Description

WP OAuth Server plugin turns your WordPress site into an OAuth Server, enabling Login with WordPress. It allows you to login into Rocket Chat, Invision Community, WordPress, Odoo, EasyGenerator, Salesforce, Zapier, Moodle WordPress SSO, ServiceNow, Edunext, Wickr, Freshdesk, FreshWorks, ServiceNow, ShinyProxy, Knack database, Circle.so, Tribe.so, Tribe, Mobilize, Nextcloud SSO, Church Online, iSpring LMS, Academy of Mine, BoardEffect, TalentLMS, Laravel, PowerSchool, PowerSchool, Joomla, HubSpot SSO, shopify sso integration, MeritHub, Bookstack, Pimcore, 360 Learning, EventMobi, Synology, Drupal, Piano Analytics, Zerotier, and any other OAuth 2.0 compliant applications using WordPress SSO credentials.

| WordPress OAuth Server Setup Guides | API Documentation | Demo / Trial |

You can checkout the below video tutorial to know how to setup SSO with your OAuth/OpenID Compliant Applications.

Basically, the OAuth Server plugin allows users to login into applications that are OAuth 2.0 compliant, facilitating oauth server SSO using their WordPress login credentials. As it’s name suggests, it follows the OAuth 2.0 protocol. Along with that, it also supports OpenID Connect (OIDC), and JWT protocols.

The primary goal of the OAuth Server plugin is to provide Single Sign-On Login with WordPress, so users do not need to remember a username and password for each application.
Using WordPress as OAuth Server, once Single Sign On is enabled, users do not need to store sensitive information to login into different applications.

Discovery URL
The discovery url / well-known endpoint can be used to get metadata about your Identity Server, essential for setting up oauth server SSO. It will return information about the OAuth/OpenID endpoints, issuer URL, supported grant types, supported scopes, key material along with claims in the JSON format. These details can be used by the clients to create an OpenID server request, enhancing the WordPress SSO experience. The well known configuration URL is accessible via /.well-known/openid-configuration, in relation to the issuer URL.

JWT Token Verification
JWT signing, which ensures the integrity of the tokens used during the WordPress SSO process, supports both symmetric and asymmetric algorithms provided by the OAuth Server. The plugin’s free version supports HS256, while the premium version supports RS256, enhancing security especially in scenarios involving HubSpot SSO and Nextcloud SSO.

HS256, a symmetric signature algorithm, indicates that the signature is generated and verified using the same secret key. It is supported in the free version of the OAuth Server plugin, which is useful for basic OAuth Server SSO configurations.

RS256, an asymmetric signature algorithm is different from a symmetric algorithm in that a pair of private and public keys is used to sign and validate the data respectively instead of a single secret key in an oauth server SSO setup.

Why RSA algorithm should be used?
The use of a public and private key pair makes RS256 more secure in comparison to HS256 where the public key is shared and might be compromised whereas in RS256, even if you do not have the control over your client, your data remains secure as it is signed using a private key. The premium version of the OAuth Server plugin supports the RS256 algorithm.

Postman collection
Postman collection JSON is a file that can be used for testing the configuration of OAuth 2.0 flow in the WP OAuth Server plugin without configuring an external OAuth Client by generating the access token and the API call to the resource endpoint subsequently.

LIST OF POPULAR OAUTH CLIENTS SUPPORTED

Rocket.Chat
Invision Community (IPB Forum)
Odoo
WordPress SSO into other WordPress Sites
EasyGenerator
Salesforce
Zapier
Moodle
Edunext
Wickr
Freshdesk
FreshWorks
ServiceNow
Knack database
Circle.so
Tribe.so
Mobilize
Nextcloud
iSpring LMS
Church Online
Academy of Mine
BoardEffect
Laravel
PowerSchool
Joomla
HubSpot
Shopify
MeritHub
Bookstack
Pimcore
360 Learning
EventMobi
Synology
Drupal
Piano Analytics
Zerotier

WORDPRESS OAUTH / OPENID CONNECT SERVER USE CASES

If you want to use your WordPress site as an Identity Server / OAuth Server / OAuth Provider and utilize Login with WordPress to access your client site/application with WordPress user’s login credentials, then you can use this plugin. You can also decide what kind of user data/attributes you want to send while Single Sign-On into your client site/application, including Moodle WordPress SSO and Nextcloud SSO functionalities.
If you want to login to your Mobile app / Single Page web app (SPA) using your WordPress credentials, then you can use the Authorization code with PKCE flow grant type to achieve your use case.
Single set of credentials will be used to login to multiple WordPress websites.
You can access the NGINX resources using NGINX Authentication. Once you login into your client application using WP OAuth Server credentials, you will get JWT. Your client application can further use it for NGINX Authentication.
Membership sync or role mapping is used to sync the memberships or roles assigned to your users from OAuth Server to OAuth/OpenID Client.
Custom Attribute Mapping is helpful if you want to send additional attributes (beyond the default ones) from your WordPress usermeta table to your OAuth/OpenID client using Login with WordPress.

