Single Sign On between WordPress and a Custom Website

WordPress OAuth /OIDC Login plugin allows login with your Custom Identity Provider / Server. This Single Sign On plugin works with any OAuth / OpenIDC Connect provider that conforms to the OAuth 2.0 and OpenID Connect 1.0 standard.


 How to set up Single Sign On on WordPress using your custom App/IDP?


Setting up single sign on with your custom Identity Provider is possible with our OAuth/OpenID Connect Single Sign On plugin. If you want your users to log in to your WordPress site using their Identity Provider credentials, our plugin supports that: users SSO into the WordPress site with their Custom Provider credentials. Similarly, you can map WordPress roles based on your Custom Provider attributes/groups. To know more about other features we provide in the WP OAuth Client plugin, you can click here.

  • If your application supports the standard OAuth 2.0 protocol, select Custom OAuth 2.0 App from the app list
  • If your application supports the standard OpenID Connect protocol, select Custom OpenID Connect App from the app list

If your app doesn't support the standard OAuth/OIDC flow, please reach out to us at oauthsupport@xecurify.com and we can provide a customized solution for your use case.

 What is Single Sign On?


  • Single Sign On is a scheme that allows users to log in to multiple applications using a single set of credentials, i.e. username and password.
  • In simple terms, Single Sign-On (SSO) means logging in to one site/application using the credentials of another app/site.
  • Example: if all your users/customers/members/employees are stored on one site (e.g. Gmail, WordPress, etc.), say site A, and you want all of them to register/log in to your WordPress site, say site B, you can register/log in all users of site A into site B using their site A login credentials/account. This is called Single Sign-On or SSO.

 What is OAuth?


  • OAuth (Open Authorization) is an open standard for token-based authentication and authorization which is used to provide single sign-on (SSO).
  • OAuth allows an end user's account information to be used by third-party services, such as Facebook, without exposing the user's password.
  • It acts as an intermediary on behalf of the end user, providing the service with an access token that authorizes specific account information to be shared.

 Standard OAuth 2.0 Flow


    The client sends the authorization request, with a set of query parameters, through the browser, which redirects to the authorize endpoint on the authorization server. A sample request looks like this:

    Standard OAuth 2.0 Request:
    GET <authorization-endpoint>?
           response_type=code
           &client_id=<client_id>
           &redirect_uri=<callback_url>
           &scope=openid&state=<security_token>
    

    • OAuth 2.0 Endpoints
      1. Authorization Endpoint: The authorization endpoint is the endpoint on the authorization server where the resource owner logs in and grants authorization to the client application.
         Request:
         GET https://authorization-server.com/oauth/authorize
         ?client_id=<client_id>
         &response_type=code
         &state=<state>
         &redirect_uri=<redirect_uri>
         &scope=<scope>

         Response:
         HTTP/1.1 302 Found
         Location: https://custom-app.com/redirect?code=g0ZGZmNjVmOWI&state=dkZmYxMzE2

      2. Token Endpoint: The token endpoint is the endpoint on the authorization server where the client application exchanges the authorization code, client ID and client secret for an access token. The exchange is a POST with a form-encoded body; client credentials may be sent in the body (as shown) or in an HTTP Basic Authorization header, depending on the provider.
         Request:
         POST https://authorization-server.com/oauth/token
         Content-Type: application/x-www-form-urlencoded

         grant_type=authorization_code
         &code=<code>
         &redirect_uri=<redirect_uri>
         &client_id=<client_id>
         &client_secret=<client_secret>

         Response:
         HTTP/1.1 200 OK
         Content-Type: application/json

         {
           "access_token":"MTQ0NjJkZmQ5OTM2NDE1ZTZjNGZmZjI3",
           "token_type":"bearer",
           "expires_in":3600,
           "refresh_token":"IwOGYzYTlmM2YxOTQ5MGE3YmNmMDFkNTVk",
           "scope":"create"
         }

      3. Userinfo Endpoint: The userinfo endpoint returns claims about the authenticated end user.
         Request:
         GET https://authorization-server.com/oauth/v1/userinfo
         Header:
         Authorization: Bearer <access_token / id_token>

         Response:
         HTTP/1.1 200 OK
         Content-Type: application/json

         {
          "sub"         : "248289761001",
          "name"        : "testuser",
          "given_name"  : "testuser",
          "email"       : "testuser@custom-app.com"
         }

    • Grant types supported by our plugin for Custom Providers
      1. Authorization Code Grant
      2. Implicit Grant
      3. Refresh Token Grant
      4. Resource Owner Credentials Grant
      5. Client Credentials Grant

    • Difference between Standard and Custom OAuth Providers
      Standard OAuth 2.0 Request:
      GET <authorization-endpoint>?
             response_type=code
             &client_id=<client_id>
             &redirect_uri=<callback_url>
             &scope=openid

      Custom OAuth 2.0 Request:
      GET <authorization-endpoint>?
             response_type=code
             &client_id=<client_id>

    • Different providers have different requirements.
    • For example, for some providers the scope parameter is not necessary. Some providers require client credentials only in the header, while others require them in the header as well as in the body. Some providers send a JWT under the access_token parameter. All these cases are handled in our plugin.
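The authorization code flow above (authorization request with state, callback check, code exchange at the token endpoint) together with the provider variations just listed (credentials in the header versus the body, a JWT returned as access_token), as an added Python walkthrough that is not part of the plugin or this page. The client ID, secret, endpoints and token response are constructed sample values and no network calls are made.

```python
import base64, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values for the walkthrough, not real credentials.
CLIENT_ID = "demo-client"
CLIENT_SECRET = "demo-secret"
REDIRECT_URI = "https://wordpress.example.com/oauth/callback"
AUTHZ_ENDPOINT = "https://authorization-server.com/oauth/authorize"
TOKEN_ENDPOINT = "https://authorization-server.com/oauth/token"
# Constructed token response whose access_token is a JWT (stub signature).
SAMPLE_TOKEN_RESPONSE = json.dumps({"token_type": "bearer", "expires_in": 3600,
    "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIyNDgyODk3NjEwMDEifQ.c2ln"})

def build_authorization_url(scope="openid"):
    # Step 1: a fresh random state goes into the request and must come back
    # unchanged on the redirect, so a forged or replayed callback is rejected.
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return AUTHZ_ENDPOINT + "?" + urlencode(params), state

def parse_callback(callback_url, expected_state):
    # Read the 302 Location the browser was sent to; refuse a bad state.
    q = parse_qs(urlparse(callback_url).query)
    if not hmac.compare_digest(q.get("state", [""])[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: forged or replayed callback")
    return q["code"][0]

def build_token_request(code, creds_in="header"):
    # Step 2: the token endpoint takes a POST with a form body. Providers
    # differ on whether client credentials go in the header, the body or both.
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if creds_in in ("header", "both"):
        raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    if creds_in in ("body", "both"):
        body.update(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
    return "POST", TOKEN_ENDPOINT, headers, urlencode(body)

def parse_token_response(raw_json):
    # Step 3 prep: some providers return a JWT in access_token. Decode its
    # payload for inspection only; verify the signature before trusting it.
    tok = json.loads(raw_json)
    parts = tok["access_token"].split(".")
    if len(parts) == 3:
        pad = parts[1] + "=" * (-len(parts[1]) % 4)
        tok["jwt_claims_unverified"] = json.loads(base64.urlsafe_b64decode(pad))
    return tok
```

The access token (or the id_token, where the provider issues one) from the parsed response is what goes into the Bearer header of the userinfo request shown earlier.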