Overview
OpenID Connect adds extra parameters to the access token response. The OpenID Connect response carries a field called “id_token”, and the server publishes a JWK (its public key) so the client can verify that the id_token was genuinely issued by the OAuth 2.0 server. In order to follow this step-by-step walkthrough, you will need to have WP OAuth Server installed and activated. If you do not have the latest copy of WP OAuth Server, you can download it at https://wp-oauth.com/downloads/wp-oauth-server/.
Before you begin
This method of OpenID uses the grant type “Authorization Code”. OpenID can also be accomplished by using the “Implicit” grant type, which returns the “id_token” parameter to the client in the URL instead of having to exchange the code to authenticate. This article does not cover the “implicit” method and assumes “authorization code” (response type “code”) is being used for the OpenID request.
Configuring
Visit your WordPress admin dashboard and navigate to WP OAuth Server’s settings page. On this settings tab, you will see a header labeled “OpenID Connect 1.0a (Global)”. Ensure that “Enable OpenID Connect” is checked and then save the settings. Refer to the image below.
Create a Client
Now it is time to create the client that we are going to use. Navigate to OAuth Server > Clients and click on “Add New Client” in the top left of the window. Add your client information in the form and ensure that the checkbox “Authorization Code” is checked under “Allowed Grant Types”. Click “Create Client”.
Calls using OpenID Connect
Initiate a call to your WordPress’s OAuth 2.0 server using the following endpoint:
https://{yourdomain}/oauth/authorize/?response_type=code&client_id={client_id}&scope=openid
Parameters:
- response_type – “code”
- client_id – taken from the client we created earlier.
- scope – “openid”
OpenID Connect is triggered by passing the scope “openid” in the call. In this example, we provided the scope “openid” with the authorization code grant type. Whenever you want to use OpenID Connect, you simply include the scope “openid” in the request.
Verify OpenID Connect
An OpenID Connect request to WP OAuth Server returns extra parameters within the normal OAuth 2.0 flow: the JSON token response additionally contains “id_token”. This value is a JSON Web Token (JWT). A proper response to an OpenID Connect request will look something like the following.
{
  "access_token": "ffdbq70ddllaoqqpynvu7z4vsdphhhujdma56biq",
  "expires_in": 9087654,
  "token_type": "Bearer",
  "scope": "openid email",
  "refresh_token": "fnm8hn2jnv7mliga3zvrzwde19zenhvrpmgbpdb1",
  "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvd29yZHByZXNzLmRldiIsInN1YiI6IjEiLCJhdWQiOiJ6WkZBcldjcFVmcTlaUXFOSU5EWUZsUWhlS2FJZnRvT3MzcFUwQ2pWIiwiaWF0IjoxNDg4ODE3MjE1LCJleHAiOjE0ODg4MjA4MTUsImF1dGhfdGltZSI6MTQ4ODgxNzIxNSwibm9uY2UiOiIxMjMxMjMiLCJlbWFpbCI6Imp1c3RpbkBqdXN0aW4tZ3JlZXIuY29tIiwiZW1haWxfdmVyaWZpZWQiOiIifQ.pOMJhHhFroaPc32X55VRxpQVvfh84c2q5YtK6f31f4jjpBwh8VT8fFPSLRzAWd5Ri2YP3AYYDl1rk7DoDosrBz2B_EOQAU4y_rIV_zFYWoYsywuZIffu1anVeYbHOetxO-rLlOUXBCTO0kBtAeKTIwBhgfFupdKsf-eyzkNoG3knMg8JZxvRrAnvNCVUHOXguZbYxpx0ShYhlGyxbtn7W7Y59K-t6HPzD4BwzmAfdONbO-MF6imQCIZh922O46oJWhYPowv-ALJrVKHv_dLg3rHBikw06DjLLuKYWOwDUmz-6W6KYcH6HbZ9bnFaWvr5fuTpi0LxwAeMZvH1zsGgGg"
}
The “id_token” parameter can be validated using the server’s public key. A private and public key pair is generated when WP OAuth Server is installed. The Auto Discovery feature in WP OAuth Server publishes the server’s OpenID Connect configuration at https://{yourdomain}/.well-known/openid-configuration/.
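What that validation involves on the client side, as an added example that is not code from WP OAuth Server or from this article: the id_token from the sample response above is split into its three segments, the header and claims are decoded, the RS256 signature is checked against an RSA JWK, and the claims an OpenID Connect client must check (iss, aud, exp, and the nonce it sent in the authorize request) are compared against expected values. The example uses only the Python standard library; the JWKS document is assumed to be the one advertised by the “jwks_uri” key of the discovery document at https://{yourdomain}/.well-known/openid-configuration/, and fetching it is left to the caller so that the example runs offline. Note that the sample token is from 2017 and has long since expired, so validating it fails on the exp check even before the signature is considered.

```python
"""Validate an OpenID Connect id_token on the client (illustrative, stdlib only).

Added example; not WP OAuth Server code. The JWKS passed to validate_id_token()
is assumed to come from the "jwks_uri" of the server's discovery document.
"""
import base64
import hashlib
import hmac
import json
import time

# The id_token from the sample token response in this article (long expired).
SAMPLE_ID_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9."
    "eyJpc3MiOiJodHRwczpcL1wvd29yZHByZXNzLmRldiIsInN1YiI6IjEiLCJhdWQiOiJ6WkZBcldj"
    "cFVmcTlaUXFOSU5EWUZsUWhlS2FJZnRvT3MzcFUwQ2pWIiwiaWF0IjoxNDg4ODE3MjE1LCJleHAi"
    "OjE0ODg4MjA4MTUsImF1dGhfdGltZSI6MTQ4ODgxNzIxNSwibm9uY2UiOiIxMjMxMjMiLCJlbWFp"
    "bCI6Imp1c3RpbkBqdXN0aW4tZ3JlZXIuY29tIiwiZW1haWxfdmVyaWZpZWQiOiIifQ."
    "pOMJhHhFroaPc32X55VRxpQVvfh84c2q5YtK6f31f4jjpBwh8VT8fFPSLRzAWd5Ri2YP3AYYDl1r"
    "k7DoDosrBz2B_EOQAU4y_rIV_zFYWoYsywuZIffu1anVeYbHOetxO-rLlOUXBCTO0kBtAeKTIwBh"
    "gfFupdKsf-eyzkNoG3knMg8JZxvRrAnvNCVUHOXguZbYxpx0ShYhlGyxbtn7W7Y59K-t6HPzD4Bw"
    "zmAfdONbO-MF6imQCIZh922O46oJWhYPowv-ALJrVKHv_dLg3rHBikw06DjLLuKYWOwDUmz-6W6K"
    "YcH6HbZ9bnFaWvr5fuTpi0LxwAeMZvH1zsGgGg"
)

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(segment: str) -> bytes:
    """JWT segments drop base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str):
    """Split a compact JWS into (header, claims, signing_input, signature_segment).
    Nothing is verified here: the claims are untrusted until validate_id_token() passes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must have exactly three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, f"{parts[0]}.{parts[1]}".encode("ascii"), parts[2]


def pkcs1_v15_encode(signing_input: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(signing_input), k bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    if k < len(t) + 11:
        raise ValueError("RSA modulus too short for SHA-256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_rs256(signing_input: bytes, sig_segment: str, jwk: dict) -> bool:
    """RSASSA-PKCS1-v1_5 check using the modulus and exponent of one RSA JWK."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    signature = b64url_decode(sig_segment)
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, pkcs1_v15_encode(signing_input, k))


def validate_id_token(token, jwks, issuer, client_id, nonce=None, now=None):
    """Verify the signature and the claims an OIDC client must check; return the claims."""
    header, claims, signing_input, sig_segment = decode_jwt(token)
    if header.get("alg") != "RS256":  # never let the token pick a weaker algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    keys = [k for k in jwks.get("keys", []) if k.get("kty") == "RSA"]
    if "kid" in header:  # the sample token carries no kid, so then every RSA key is tried
        keys = [k for k in keys if k.get("kid") == header["kid"]]
    if not any(verify_rs256(signing_input, sig_segment, k) for k in keys):
        raise ValueError("signature does not verify against any key in the JWKS")
    if claims.get("iss") != issuer:
        raise ValueError(f"iss {claims.get('iss')!r} is not the expected issuer")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("aud does not contain this client_id")
    now = int(time.time()) if now is None else now
    if now >= int(claims.get("exp", 0)):
        raise ValueError("id_token has expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce does not match the one sent in the authorize request")
    return claims


if __name__ == "__main__":
    header, claims, _, _ = decode_jwt(SAMPLE_ID_TOKEN)
    print("header:", header)
    print("claims:", json.dumps(claims, indent=2))
    try:  # no JWKS is available offline, so this reports a failure
        validate_id_token(SAMPLE_ID_TOKEN, {"keys": []}, claims["iss"], claims["aud"])
    except ValueError as err:
        print("validation failed:", err)
```

Decoding the sample token shows “alg” RS256 in the header and, in the claims, “iss” https://wordpress.dev, “aud” equal to the client_id, “iat”/“exp” one hour apart, and a “nonce”; the client compares “aud” with its own client_id and “nonce” with the value it sent in the authorize request, and the signature check above runs before any claim is trusted.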