OpenID Authentication for WP REST API

Documentation under "How To" for WP OAuth Server


Overview

OpenID Connect adds parameters to the response that returns an access token. The OpenID Connect response contains a field called “id_token”, and the server publishes a JWK (JSON Web Key) so the client can verify that the response genuinely came from the OAuth 2.0 server. To follow this step-by-step walkthrough, you will need WP OAuth Server installed and activated. If you do not have the latest copy of WP OAuth Server, you can download it at https://wp-oauth.com/downloads/wp-oauth-server/.

Configuring

Visit your WordPress admin dashboard and navigate to WP OAuth Server’s settings page. On this settings tab, you will see a header labeled “OpenID Connect 1.0a (Global)”. Ensure that “Enable OpenID Connect” is checked and then save the settings. Refer to the image below.

[Image: Enabling OpenID Connect - WP OAuth Server]

Create a Client

Now it is time to create the client that we are going to use. Navigate to OAuth Server > Clients and click on “Add New Client” in the top left of the window. Add your client information in the form and ensure that the checkbox “Authorization Code” is checked under “Allowed Grant Types”. Click “Create Client”.

Calls using OpenID Connect

Initiate a call to your WordPress’s OAuth 2.0 server using the following endpoint:

https://{yourdomain}/oauth/authorize/?response_type=code&client_id={client_id}&scope=openid

Parameters:

  • response_type – “code”
  • client_id – taken from the client we created earlier.
  • scope – “openid”

OpenID Connect is triggered by passing the scope “openid” in the call. In this example, we combined the “openid” scope with the authorization code grant type. Whenever you want to use OpenID Connect, you simply include the scope “openid”.

Verify OpenID Connect

An OpenID Connect request to WP OAuth Server returns extra parameters within the normal OAuth 2.0 flow. The JSON response will contain an “id_token” field whose value is a JSON Web Token (JWT). A proper response to an OpenID Connect request looks something like the following.

{
   "access_token":"ffdbq70ddllaoqqpynvu7z4vsdphhhujdma56biq",
   "expires_in":9087654,
   "token_type":"Bearer",
   "scope":"openid email",
   "refresh_token":"fnm8hn2jnv7mliga3zvrzwde19zenhvrpmgbpdb1",
   "id_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvd29yZHByZXNzLmRldiIsInN1YiI6IjEiLCJhdWQiOiJ6WkZBcldjcFVmcTlaUXFOSU5EWUZsUWhlS2FJZnRvT3MzcFUwQ2pWIiwiaWF0IjoxNDg4ODE3MjE1LCJleHAiOjE0ODg4MjA4MTUsImF1dGhfdGltZSI6MTQ4ODgxNzIxNSwibm9uY2UiOiIxMjMxMjMiLCJlbWFpbCI6Imp1c3RpbkBqdXN0aW4tZ3JlZXIuY29tIiwiZW1haWxfdmVyaWZpZWQiOiIifQ.pOMJhHhFroaPc32X55VRxpQVvfh84c2q5YtK6f31f4jjpBwh8VT8fFPSLRzAWd5Ri2YP3AYYDl1rk7DoDosrBz2B_EOQAU4y_rIV_zFYWoYsywuZIffu1anVeYbHOetxO-rLlOUXBCTO0kBtAeKTIwBhgfFupdKsf-eyzkNoG3knMg8JZxvRrAnvNCVUHOXguZbYxpx0ShYhlGyxbtn7W7Y59K-t6HPzD4BwzmAfdONbO-MF6imQCIZh922O46oJWhYPowv-ALJrVKHv_dLg3rHBikw06DjLLuKYWOwDUmz-6W6KYcH6HbZ9bnFaWvr5fuTpi0LxwAeMZvH1zsGgGg"
}

The id_token can be validated using the server’s public key. A private/public key pair is generated when WP OAuth Server is installed. The Auto Discovery feature in WP OAuth Server exposes the discovery document at https://{yourdomain}/.well-known/openid-configuration/.
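As an added example (not part of the WP OAuth Server documentation or plugin code), the following stdlib-only Python shows what a client does with that id_token: split the three JWT segments, verify the RS256 signature against the server’s RSA public key as it would be served in JWK form from the jwks_uri named in the discovery document, and only then check iss, aud, exp and nonce against the values the client expects. The sample id_token is the one from the response above; the JWK, issuer, client id and nonce passed in are the caller’s own inputs and are assumptions here.

```python
import base64, hashlib, hmac, json, time

# The id_token from the sample response above (header {"typ":"JWT","alg":"RS256"}).
SAMPLE_ID_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvd29yZHByZXNzLmRldiIsInN1YiI6IjEiLCJhdWQiOiJ6WkZBcldjcFVmcTlaUXFOSU5EWUZsUWhlS2FJZnRvT3MzcFUwQ2pWIiwiaWF0IjoxNDg4ODE3MjE1LCJleHAiOjE0ODg4MjA4MTUsImF1dGhfdGltZSI6MTQ4ODgxNzIxNSwibm9uY2UiOiIxMjMxMjMiLCJlbWFpbCI6Imp1c3RpbkBqdXN0aW4tZ3JlZXIuY29tIiwiZW1haWxfdmVyaWZpZWQiOiIifQ."
                   "pOMJhHhFroaPc32X55VRxpQVvfh84c2q5YtK6f31f4jjpBwh8VT8fFPSLRzAWd5Ri2YP3AYYDl1rk7DoDosrBz2B_EOQAU4y_rIV_zFYWoYsywuZIffu1anVeYbHOetxO-rLlOUXBCTO0kBtAeKTIwBhgfFupdKsf-eyzkNoG3knMg8JZxvRrAnvNCVUHOXguZbYxpx0ShYhlGyxbtn7W7Y59K-t6HPzD4BwzmAfdONbO-MF6imQCIZh922O46oJWhYPowv-ALJrVKHv_dLg3rHBikw06DjLLuKYWOwDUmz-6W6KYcH6HbZ9bnFaWvr5fuTpi0LxwAeMZvH1zsGgGg")
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017, 9.2

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def split_jwt(token: str):
    """Return (header, claims, signing_input, signature); trust none of it before verifying."""
    h, p, s = token.split(".")
    return (json.loads(b64url_decode(h)), json.loads(b64url_decode(p)),
            (h + "." + p).encode("ascii"), b64url_decode(s))

def emsa_pkcs1_v15_sha256(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k octets (RFC 8017, 9.2)."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rs256(signing_input: bytes, signature: bytes, jwk: dict) -> bool:
    """RSASSA-PKCS1-v1_5 verification against an RSA JWK ("n" and "e" base64url-encoded)."""
    n, e = (int.from_bytes(b64url_decode(jwk[x]), "big") for x in ("n", "e"))
    k = (n.bit_length() + 7) // 8  # octet length of the modulus
    if len(signature) != k:
        return False
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, emsa_pkcs1_v15_sha256(signing_input, k))

def check_claims(claims: dict, issuer: str, client_id: str, nonce: str, now: int = None) -> list:
    """Return the failed checks; an empty list means the claims are acceptable."""
    now = int(time.time()) if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]  # aud may be a string or an array
    checks = {"iss mismatch": claims.get("iss") == issuer,
              "aud mismatch": client_id in aud,
              "token expired": now < claims.get("exp", 0),
              "nonce mismatch": claims.get("nonce") == nonce}
    return [name for name, ok in checks.items() if not ok]

def validate_id_token(token: str, jwk: dict, issuer: str, client_id: str, nonce: str, now: int = None) -> list:
    """Signature first, then claims; alg is pinned to RS256 so the token cannot choose it."""
    header, claims, signing_input, signature = split_jwt(token)
    if header.get("alg") != "RS256" or not verify_rs256(signing_input, signature, jwk):
        return ["bad signature"]
    return check_claims(claims, issuer, client_id, nonce, now)
```

The JWK to pass in is the RSA key the server publishes at its jwks_uri; the sample token above cannot be verified here because the page does not include that key, so only its claims can be inspected.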