WORDPRESS OAUTH / OPENID CONNECT SERVER FREE VERSION FEATURES

Supports Login with WordPress for Single Client application
Protocol Support: OAuth 2.0, OpenID Connect (OIDC)
Discovery document / well-known endpoint for automatic configuration
JWT signing using HS256 or RS256 algorithm (Note: In RS256 algorithm, the keys will be common for all the free version installations)
Postman collection for testing OAuth 2.0 flow without actually configuring the client application
Server Response: Sends User ID, username, email, first name, last name, display name in the response
Grant types Supported: Authorization Code grant
Multi-Site Support: Implement the WordPress as OAuth Server within a WordPress Multisite network environment to Login with WordPress users into configured applications.
Master Switch: Block / unblock OAuth API calls between OAuth Clients and OAuth Server
Token Length: Change the access token length
OAuth API Documentation
Setup guides to configure the plugin with various OAuth Clients (more coming soon)

WORDPRESS OAUTH / OPENID CONNECT SERVER PREMIUM VERSION FEATURES

All FREE version features
Supports Login with WordPress for Multiple Client applications
Server Response: Sends all the profile attributes along with roles, allows to send custom attributes from usermeta table and also customize the attribute names that need to be sent in server response
Grant Types Supported: Authorization Code Grant, Implicit Grant, Password Grant, Client Credentials Grant, Refresh Token Grant, Authorization Code grant with PKCE flow
Token Lifetime: Configure the access token and refresh token expiry time
Enforce State Parameter: Based on client configuration, you can enable or disable state parameter
Authorize / Consent prompt: Enable / disable the consent screen
Redirect / Callback URI Validation: Enable / disable this feature, based on dynamic redirect to a different pages for certain conditions
JWT Signing Algorithm: Supports signing algorithms HSA and RSA (with dynamic keys for each client setup)
Additional endpoints: Provides Introspection endpoint, OpenID Connect Single logout endpoint, Revoke endpoint

A grant is a method of acquiring an access token. Deciding which grants to implement depends on the type of client the end user will be using, and the experience you want for your users.

WE SUPPORT FOLLOWING GRANTS:

Authorization code grant : This code grant is used when there is a need to access the protected resources on behalf of the user on another third party application.
Implicit grant : This grant relies on resource owner and registration of redirect uri. In authorization code grant users need to ask for authorization and access token each time, but here access token is granted for a particular redirect uri provided by a client using a particular browser.
Client credential grant : This grant type heads towards specific clients, where access token is obtained by client by only providing client credentials. This grant type is quite confidential.
Resource owner password credentials grant : This type of grant is used where the resource owner has a trust relationship with the client. Just by using username and password, provided by resource owner authorization and authentication can be achieved.
Refresh token grant : Access tokens obtained in OAuth flow eventually expire. In this grant type client can refresh his or her access token.
Authorization code grant with PKCE flow : This grant type is used for public clients like mobile and native apps, Single Page web apps, where there is a risk of client secret being compromised.

REST API AUTHENTICATION

Rest API is very much open to interact. Creating posts, getting information of users and much more is readily available.
It secures unauthorized access to your WordPress sites/pages using our WordPress REST API Authentication plugin .

Screenshots

Add OAuth Client
Get Client ID and Client Secret
Configurations
Advanced settings and other Premium features
Server Response
Endpoints
Demo for premium plugin

Installation

From your WordPress dashboard

Visit Plugins > Add New
Search for OAuth 2.0 server. Find and Install OAuth 2.0 server
Activate the plugin from your Plugins page

From WordPress.org

Download OAuth 2.0 server.
Unzip and upload the miniorange-oauth-login directory to your /wp-content/plugins/ directory.
Activate miniOrange OAuth from your Plugins page.

