- Implements complete OAuth2 authorization server for WordPress
- PSR-4 autoloading with WPOAuth2Server namespace structure
- Modular architecture with Auth, Client, Core, Storage components
- Successfully tested authorization code flow with bearer authentication
- Clean separation from WordPress plugin code for reusability
WP OAuth2 Server
A WordPress OAuth2 authorization server implementation with PSR-4 autoloading and modular architecture.
Overview
This is a complete OAuth2 authorization server for WordPress that transforms WordPress into an OAuth2 provider, allowing other applications to authenticate users and access WordPress resources via standard OAuth2 flows.
Architecture
Directory Structure
WPOAuth2Server/
├── Admin/ # WordPress admin interface components
├── Auth/ # Authentication mechanisms (Bearer, JWT, etc.)
├── Client/ # OAuth2 client management
├── Core/ # Core OAuth2 server implementation
├── Storage/ # Data storage adapters
└── autoloader.php # PSR-4 autoloader
Key Components
- Core/OAuth2Server.php - Main OAuth2 server implementation
- Core/OAuth2PoC.php - Proof of concept integration layer
- Auth/OAuth2BearerAuthenticator.php - Bearer token authentication
- Client/OAuth2ClientManager.php - OAuth2 client management
- Storage/ - WordPress database integration adapters
Features
✅ OAuth2 Authorization Code Flow
- Complete authorization endpoint with user consent
- Token exchange with access and refresh tokens
- PKCE support for public clients
✅ WordPress Integration
- Seamless integration with WordPress authentication
- WordPress REST API authentication via Bearer tokens
- Custom post types for OAuth2 client storage
✅ Security Features
- Client credential validation
- Token expiration and refresh
- Redirect URI validation
- Scope-based access control
Usage
PSR-4 Autoloading
require_once 'autoloader.php';
use WPOAuth2Server\Core\OAuth2Server;
use WPOAuth2Server\Core\OAuth2PoC;
// Initialize OAuth2 server
$oauth2_poc = OAuth2PoC::instance();
OAuth2 Endpoints
- /oauth/authorize - Authorization endpoint
- /oauth/token - Token endpoint
- /oauth/introspect - Token introspection
- /oauth/revoke - Token revocation
Example OAuth2 Flow
- Authorization Request
GET /oauth/authorize?response_type=code&client_id=dev-client&redirect_uri=https://example.com/callback&scope=basic&state=xyz123
- Token Exchange
curl -X POST /oauth/token \
  -d "grant_type=authorization_code" \
  -d "code=AUTH_CODE" \
  -d "client_id=CLIENT_ID" \
  -d "client_secret=CLIENT_SECRET" \
  -d "redirect_uri=REDIRECT_URI"
- API Access
curl -H "Authorization: Bearer ACCESS_TOKEN" /wp-json/wp/v2/users/me
Development
Testing
The OAuth2 server has been successfully tested with:
- Authorization code flow
- Bearer token authentication
- WordPress REST API integration
- Client credential validation
Requirements
- PHP 7.4+
- WordPress 5.0+
- PSR-4 autoloading support
Security Considerations
- Client secrets should be stored securely
- HTTPS should be used in production
- Token lifetimes should be configured appropriately
- Scope permissions should be carefully managed
License
This project is part of the WordPress OAuth2 Provider plugin.
Description
Enterprise OAuth2 authentication server — leave your digital scent trail for secure access control.
TigerStyle Scent v1.0.0