# WP OAuth2 Server A WordPress OAuth2 authorization server implementation with PSR-4 autoloading and modular architecture. ## Overview This is a complete OAuth2 authorization server for WordPress that transforms WordPress into an OAuth2 provider, allowing other applications to authenticate users and access WordPress resources via standard OAuth2 flows. ## Architecture ### Directory Structure ``` WPOAuth2Server/ ├── Admin/ # WordPress admin interface components ├── Auth/ # Authentication mechanisms (Bearer, JWT, etc.) ├── Client/ # OAuth2 client management ├── Core/ # Core OAuth2 server implementation ├── Storage/ # Data storage adapters └── autoloader.php # PSR-4 autoloader ``` ### Key Components - **Core/OAuth2Server.php** - Main OAuth2 server implementation - **Core/OAuth2PoC.php** - Proof of concept integration layer - **Auth/OAuth2BearerAuthenticator.php** - Bearer token authentication - **Client/OAuth2ClientManager.php** - OAuth2 client management - **Storage/** - WordPress database integration adapters ## Features ✅ **OAuth2 Authorization Code Flow** - Complete authorization endpoint with user consent - Token exchange with access and refresh tokens - PKCE support for public clients ✅ **WordPress Integration** - Seamless integration with WordPress authentication - WordPress REST API authentication via Bearer tokens - Custom post types for OAuth2 client storage ✅ **Security Features** - Client credential validation - Token expiration and refresh - Redirect URI validation - Scope-based access control ## Usage ### PSR-4 Autoloading ```php require_once 'autoloader.php'; use WPOAuth2Server\Core\OAuth2Server; use WPOAuth2Server\Core\OAuth2PoC; // Initialize OAuth2 server $oauth2_poc = OAuth2PoC::instance(); ``` ### OAuth2 Endpoints - `/oauth/authorize` - Authorization endpoint - `/oauth/token` - Token endpoint - `/oauth/introspect` - Token introspection - `/oauth/revoke` - Token revocation ### Example OAuth2 Flow 1. **Authorization Request** ``` GET /oauth/authorize?response_type=code&client_id=dev-client&redirect_uri=https://example.com/callback&scope=basic&state=xyz123 ``` 2. **Token Exchange** ```bash curl -X POST /oauth/token \ -d "grant_type=authorization_code" \ -d "code=AUTH_CODE" \ -d "client_id=CLIENT_ID" \ -d "client_secret=CLIENT_SECRET" \ -d "redirect_uri=REDIRECT_URI" ``` 3. **API Access** ```bash curl -H "Authorization: Bearer ACCESS_TOKEN" /wp-json/wp/v2/users/me ``` ## Development ### Testing The OAuth2 server has been successfully tested with: - Authorization code flow - Bearer token authentication - WordPress REST API integration - Client credential validation ### Requirements - PHP 7.4+ - WordPress 5.0+ - PSR-4 autoloading support ## Security Considerations - Client secrets should be stored securely - HTTPS should be used in production - Token lifetimes should be configured appropriately - Scope permissions should be carefully managed ## License This project is part of the WordPress OAuth2 Provider plugin.