WP OAuth Server

Create and manage an OAuth 2.0 server powered by WordPress. Become a Single Sign On provider and/or resource server.


  • Updated Readme
  • Tested with version 4.7-alpha-38677
  • Removed overhead


  • Tested on 4.6 with version update.
  • Added video.


  • Bug fix in openID sub return parameter.
  • Added notice about upgrading and continuation of WP OAuth Server in WordPress plugin repository.


  • Restructuring and clean up.
  • Refresh token controller now accepts parameters properly.
  • Rewrote rewrite functionality to fix issues regarding rewrites on every load.


  • Removed ALTER query. There is no need for it, and anyone updating from an older version will experience issues anyway. Step-by-step upgrading is required.
  • Fixed issues when updating while the options key is missing. This caused header errors on installs that have full error reporting on.


  • Updated generateAuthorizationCode() to use wp_generate_password()
  • Fixed bug with expires_in not returning as integer


  • Updated OAuth2 Library and re-ported to WP.
  • Updated AuthorizationCode handler to manage id_token delivery.
  • Fixed invalid id_token issue.


  • Moved location of do_action('wo_before_authorize_method'); and added $_REQUEST parameter.
  • Rearranged OAuth Server menu for flexibility
  • Added $_REQUEST parameter to wo_before_api action
  • Added wo_failed_login action when login fails for OAuth2\Storage::checkPassword during user credentials grant type
  • Added wo_user_not_found action when user is not found when using user credentials

TODOs

  • Add http://php.net/manual/en/function.apache-get-version.php function check before running it.


  • Added action wo_endpoint_user_authenticated which runs before resource method but after access token authentication.


  • Changed default refresh token lifetime to 10 days
  • Permalinks now check before re-writing
  • Minor code refactoring
  • Added action wo_set_access_token that runs before creating an access token


  • Optimized activate hooks for better performance and consolidation of code.
  • Started minimization of the code to reduce unneeded overhead.
  • Added removal of access tokens when a user resets password.
  • Fixed issue with refresh tokens not being returned when using refresh_token grant type
  • Added functionality to allow for public endpoints.


  • Added MySQL check during install
  • Fixed 404 bug for unset permalinks
  • Minor security improvements


  • Fixed 404 errors when adding/editing clients


  • Addressed security issues on older PHP versions as well as Windows OS.
  • Added checks to help ensure that the environment is supported before WP OAuth Server can be run.
  • Add filter 'wo_scopes' to allow for extendability.


  • Fixed bug in refresh token that prevented use of refresh tokens


  • Forced all expires_in parameter in JSON to be an integer
  • Add determine_current_user hook for WP core authentication functionality
  • Added authentication support for WP REST API


  • Patch to possible exploit when editing a client.
  • Slight UI changes.
  • Patched auth code table for large id_tokens.
  • Fixed security issue with token lifetime.


  • Client name is not clickable to show edit popup
  • Fixed issue with missing exits in API


  • Added specific OpenSSL bit length for systems that do not create keys at 2048 by default.
  • Added urlSafeBase64 encoding to Modulus and Exponent on delivery.
  • Tweak redirect location in API when a user is not logged in


  • Added userinfo endpoint to /.well-known/openid-configuration
  • Fixed improper return of keys for public facing /.well-known
  • Auto generation of new certificates during activation to ensure all servers have a different signature


  • Switched JWT signing to use RS256 instead of HS256.
  • Added OpenID Discovery with REQUIRED fields and values.
  • "sub" now complies with OpenID specs for format type.
  • Added JWT return for public key when using OpenID Discovery.


  • Bug fix in OpenID


  • Fixed "Undefined Error" in Authorization Controller. Credit to Frédéric. Thank You!
  • Remove "Redirect URI" Column from clients table to clean up table on smaller screens.
  • Updated banner and plugin icon.


  • Removed permalink check. OAuth Server now works without the use of permalinks.
  • Fixed install functionality. Not all tables were being installed.
  • Added support for crypto tokens.
  • Added OpenID Connect abilities.
  • Mapped OpenID Claims to default user values
  • Added index to token table and increased access_token length to support crypto tokens in the future.
  • Added "email" to default me resource to support OpenID Connect 1.0
  • Added generic key signing for all clients.
  • Added public endpoint for verifying id_token (/oauth/public_key)


  • Updated Readme.txt content
  • Add more descriptive text during PHP version check
  • Fixed license links
  • Added Access Token and Refresh Token lifetime settings
  • Added upgrade method to ensure proper installing of new features


  • Modified how clients are added and edited
  • Add Pro Features
  • Added additional information to "Server Status" Tab
  • Minor Clean Up


  • Re added Authorization Code Enable Option
  • API unavailable error now uses OAuth Response object
  • API now reports when access token is not provided during resource calls


  • Updated cover image.
  • Fixed documentation links.
  • Added "Server Status" tab
  • Cleaned up "Advanced Configuration" contents.


  • Updated and rebuilt structure.
  • Visit http://wp-oauth.com for documentation and more information.


  • Rebuild init plugin code structure for more flexibility and scalability.
  • Added prefix to all DB connections
  • Changed install query to use the InnoDB engine for better support and performance.
  • Fixed improper loading of plugin style sheet.
  • Removed garbage data when plugin is activated. It was not being used and cluttering the code base as well as the database.
  • Move action template_redirect to rewrites file
  • Added login form support for installs that are installed in sub directory
  • Added missing in documentation for when calling requesting_token
  • Suppressed some errors that were preventing a proper JSON return when WP_DEBUG was enabled.
  • Added a client sample script to help learn the basics of connecting to the provider plugin.
  • Added legacy installer that will hopefully keep old data intact while updating to the new structure with no data loss.
  • Removed plugin logging as it was not really needed and caused more issues than it was worth.


  • Fixed Admin URL links for plugin dashboard


  • Fixed Broken login redirect


  • Re-worked Readme.txt
  • Fixed absolute paths causing 404 Error when WordPress is running under a sub directory (Using admin_url() currently)



Requires: 4.3 or higher
Compatible up to: 4.7.2
Last Updated: 5 months ago
Active Installs: 1,000+


4.4 out of 5 stars


6 of 11 support threads in the last two months have been marked resolved.
