Contents
OAuth API Documentation
Authorization Code Grant
-
Authorization Request
- The application first needs to decide which permissions it is requesting, then send the user to a browser to get their permission. To initiate this authorization flow, form a URL as below and redirect the end user's browser to the URL:
GET http://<wp_base_url>/wp-json/moserver/authorize
?response_type=code
&client_id= <client_id_goes_here>
&redirect_uri= <callback_url>
&scope= <permissions_requesting>
&state= <security_token>
https://example-app.com/redirect
?code=<authorization-code>
&state=<security_token>
Token Request
- If the end user granted your app access and you receive an Authorization Code, you can exchange the Authorization Code for an Access Token by making a POST request to the token endpoint.
- The following is an example for POST request:
POST http://<wp_base_url>/wp-json/moserver/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&
code=<authorization_code>&
client_id=<client_id>&
client_secret=<clientSecret>&
redirect_uri=<redirect_uri>
- grant_type=authorization_code : The type of grant you are providing. This tells that the application is using authorization code grant type.
- code : The authorization code recieved in previous step, included here.
- redirect_uri: The same uri that was provided earlier in the authorization request.
- client_id : The client ID provided by the OAuth provider.
- client_secret : The client secret provided by the OAuth provider.
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"access_token":"hkjher92u9eu2u3uihi2eh9293",
"token_type":"bearer",
"expires_in":3600,
"scope":"profile",
"id_token":""
}
- access_token : access token for the Userinfo endpoint.
- token_type : OAuth 2.0 token type value. The value must be Bearer.
- expires_in : The expiry time for the access token.
- scope: One or more space seperated strings which indicates the permission your application requesting.
- id_token: The ID Token is a security token that contains Claims about the authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims
"error" : "invalid_request",
"error_description" : "A more detailed description of the error intended for the developer of your app."
Resource Request
- If the token request is successful, you will get access_token in the response which can be used to access the protected resources via the API.
- Userinfo Request: The following is a non-formative example of Userinfo Request:
GET http://<wp_base_url>/wp-json/moserver/resource
Host: server.example.com
Authorization: Bearer <access_token>
Below is the example:
{
"id": "1",
"username": "abc",
"first_name": "xyz",
"last_name": "example",
"picture": "https://example.com/-kwtzesU/photo.jpg",
"email": "abc@example.com",
"locale": "en",...
}
Implicit Code Grant
-
Authorization Request
- The application first needs to decide which permissions it is requesting, then send the user to a browser to get their permission. To initiate this implicit flow, form a URL as below and redirect the end user's browser to the URL:
Get http://<wp_base_url>/wp-json/moserver/authorize
?response_type=token
&client_id= <client_id_goes_here>
&redirect_uri= <callback_url>
&scope= <permissions_requesting>
&state= <security_token>
https://callback-url?
#access_token=<access_token>
&token_type=Bearer
&expires_in=3600
&scope=<permissions_requesting>
Here, is the description for each parameter received in the response.
- access_token : access token for the Userinfo endpoint.
- token_type : OAuth 2.0 token type value. The value must be Bearer.
- expires_in : The expiry time for the access token.
- scope: One or more space seperated strings which indicates the permission your application requesting.
Resource Request
- The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User. The returned Claims are represented by a JSON object that contains a collection of name and value pairs for the Claims.
- Userinfo Request: The following is a non-formative example of Userinfo Request:
GET http://<wp_base_url>/wp-json/moserver/resource
Host: server.example.com
Authorization: Bearer <access_token>
Below is the example:
{
"id": "1",
"username": "abc",
"first_name": "xyz",
"last_name": "example",
"picture": "https://example.com/-kwtzesU/photo.jpg",
"email": "abc@example.com",
"locale": "en",...
}
Password Grant
- The resource owner password (or "password") grant type is mostly used in cases where the app is highly trusted. In this configuration, the user provides their resource server credentials (username/password) to the client app, which sends them in an access token request.
-
Token Request
- The Password grant is one of the simplest OAuth grants and involves only one step: the application presents a traditional username and password login form to collect the user’s credentials and makes a POST request to the server to exchange the password for an access token. The POST request that the application makes looks like the example below.
POST http://<wp_base_url>/wp-json/moserver/token
Host: authorization-server.com
Content-type: application/x-www-form-urlencoded
grant_type=password
&username=exampleuser
&password=12345678
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx
- grant_type=password : This tells the server we’re using the Password grant type
- username= The user’s username that they entered in the application
- password= The user’s password that they entered in the application
- client_id= The public identifier of the application that the developer obtained during registration
- client_secret= The client secret provided by the OAuth provider.
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"access_token":"hkjher92u9eu2u3uihi2eh9293",
"token_type":"bearer",
"expires_in":3600,
"scope":"profile",
"id_token":""
}
Here, is the description for each parameter received in the response.