FAQ

I need to customize the plugin or I need support and help?: Please email us at info@xecurify.com or Contact us. You can also submit your query from plugin’s configuration page.
I want a demo or trial of the plugin: For the demo or trial of the plugin, you can submit a request from the Trials Available tab in the plugin or directly email us at wpidpsupport@xecurify.com
The plugin is not working on my localhost: If you are using the plugin on localhost, please make sure your site is reachable from your OAuth Client side. If not, you can host your WordPress site publicly to make it work.
Do I need to pay for all the users in my database while upgrading to premium?: No, the pricing in the plans is only for the ACTIVE USERS. An active user is the one who performs the SSO. For example, if you have 5000 users in the database but only 1000 of them perform the SSO, then you would need to pay only for the 1000 users.
Can I get discount if purchasing multiple licenses?: Yes, you are eligible for a discount, if you are purchasing more than 1 license. You can contact us at wpidpsupport@xecurify.com.
Do you support membership/role sync?: Yes, membership/role sync feature is supported in the premium plan. You can contact us at wpidpsupport@xecurify.com with your requirement.
How can I disable the consent screen?: Yes, you can enable/disable consent screen using the premium plan.

Reviews

alvesyane May 1, 2025

a question arose, we went to the site, found a problem, and wrote back!

joshnelsonmarks April 25, 2025

Really happy with the plugin and level of support so far- well worth the investment. Thanks Miniorange!

Sven Hüttepohl August 25, 2023

I was able to work with MiniOrange’s support team to set up my WP website as an OAuth server and Bookstack as a client in no time. They were incredibly quick to respond to my questions. The plugin is really great and the support is perfect. Thank you very much and keep up the good work! in german: Ich habe mit dem Support-Team von MiniOrange zusammen meine WP-Website als OAuth-Server und Bookstack als Client in küzester Zeit einrichten können. Sie haben unglaublich schnell auf meine Fragen mit geantwortet. Das Plugin ist wirklich toll und der Support ist perfekt. Vielen Dank und macht weiter so!

aleckretch July 11, 2023

The plugin works exactly as advertised, and the support was quick to respond and help answer our questions. Highly recommend!

eddivalen April 27, 2023

Having worked with MiniOrange’s support team this month to set up my WP site as an OAuth server and my Bubble app as a client, I can confidently say that I highly recommend their OAuth plugin.They were always available to answer my questions and even went above and beyond by scheduling two meetings with me to make sure everything was set up properly.Keep up the great work!

darrennye April 26, 2023

I’ve been using the WordPress OAuth Server plugin for 2 to 3 years, with Rocket.Chat as the OAuth Client – so authenticated WordPress users, could then connect to Rocket.Chat as an authenticated user, without having to sign in again. At one point maybe a year ago, they were on maybe version 3 or 4, and the plugin stopped working. At the time, their support said that I’d need to pay for their pro plan for this functionality, which started at $400 annual for a limited number of users, which was beyond our budget. So I downgraded and stuck with the older free plugin. But then out of the blue, their newer plugin version 5 was updated to allow this to work again. However the subsequent upgrading of Wordpress, miniorange, other plugins, and RocketChat, made everything stop working again. And then RocketChat just woudn’t run. The entire thing was completely frustrating. I ended up creating a new chat server and installing Rocket.Chat from scratch. But I couldn’t figure out the exact combination of settings in mini-orange and the Custom Oath of Rocket.Chat, to get it all working. I opened a ticket with MiniOrange and pleaded for their help. I was extremely surprised that they spent the time (2 people, a jr tech and a senior tech) to talk to me voice (I think they were 12 hours ahead of me though), then remote into my WordPress and Rocket.Chat settings, to configure exactly what was needed on both sides. For free. At one point I saw a post, somewhere, that said they were going to start charging $30 or something for support cases. That would be well worth it, for the time they spent to get me up and running. But at this point, they provided the help for free. If anyone needs help with the exact settings between WordPress, miniorange OAuth server, and Rocket.Chat custom oauth settings – let me know. Darren

Read all 40 reviews

Contributors & Developers

“WP OAuth Server ( Login with WordPress )” is open source software. The following people have contributed to this plugin.

Translate “WP OAuth Server ( Login with WordPress )” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

6.1.1

WordPress 6.8 compatibility.
Improved usability of Advanced Settings tab.

6.1.0

WordPress 6.7 compatibility.
PHP 8.3 compatibility.
Added new action links to the plugin.
Updated forgot password link.

6.0.9

Fixed PCP warnings.
Improved the JWKS flow security notice.

6.0.8

WordPress 6.6 Compatibility.
UI improvements
Bugfix: Handled error being caused on wp cache flush command.

6.0.7

Bug Fix: Added missing kid claim in JWT authentication flow.

6.0.6

Bug Fix: Fixed issue with JSON state parameter
Added compatibility with WP 6.5

6.0.5

Fixed the backslash issue for linux environments.

