Are you looking to add login into mobile app using WordPress credentials? miniOrange OAuth 2.0 Server/Provider is the solution for you! SSO or Single Sign-On has been in use by enterprises for more than a decade now. It has been quite popular for web-based applications, but for mobile applications; SSO has been an intricate task. New technologies and notions are using OAuth 2.0 flow; which allows users to do mobile application SSO seamlessly. A few ways to achieve this are discussed below.

Download And Installation

• Log into your WordPress instance as an admin.
• Go to the WordPress Dashboard -> Plugins and click on Add New.
• Search for a WordPress OAuth Server Single Sign-On (SSO) plugin and click on Install Now.
• Once installed click on Activate.

Below are the grant types with which the Mobile SSO can be achieved

1. Authorization Code Grant with PKCE Flow

PKCE or Proof Key for Code Exchange is a security extension of OAuth 2.0 for mobile applications Single Sign-On (SSO )using WordPress Server. It is intended to avoid compromising the client_secret. The flow uses two parameters, the code verifier and the code challenge instead of the client secret.

The detailed flow of PKCE is described below:



• The code verifier and code challenge are generated initially before sending an authorization request.
• An authorization request is then formed with response_type, client_id, client_secret, redirect_uri, code_challenge, and code_challenge_method as required parameters and state and scope as optional parameters.
• The authorization response is received with an authorization code after the user has logged in and is then redirected to the redirect_uri provided.
• The authorization code and code_verifier are sent to the token endpoint as an access token request.
• The code_verifier is then transformed using the code_challenge_method to verify the results against the code_challenge. If they match, the access token request is verified and the access token is received in the response.
• The user information later can be retrieved using the id token or the user info endpoint.

The aforementioned flow requires the user to be redirected to your WordPress site. So, it can be done in 2 ways, either you can open a webview inside your mobile app, or redirect users to the browser application.

2. Resource Owner Password Grant Flow

The Resource Owner Password Grant Flow uses the user credentials (eg. email and password) directly and sends them in the POST request of the application. Then, an id or access token with a refresh token is returned to the application, which can be fetched from the id_token directly by decoding it, or sending an API call to the userinfo endpoint using the access_token.

The detailed flow of the Resource Owner Password Grant is described below:



• The user provides the credentials (eg. email and password) for the mobile application login.
• The access token request is then sent with grant_type, scope, client_id, client_secret, username, and password as the parameters.
• The access token response is received with an id_token or access_token depending on the scope, expires_in, scope, and token_type.
• After validation of the access token, the resource request is sent, which returns the user information in response. This user information can also be retrieved using the user info endpoint.

Additional Resources

• OAuth Server Single Sign-On(SSO)
• SSO for Mobile Apps with OpenID Connect

If you have any questions or queries or want to discuss your use case, please feel free to reach out at oauthsupport@xecurify.com we will provide you demo and show you the working of the solution so that you are 100% sure about the solution before you decide to purchase it.