tigerstyle-scent/README.md
Ryan Malloy 1da0acd25a Initial commit: WordPress OAuth2 Server with PSR-4 architecture
- Implements complete OAuth2 authorization server for WordPress
- PSR-4 autoloading with WPOAuth2Server namespace structure
- Modular architecture with Auth, Client, Core, Storage components
- Successfully tested authorization code flow with bearer authentication
- Clean separation from WordPress plugin code for reusability
2025-09-16 20:53:00 -06:00

117 lines
3.1 KiB
Markdown

# WP OAuth2 Server
A WordPress OAuth2 authorization server implementation with PSR-4 autoloading and modular architecture.
## Overview
This is a complete OAuth2 authorization server for WordPress that transforms WordPress into an OAuth2 provider, allowing other applications to authenticate users and access WordPress resources via standard OAuth2 flows.
## Architecture
### Directory Structure
```
WPOAuth2Server/
├── Admin/ # WordPress admin interface components
├── Auth/ # Authentication mechanisms (Bearer, JWT, etc.)
├── Client/ # OAuth2 client management
├── Core/ # Core OAuth2 server implementation
├── Storage/ # Data storage adapters
└── autoloader.php # PSR-4 autoloader
```
### Key Components
- **Core/OAuth2Server.php** - Main OAuth2 server implementation
- **Core/OAuth2PoC.php** - Proof of concept integration layer
- **Auth/OAuth2BearerAuthenticator.php** - Bearer token authentication
- **Client/OAuth2ClientManager.php** - OAuth2 client management
- **Storage/** - WordPress database integration adapters
## Features
**OAuth2 Authorization Code Flow**
- Complete authorization endpoint with user consent
- Token exchange with access and refresh tokens
- PKCE support for public clients
**WordPress Integration**
- Seamless integration with WordPress authentication
- WordPress REST API authentication via Bearer tokens
- Custom post types for OAuth2 client storage
**Security Features**
- Client credential validation
- Token expiration and refresh
- Redirect URI validation
- Scope-based access control
## Usage
### PSR-4 Autoloading
```php
require_once 'autoloader.php';
use WPOAuth2Server\Core\OAuth2Server;
use WPOAuth2Server\Core\OAuth2PoC;
// Initialize OAuth2 server
$oauth2_poc = OAuth2PoC::instance();
```
### OAuth2 Endpoints
- `/oauth/authorize` - Authorization endpoint
- `/oauth/token` - Token endpoint
- `/oauth/introspect` - Token introspection
- `/oauth/revoke` - Token revocation
### Example OAuth2 Flow
1. **Authorization Request**
```
GET /oauth/authorize?response_type=code&client_id=dev-client&redirect_uri=https://example.com/callback&scope=basic&state=xyz123
```
2. **Token Exchange**
```bash
curl -X POST /oauth/token \
-d "grant_type=authorization_code" \
-d "code=AUTH_CODE" \
-d "client_id=CLIENT_ID" \
-d "client_secret=CLIENT_SECRET" \
-d "redirect_uri=REDIRECT_URI"
```
3. **API Access**
```bash
curl -H "Authorization: Bearer ACCESS_TOKEN" /wp-json/wp/v2/users/me
```
## Development
### Testing
The OAuth2 server has been successfully tested with:
- Authorization code flow
- Bearer token authentication
- WordPress REST API integration
- Client credential validation
### Requirements
- PHP 7.4+
- WordPress 5.0+
- PSR-4 autoloading support
## Security Considerations
- Client secrets should be stored securely
- HTTPS should be used in production
- Token lifetimes should be configured appropriately
- Scope permissions should be carefully managed
## License
This project is part of the WordPress OAuth2 Provider plugin.