpo_well_known_openid_configuration” filter for OpenID Connect .well-known configuration
FIXED: Consent Prompt redirect issues.
UPDATED: Private & Public Key handling on activation.
NEW: Added single function for Server certificates locations.
3.4.3
FIXED: OpenID well-known key bug for PHP namespace has been fixed.
3.4.2
FIX: License error using older PHP version
FIX: Clash with thickbox in admin area
3.4.1
NEW: Added prompt parameter support for “login”, “consent”, and “none”
NEW: Added User consent window for Authorization code flow.
NEW: Added filter “wo_use_grant_request” to enable user consent dialog. Boolean.
3.4.0
NEW: Basic support for Token Introspection. RFC 7662 ( https://tools.ietf.org/html/rfc7662 )
ENHANCEMENT: Start of framework for add ons.
FIX: Bug in a token being delivered even with invalid client credentials.
FIX: Proper return from resource server during invalid request.
3.3.81 – MAY 1ST, 2017
ENHANCEMENT: current_time( ‘timestamp’ ) used in favor of time(). This allows time to follow the WP time settings
ENHANCEMENT: Native tabs in admin.
ENHANCEMENT: “wo_updater” filter added to allow plugin updater control.
FIX: Bug in redirect URI during authorization code flow. Now uses home_url()
FIX: Bug that allowed client IDs to be searchable.
3.3.8
Added public function “wo_public_insert_client” for adding clients.
Deprecated “wo_get_access_token” in favor of “wo_public_get_access_token”