6.0.4

UI & UX improvements for feedback and support forms.
Fixed client secret visibility issue for React and Conferences.io clients
Fixed consent screen cancel button

6.0.3

Added compatibility with WP 6.4
Phone number optional in support form.
Fixed some JS errors.

6.0.2

Added compatibility with WP 6.3
Improved feedback form.
Removed unnecessary console logs.

6.0.1

Bug fix – Custom OAuth Client logo image link fixed.
Updated support email address.

6.0.0

Complete UI revamp for a more user-friendly and intuitive experience
Backend simplification for improved performance and reliability
Bug fixes and performance enhancements

5.1.1

Added compatibility with WP 6.2
Fixed the deactivation feedback form issue

5.1.0

Added Custom Login URL feature
Fixes for empty scope
Set RSA algorithm as default
Disabled Enforce State by default
Fixed the demo email issue
phpcs fixes
updated FAQ

5.0.7

Added scope based response filter
Minor bug fixes

5.0.6

Made compatible for WP Multisite
Added debug logs

5.0.5

Compatibility with WordPress version 6.1

5.0.4

Added RSA algorithm support with common keys
Authorize endpoint fix
Other bug fixes

5.0.3

Fixed issue with gravity form

5.0.2

Fixed the client secret migration issue
Readme update

5.0.1

Discovery/.well-known/issuer url now supported
Added support for HS256 algorithm for JWT token verification
Added postman collection to test configurations
Client secret is now stored in encrypted format

4.0.1

Vulnerability fixes
Code improvements

3.0.4

Token Post Response header already sent warning fix

3.0.3

Database Query Optimization

3.0.2

CORS issue fix
Added trial option of the premium
Licensing page changes

3.0.1

Added compatibility with WP 5.9
Improved performance of website by setting autoload to false

3.0.0

Support for email attribute in the userinfo endpoint
Link to the OAuth API documention
Client specific UI improvements

2.13.8

Security Fixes

2.13.7

UI improvement – Copy button for endpoints and client credentials
Bug fix for supplied_redirect_uri
Consent screen on every login

2.13.6

permission_callback warning fix

2.13.5

minor bug fixes
added copy button to copy the client credentials and endpoints
readme update

2.13.4

minor UI updates
added compatibility with WP 5.7

2.13.3

minor bug fixes
fixed compatibility with Brizzy
added compatibility with WP 5.6

2.13.2

minor bug fixes
fixed issue with deactivation form
added compatibility with WP 5.5

2.13.1

Added compatibility with WordPress v5.5

2.13.0

Added UI fixes
Updated demo plan fixes
Minor bugfixes and compatibility fixes

2.12.4

Licensing tab fix

2.12.3

Added fixes for some features
Added option to disable authorize screen

2.12.2

Added Compatibility with WordPress v5.4

2.12.0

Performance Improvements

2.11.0

Fixed bug where blank scope led to blank screen
Fixed “Deny” button resulting in clicking “Allow”
Fixed unaccounted bytes error notice on activation
Updated plugin licensing
Minor UI Improvements

2.10.0

Added fixes for Loopback Request failure
Updated Endpoints based on REST API and Authorize Consent Screen
Minor Bugfixes

2.9.1

Fixed migration issue

2.9.0

Fixed bug where bearer access_token was not recognized.
Updated Endpoints

2.8.2

Updated Installation Steps

2.8.1

Compatibility changes for miniOrange OAuth Single Sign On

2.8.0

Updated registration form
Advertised Introspection Endpoint

2.7.0

Added compatibility for WordPress Version 5.2
Added fixes for OpenID Connect flow
Added fixes for OTP related issue
Updated Endpoints
Added alternative for Sign Up
Advertised Scope Based Response

2.6.1

Fixed conflicts for function generateRandomString()

2.6.0

Advertised new features as per new Licensing Plan

2.5.6

Added Compatibility for Rocket.chat

2.5.5

Fixed OTP related issue

2.5.4

Updated Licensing Plan

2.5.3

Added Visual Tour fixes

2.5.2

Added bugfixes

2.5.1

Added missing files

2.5.0

New Features
Major UI Revamp
Added Feature Tour

2.4.0

Compatibility with WordPress 5.1

2.3.0

Added Feedback Form and Updated UI

2.2.1

Added support for Invision Community and Rocket.chat

2.2.0

Updated UI

2.1.0

Fixed the PHP7.2 Compatibility issue

2.0.3

Changes in the title

2.0.2

Added features

2.0.1

Added support for multiple client

1.0.1

Initial Release

cool guys!

Excellent support

great support for a great plugin

Great plugin with great support!

Amazing Experience with MiniOrange OAuth plugin (WP + Bubble)

Outstanding Support – even for free version?!?