OAuth doesn’t share password data but instead uses authorization tokens to prove an identity between consumers/clients and service providers. OAuth, in general, is a protocol for providing the ability to authorize a token to make authorized requests on behalf of a user without exchanging or exposing the username and or password.
OAuth 2.0 is not the same as OAuth 1.0. OAuth 2 uses the common practice of TLS/SSL connections to handle communication security whereas OAuth 1 relies on complicated signature signing and can be used over nonsecure connections.
- Resource Owner – The user
- Resource Server – WordPress
- Client – Application
- Authorization Server – WordPress
- Authorization Code – A temporary code is given to exchange for an access token.
- Access Token – A token representing the authorization for a user.
You may notice that some of the terms above represent the same thing. When it comes to OAuth 2.0 for WordPress, some systems are the same thing. For example, the Resource Server and Authorization server are the same entity. Both houses the functionality to authorize and give data.
OAuth2 Grant Types
Grant types are the means or flow in which a client is able to get authorization. There are a handful of grant types that WP OAuth Server supports.
There are multiple grant types because of the different types of client frameworks that can be used.
WP OAuth Server Endpoints
Endpoints are a specific URL that is visited to trigger a specific OAuth function. WP OAuth Server adds two main endpoints to WordPress.
WP OAuth Server supports an extra set of endpoints related to the type of extension.
- ./well-known/keys – Returns public keys
- ./well-known/openid-configuration – Returns OpenID Connect Configuration.
In Addition to the above endpoints, WP OAuth Server has a built-in resource server. The resource server can be used to design a custom REST API outside of WP REST API.
WP OAuth Server is developed utilizing WordPress’s filters and actions API. When customizing the plugin is desired, there are two ways to carry out this.
Scopes in WP OAuth Server are a bit irrelevant but are supported for custom endpoints. Scopes are intended to tell the access token what info can and can not be returned for any given authorization. According to oauth.net
Scope is a mechanism in OAuth 2.0 to limit an application’s access to a user’s account. An application can request one or more scopes, this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted.
Since WordPress uses standard capabilities in the REST API, the need for scopes is effectively ineffective. There are however some circumstances that scopes can help but will require custom development.
If a client is requesting user info and you only want to return email and name with the “basic” scope, then it would be a good case to restrict user data based on a scope.