- access_token : access token for the Userinfo endpoint.
- token_type : OAuth 2.0 token type value. The value must be Bearer.
- expires_in : The expiry time for the access token.
- scope: One or more space seperated strings which indicates the permission your application requesting.
Resource Request
- The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User. The returned Claims are represented by a JSON object that contains a collection of name and value pairs for the Claims.
- Userinfo Request: The following is a non-formative example of Userinfo Request:
GET http://<wp_base_url>/wp-json/moserver/resource
Host: server.example.com
Authorization: Bearer <access_token>
Below is the example:
{
"id": "1",
"username": "abc",
"first_name": "xyz",
"last_name": "example",
"picture": "https://example.com/-kwtzesU/photo.jpg",
"email": "abc@example.com",
"locale": "en",...
}
Client Credentials Grant
- Client Credentials grant can be used for machine to machine authentication. In this grant a specific user is not authorized but rather the credentials are verified and a generic access_token is returned..
-
Token Request
- To receive an access token, the client POSTs an API call with the values for client ID and client secret obtained from a registered developer app as follow.
POST http://<wp_base_url>/wp-json/moserver/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&
client_id=<client_id>&
client_secret=<clientSecret>&
redirect_uri=<redirect_uri>&
scope=<permisssions_requested>
- The POST request parameters are explained below.
- grant_type=client_credentials : This tells the server we’re using the client credentials grant type.
- client_id= The public identifier of the application that the developer obtained during registration.
- client_secret: The client secret provided by the OAuth provider.
- redirect_uri : Callback Url to which user will be redirected once they allow or disallow the access to your app.
- scope : One or more space seperated strings which indicates the permission your application requesting.
{
"access_token": <access_token>,
"expires_in": 600,
"token_type": "Bearer"
}
- access_token : access token for the Userinfo endpoint.
- expires_in The expiry time for the access token.
- token_type: OAuth 2.0 token type value. The value must be Bearer.
Resource Request
- The Client Credentials Grant does not support Resource Request.
Refresh Token Grant
- A Refresh Token allows the application to issue a new Access Token or ID Token without having to re-authenticate the user. This will work as long as the Refresh Token has not been revoked.
-
Token Request
- The response of token request should contain access token ans refresh token.
{
"access_token": "etMv23....429hiU32Hri",
"refresh_token": "GEbRxBN...edjnXbL",
"token_type": "Bearer"
}
POST http://<wp_base_url>/wp-json/moserver/token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&
client_id=<client_id>&
client_secret=<client_secret>&
refresh_token=<refresh_token>
- grant_type=refresh_token : This tells the server we’re using the refresh token grant type.
- client_id= The public identifier of the application that the developer obtained during registration.
- client_secret: The client secret provided by the OAuth provider.
- refresh_token : The refresh token to use.
{
"access_token": "eyJ...MoQ",
"expires_in": 86400,
"scope": <scope>,
"id_token": "eyJ...0NE",
"token_type": "Bearer"
}
Revoke a Refresh Token
- Since Refresh Tokens never expire, it is essential to be able to revoke them in case they get compromised.
- To revoke a Refresh Token, you can send a POST request to token endpoint as follows.
POST http://<wp_base_url>/wp-json/moserver/token
Content-Type: application/x-www-form-urlencoded
client_id=<client_id>&
client_secret=<client_secret>&
refresh_token=<refresh_token>
If you don't find what you are looking for, please contact us at info@miniorange.com or call us at +1 978 658 9387 to find an answer to your question about Wordpress OAuth Server.
Watch the videos to learn more
Watch Demo
×
![ADFS_sso]()
Trending searches:
Hello there!
Need Help? We are right here!
Contact miniOrange Support
Thanks for your inquiry.
If you dont hear from us within 24 hours, please feel free to send a follow up email to info@xecurify.com
Cookie Preferences
Cookie Consent
This privacy statement applies to miniorange websites describing how we handle the personal information. When you visit any website, it may store or retrieve the information on your browser, mostly in the form of the cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not directly identify you, but it can give you a more personalized web experience. Click on the category headings to check how we handle the cookies. For the privacy statement of our solutions you can refer to the privacy policy.
Strictly Necessary Cookies
Always Active
Necessary cookies help make a website fully usable by enabling the basic functions like site navigation, logging in, filling forms, etc. The cookies used for the functionality do not store any personal identifiable information. However, some parts of the website will not work properly without the cookies.
Performance Cookies
Always Active
These cookies only collect aggregated information about the traffic of the website including - visitors, sources, page clicks and views, etc. This allows us to know more about our most and least popular pages along with users' interaction on the actionable elements and hence letting us improve the performance of our website as well as our services.