
How to Set up WP OAuth Server for Single Sign On with WordPress

Published: October 4, 2018 | Updated: November 29th, 2020

In this How-To, we will go over how to set up a client for Single Sign-On use within WordPress OAuth Server. For demonstration purposes, we will be assuming that the Single Sign-On Grant Type being used is the Authentication Code grant type.

If you are interested in seeing our example client for PHP, you can visit https://github.com/justingreerbbi/wordpress-oauth-server-clients.

Step 1 – Registering a Client

In WordPress, create a new client using the admin interface. This client will be unique to the site on which the Single Sign-On will take place. Ensure that the Redirect URI is set correctly.

IMPORTANT: When using the Authentication Code method, the Redirect URI setting MUST be set. 

Step 2 – Creating the Workflow

You will need to build a simple client for the website where you want Single Sign-On to take place. Before you begin implementing a method, you will need to know which Grant Type you will be using for the flow of the Single Sign-On process.

For this article, we are going to use the grant type “Authentication Code”. One of the simplest ways to start the authorization process is to create a basic HTML form. This form is for the client side.

A simple example of a login form is below:

<form action="https://your-server.com/oauth/authorize?response_type=code&client_id={TestClient}&redirect_uri={https://redirect-uri.com/cb}" method="post">
<input type="submit" value="Log In" />
</form>
  • You will need to replace “TestClient” with the Client ID assigned to the client you create in WordPress.
  • You will also have to change the “https://redirect-uri.com/cb” value to your site’s URL where the callback script is located.

This form will start the authorization flow when a user clicks the “Log In” button.

Note: The “redirect_uri” parameter may trigger a 403 Forbidden response because of the double slash (//) in its value. If your host does not allow the redirect_uri as a valid URL, you can omit the redirect_uri parameter altogether in the request. Ensure that the setting “Require Exact Redirect URI:” is unchecked under the miscellaneous settings of the OAuth Server.
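The authorization request from Step 2 can also be built in PHP, which percent-encodes the redirect_uri (so no literal // appears in the query string) and adds a one-time state value that the callback checks before using the code. This is an added example, not code from the plugin or its example client; the function names are hypothetical, and it assumes the server returns the state parameter unchanged, as RFC 6749 specifies.

```php
<?php
// Added example. The constants are the placeholders used in this how-to.
const OAUTH_SERVER = 'https://your-server.com';
const CLIENT_ID    = 'TestClient';
const REDIRECT_URI = 'https://redirect-uri.com/cb';

// Build the authorize URL and store a one-time state value in the session array.
function sso_authorize_url( array &$session ): string {
    $session['oauth_state'] = bin2hex( random_bytes( 16 ) );
    return OAUTH_SERVER . '/oauth/authorize?' . http_build_query( array(
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI, // percent-encoded by http_build_query()
        'state'         => $session['oauth_state'],
    ) );
}

// Return the authorization code from the callback query, or null to reject it.
function sso_callback_code( array $query, array &$session ): ?string {
    $expected = $session['oauth_state'] ?? '';
    unset( $session['oauth_state'] ); // a state value is valid for one callback only
    $state = $query['state'] ?? '';
    if ( $expected === '' || ! is_string( $state ) || ! hash_equals( $expected, $state ) ) {
        return null; // callback was not started by this browser session
    }
    if ( isset( $query['error'] ) || empty( $query['code'] ) || ! is_string( $query['code'] ) ) {
        return null; // access was denied or the code is missing
    }
    return $query['code'];
}

// Constructed run: plain arrays stand in for $_SESSION and $_GET.
$session = array();
$url     = sso_authorize_url( $session );
parse_str( parse_url( $url, PHP_URL_QUERY ), $sent );
echo $url, PHP_EOL;

$first  = sso_callback_code( array( 'code' => 'abc123', 'state' => $sent['state'] ), $session );
$replay = sso_callback_code( array( 'code' => 'abc123', 'state' => $sent['state'] ), $session );
$forged = sso_callback_code( array( 'code' => 'abc123', 'state' => 'not-the-issued-value' ), $session );
var_dump( $first, $replay, $forged );
```

In a real client, call session_start() first and pass $_SESSION and $_GET in place of the arrays.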

Step 3 – Requesting an Access Token

After the server has authenticated the user, it will redirect the user back to the client.

For this example, we will create a simple file called cb.php. Inside the file, we will add some code to send a request to the OAuth Server to request an access token.

<?php
// Base URL of the WordPress site running WP OAuth Server.
$server_url    = 'https://your-server.com';
$client_id     = '123';
$client_secret = '123';

// The server redirects back with ?code=...; stop if it is missing.
if ( empty( $_GET['code'] ) ) {
   exit( 'Missing authorization code.' );
}

$curl_post_data = array(
   'grant_type'    => 'authorization_code',
   'code'          => $_GET['code'],
   'redirect_uri'  => 'http://oauth.dev', // Must match the redirect_uri sent in the authorization request
   'client_id'     => $client_id,
   'client_secret' => $client_secret
);

$curl = curl_init( $server_url . '/oauth/token/' );

// Uncomment if you want to use CLIENT ID AND SECRET IN THE HEADER
//curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
//curl_setopt($curl, CURLOPT_USERPWD, $client_id.':'.$client_secret); // Your credentials go here
curl_setopt( $curl, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $curl, CURLOPT_POST, true );
curl_setopt( $curl, CURLOPT_POSTFIELDS, $curl_post_data );
// Keep certificate verification on: this request carries the client secret and the code.
curl_setopt( $curl, CURLOPT_SSL_VERIFYPEER, true );
curl_setopt( $curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 GTB5' );
curl_setopt( $curl, CURLOPT_REFERER, 'http://www.example.com/1' );

$curl_response = curl_exec( $curl );
curl_close( $curl );

// Print the raw JSON response for demonstration.
echo '<pre>';
print_r( $curl_response );
echo '</pre>';

If all goes well, the OAuth server will return an access token. The following is an example response.

{
   "access_token":"2e5a2e729965f12a90cf977ad723c5533133a911",
   "expires_in":86400,
   "token_type":"Bearer",
   "scope":"basic",
   "refresh_token":"aed1d92c9b985ae1e770925497414b9d1238e41c"
}

We recommend that you store all the information returned, but it is not required. At a minimum, you should save the access_token.

Step 4 – Requesting User Info

Now that you have a valid access token, you can make calls to the resource server on behalf of the user that has authenticated. The OAuth Server keeps track of the access tokens granted and ties them to the authenticated user.

At this point, you can call the /oauth/me/ endpoint preinstalled with WordPress OAuth Server.

// Replace xxx with the access_token value returned in Step 3.
$service_url = 'https://server.com/oauth/me?access_token=xxx';
$curl = curl_init($service_url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POST, false);
// Keep certificate verification on so the access token is only sent to the genuine server.
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);

$curl_response = curl_exec($curl);
$response = json_decode($curl_response); // Decoded user record as an object
curl_close($curl);

var_dump($response);

The server will respond with the following information about the user tied to the access token.

{"ID":"1","user_login":"admin","user_nicename":"admin","user_email":"justin@justin-greer.com","user_registered":"2015-01-01 23:15:31","user_status":"0","display_name":"admin"}

This information is what you will use as a shared login for Single Sign-On. It is up to you how you create the user flow on your client. The idea is to use the user login and user email to log in to or create the user's account in your client.
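One way to apply this, as an added example that is not part of the plugin or its example client: validate the /oauth/me body before trusting it, then log in or create the local account. The $users store, the function names and the remote_id link are assumptions, and the sample bodies are constructed.

```php
<?php
// Added example. $users is a hypothetical local user store keyed by e-mail.

// Decode an /oauth/me body; return the SSO fields, or null if it is not a user record.
function sso_identity( string $body ): ?array {
    $me = json_decode( $body, true );
    if ( ! is_array( $me ) ) {
        return null;
    }
    $id    = $me['ID'] ?? '';
    $login = $me['user_login'] ?? '';
    $email = $me['user_email'] ?? '';
    if ( ! is_scalar( $id ) || ! ctype_digit( (string) $id ) ) {
        return null;
    }
    if ( ! is_string( $login ) || $login === '' ) {
        return null;
    }
    if ( ! is_string( $email ) || ! filter_var( $email, FILTER_VALIDATE_EMAIL ) ) {
        return null;
    }
    return array( 'remote_id' => (int) $id, 'login' => $login, 'email' => strtolower( $email ) );
}

// Log in the matching local account, or create it on first sign-in.
function sso_login_or_create( array $identity, array &$users ): string {
    $key = $identity['email'];
    if ( ! isset( $users[ $key ] ) ) {
        $users[ $key ] = array( 'login' => $identity['login'], 'remote_id' => $identity['remote_id'] );
        return 'created';
    }
    // Reuse an existing account only if it is linked to the same server-side user ID.
    return $users[ $key ]['remote_id'] === $identity['remote_id'] ? 'logged_in' : 'rejected';
}

// Constructed sample bodies: a user record sent twice, a different user ID
// presenting the same e-mail, and an error object instead of a user record.
$samples = array(
    '{"ID":"1","user_login":"admin","user_email":"admin@example.com","display_name":"admin"}',
    '{"ID":"1","user_login":"admin","user_email":"admin@example.com","display_name":"admin"}',
    '{"ID":"7","user_login":"other","user_email":"admin@example.com"}',
    '{"error":"invalid_token","error_description":"constructed error body"}',
);
$users = array();
foreach ( $samples as $body ) {
    $identity = sso_identity( $body );
    echo $identity ? sso_login_or_create( $identity, $users ) : 'invalid response', PHP_EOL;
}
```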
