Setup WP OAuth Server for Single Sign On with WordPress

Documentation under "How To" for WP OAuth Server


In this How-To, we will go over how to set up a client for Single Sign-On use with WordPress OAuth Server. For demonstration purposes, we will assume that the grant type used for Single Sign-On is the Authorization Code grant type. If you are interested in seeing our example client for PHP, you can visit https://github.com/justingreerbbi/wordpress-oauth-server-clients.

Step 1

Create a consumer/client using the admin interface. This client will be unique to the site on which the Single Sign-On will take place. Ensure that the Redirect URI is set correctly. IMPORTANT: When using the Authorization Code method, the Redirect URI setting MUST be set.

Step 2

You will need to build a simple client for the website on which you want Single Sign-On to take place. Before you begin implementing a method, you will need to know which Grant Type you will be using for the flow of the Single Sign-On process. In this demonstration we use Authorization Code because of its popularity and simplicity. One of the simplest ways to start the authorization process is to create a basic HTML form. An example of a login button is below:

<form action="https://your-server.com/oauth/authorize?response_type=code&client_id=TestClient&redirect_uri=https://redirect-uri.com/cb" method="post">
<input type="submit" value="Log In" />
</form>

You will need to replace “TestClient” with the Client ID assigned to the consumer you created in Step 1. You will also have to change the “https://redirect-uri.com/cb” value to the URL on your site where the callback script is located (explained in Step 3). This form will start the authorization flow when a user clicks the “Log In” button. Note that the “redirect_uri” parameter may trigger a 403 Forbidden response on some hosts because of the double slash (//) inside the query string. If your host does not allow a URL as the value of redirect_uri, you can omit the redirect_uri parameter from the request altogether; the server then falls back to the Redirect URI configured in Step 1. In that case, ensure that the setting “Require Exact Redirect URI:” is unchecked under the miscellaneous settings of the OAuth Server.

Step 3

After the server has authenticated the user, it will redirect the user back to the Redirect URI assigned to the client in Step 1. To handle the user's return to your site, you will need a simple script to process the request. For this example, we will create a simple file called cb.php. Inside the cb.php file, we will add some code that sends a request to the OAuth Server's token endpoint using the code provided in the URL.

<?php
// Credentials of the consumer created in Step 1
$client_id     = '123';
$client_secret = '123';
$server_url    = 'https://your-server.com';     // base URL of the WordPress OAuth Server
$redirect_uri  = 'https://redirect-uri.com/cb'; // must match the Redirect URI from Step 1

if ( empty( $_GET['code'] ) ) {
   exit( 'No authorization code was returned.' );
}

$curl_post_data = array(
   'grant_type'    => 'authorization_code',
   'code'          => $_GET['code'],
   'redirect_uri'  => $redirect_uri,
   'client_id'     => $client_id,    // Only needed if server is running CGI
   'client_secret' => $client_secret // Only needed if server is running CGI
);

$curl = curl_init( $server_url . '/oauth/token/' );

// Uncomment if you want to send the client ID and secret in the Authorization header instead
//curl_setopt( $curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC );
//curl_setopt( $curl, CURLOPT_USERPWD, $client_id . ':' . $client_secret ); // Your credentials go here
curl_setopt( $curl, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $curl, CURLOPT_POST, true );
// Send the fields as application/x-www-form-urlencoded, as the token endpoint expects
curl_setopt( $curl, CURLOPT_POSTFIELDS, http_build_query( $curl_post_data ) );
// Keep certificate verification on; set to false only against a local development server
curl_setopt( $curl, CURLOPT_SSL_VERIFYPEER, true );
curl_setopt( $curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 GTB5' );

$curl_response = curl_exec( $curl );
if ( $curl_response === false ) {
   exit( 'Token request failed: ' . curl_error( $curl ) );
}
curl_close( $curl );

// The token endpoint answers with JSON; store at least the access_token
$token = json_decode( $curl_response, true );
echo '<pre>';
print_r( $token );
echo '</pre>';

If all goes well, the OAuth server will return an access token. The following response is an example of what the token endpoint returns.

{
   "access_token":"2e5a2e729965f12a90cf977ad723c5533133a911",
   "expires_in":86400,
   "token_type":"Bearer",
   "scope":"basic",
   "refresh_token":"aed1d92c9b985ae1e770925497414b9d1238e41c"
}

We recommend that you store all the information returned, but it is not required. At a minimum, you should save the access_token.

Step 4

Now that you have a valid access token, you can make calls to the resource server on behalf of the user who has authenticated. The OAuth Server keeps track of the access tokens it has granted and ties each one to the authenticated user. At this point, you can call the /oauth/me/ method pre-installed with WordPress OAuth Server to retrieve the user information. This is accomplished with another request. An example is below.

<?php
// Use the access_token saved in Step 3 in place of the 'xxx' placeholder
$access_token = 'xxx';
$service_url  = 'https://server.com/oauth/me?access_token=' . rawurlencode( $access_token );
$curl = curl_init( $service_url );
curl_setopt( $curl, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $curl, CURLOPT_HTTPGET, true ); // /oauth/me is read with a GET request
// Keep certificate verification on; set to false only against a local development server
curl_setopt( $curl, CURLOPT_SSL_VERIFYPEER, true );

$curl_response = curl_exec( $curl );
if ( $curl_response === false ) {
   exit( 'Request to /oauth/me failed: ' . curl_error( $curl ) );
}
curl_close( $curl );

$response = json_decode( $curl_response, true ); // associative array of the user fields
var_dump( $response );

The server will respond with the following information about the user the access token is tied to.

{
   "ID":"1",
   "user_login":"admin",
   "user_nicename":"admin",
   "user_email":"justin@justin-greer.com",
   "user_registered":"2015-01-01 23:15:31",
   "user_status":"0",
   "display_name":"admin"
}

This information is what you will use as the shared identity for Single Sign-On. It is up to you how you design the user flow on your client. The idea is to use the user_login and user_email values to log in an existing user or create the user's account on your client.
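The whole flow from Steps 2 to 4 in one callback script, as an added example that is not code from the WP OAuth Server project or its example clients. Beyond the steps above it binds the authorization request to the browser session with a random state value and refuses any returned code whose state does not match, which stops a code minted for someone else from being planted into a victim's session. The server, client and redirect values are placeholders, and the example assumes the server echoes the state parameter back on the redirect, as OAuth 2.0 requires.

```php
<?php
// Added example, not code from the WP OAuth Server project: a cb.php that starts the
// flow, binds it to the session with a random "state" value, and checks it on return.
// Placeholders: $server, $client_id, $client_secret, $redirect_uri (assumed values).
session_start();
$server        = 'https://your-server.com';        // placeholder
$client_id     = 'TestClient';                     // placeholder, from Step 1
$client_secret = 'REPLACE_WITH_CLIENT_SECRET';     // placeholder, from Step 1
$redirect_uri  = 'https://your-site.com/cb.php';   // placeholder, must match Step 1
// Small cURL helper with TLS verification left on; returns the decoded JSON body or null.
function oauth_request($url, array $post = null, $basic_auth = null) {
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
    if ($post !== null) {
        curl_setopt($curl, CURLOPT_POST, true);
        curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($post));
    }
    if ($basic_auth !== null) {                  // client_id:client_secret in the header
        curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
        curl_setopt($curl, CURLOPT_USERPWD, $basic_auth);
    }
    $body = curl_exec($curl);
    curl_close($curl);
    return $body === false ? null : json_decode($body, true);
}
if (!isset($_GET['code'])) {
    // No code yet: issue a one-time state, remember it, and send the user to /oauth/authorize.
    $_SESSION['oauth_state'] = bin2hex(random_bytes(16));
    header('Location: ' . $server . '/oauth/authorize?' . http_build_query(array(
        'response_type' => 'code', 'client_id' => $client_id,
        'redirect_uri' => $redirect_uri, 'state' => $_SESSION['oauth_state'])));
    exit;
}
// Returned with a code: refuse it unless the state matches what this session issued.
if (empty($_GET['state']) || empty($_SESSION['oauth_state'])
    || !hash_equals($_SESSION['oauth_state'], $_GET['state'])) {
    http_response_code(400); exit('Invalid state');
}
unset($_SESSION['oauth_state']);               // one-time use only
$token = oauth_request($server . '/oauth/token/', array('grant_type' => 'authorization_code',
    'code' => $_GET['code'], 'redirect_uri' => $redirect_uri), $client_id . ':' . $client_secret);
if (empty($token['access_token'])) { http_response_code(502); exit('Token exchange failed'); }
// /oauth/me gives user_login and user_email, the values Step 4 maps to a local account.
$me = oauth_request($server . '/oauth/me?access_token=' . rawurlencode($token['access_token']));
if (empty($me['user_login'])) { http_response_code(502); exit('Could not read user'); }
// Here: look up or create the local account by $me['user_login'] / $me['user_email'] and log it in.
```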