- Implements complete OAuth2 authorization server for WordPress - PSR-4 autoloading with WPOAuth2Server namespace structure - Modular architecture with Auth, Client, Core, Storage components - Successfully tested authorization code flow with bearer authentication - Clean separation from WordPress plugin code for reusability
117 lines
3.1 KiB
Markdown
117 lines
3.1 KiB
Markdown
# WP OAuth2 Server
|
|
|
|
A WordPress OAuth2 authorization server implementation with PSR-4 autoloading and modular architecture.
|
|
|
|
## Overview
|
|
|
|
This is a complete OAuth2 authorization server for WordPress that transforms WordPress into an OAuth2 provider, allowing other applications to authenticate users and access WordPress resources via standard OAuth2 flows.
|
|
|
|
## Architecture
|
|
|
|
### Directory Structure
|
|
|
|
```
|
|
WPOAuth2Server/
|
|
├── Admin/ # WordPress admin interface components
|
|
├── Auth/ # Authentication mechanisms (Bearer, JWT, etc.)
|
|
├── Client/ # OAuth2 client management
|
|
├── Core/ # Core OAuth2 server implementation
|
|
├── Storage/ # Data storage adapters
|
|
└── autoloader.php # PSR-4 autoloader
|
|
```
|
|
|
|
### Key Components
|
|
|
|
- **Core/OAuth2Server.php** - Main OAuth2 server implementation
|
|
- **Core/OAuth2PoC.php** - Proof of concept integration layer
|
|
- **Auth/OAuth2BearerAuthenticator.php** - Bearer token authentication
|
|
- **Client/OAuth2ClientManager.php** - OAuth2 client management
|
|
- **Storage/** - WordPress database integration adapters
|
|
|
|
## Features
|
|
|
|
✅ **OAuth2 Authorization Code Flow**
|
|
- Complete authorization endpoint with user consent
|
|
- Token exchange with access and refresh tokens
|
|
- PKCE support for public clients
|
|
|
|
✅ **WordPress Integration**
|
|
- Seamless integration with WordPress authentication
|
|
- WordPress REST API authentication via Bearer tokens
|
|
- Custom post types for OAuth2 client storage
|
|
|
|
✅ **Security Features**
|
|
- Client credential validation
|
|
- Token expiration and refresh
|
|
- Redirect URI validation
|
|
- Scope-based access control
|
|
|
|
## Usage
|
|
|
|
### PSR-4 Autoloading
|
|
|
|
```php
|
|
require_once 'autoloader.php';
|
|
|
|
use WPOAuth2Server\Core\OAuth2Server;
|
|
use WPOAuth2Server\Core\OAuth2PoC;
|
|
|
|
// Initialize OAuth2 server
|
|
$oauth2_poc = OAuth2PoC::instance();
|
|
```
|
|
|
|
### OAuth2 Endpoints
|
|
|
|
- `/oauth/authorize` - Authorization endpoint
|
|
- `/oauth/token` - Token endpoint
|
|
- `/oauth/introspect` - Token introspection
|
|
- `/oauth/revoke` - Token revocation
|
|
|
|
### Example OAuth2 Flow
|
|
|
|
1. **Authorization Request**
|
|
```
|
|
GET /oauth/authorize?response_type=code&client_id=dev-client&redirect_uri=https://example.com/callback&scope=basic&state=xyz123
|
|
```
|
|
|
|
2. **Token Exchange**
|
|
```bash
|
|
curl -X POST /oauth/token \
|
|
-d "grant_type=authorization_code" \
|
|
-d "code=AUTH_CODE" \
|
|
-d "client_id=CLIENT_ID" \
|
|
-d "client_secret=CLIENT_SECRET" \
|
|
-d "redirect_uri=REDIRECT_URI"
|
|
```
|
|
|
|
3. **API Access**
|
|
```bash
|
|
curl -H "Authorization: Bearer ACCESS_TOKEN" /wp-json/wp/v2/users/me
|
|
```
|
|
|
|
## Development
|
|
|
|
### Testing
|
|
|
|
The OAuth2 server has been successfully tested with:
|
|
- Authorization code flow
|
|
- Bearer token authentication
|
|
- WordPress REST API integration
|
|
- Client credential validation
|
|
|
|
### Requirements
|
|
|
|
- PHP 7.4+
|
|
- WordPress 5.0+
|
|
- PSR-4 autoloading support
|
|
|
|
## Security Considerations
|
|
|
|
- Client secrets should be stored securely
|
|
- HTTPS should be used in production
|
|
- Token lifetimes should be configured appropriately
|
|
- Scope permissions should be carefully managed
|
|
|
|
## License
|
|
|
|
This project is part of the WordPress OAuth2 Provider plugin. |