Keystone OIDC
| 开发者 | jfwenisch |
|---|---|
| 更新时间 | 2026年6月24日 01:41 |
| PHP版本: | 7.4 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
详情介绍:
Keystone OIDC transforms your WordPress installation into a fully-featured OpenID Connect (OIDC) identity provider, allowing other applications to authenticate users via your WordPress user database.
Key Features
- OIDC Authorization Code Flow with PKCE support
- RS256 JWT signed access tokens and ID tokens
- Admin UI to create and manage multiple OIDC clients
- Client secret management – generate and reset secrets securely (shown only once)
- OIDC Discovery endpoint (
/wenisch-tech/keystone-oidc/.well-known/openid-configuration) for automatic client configuration - Standard scopes:
openid,profile,email - Refresh tokens for long-lived sessions
- Zero additional configuration after install – just create a client and you're ready
- Install and activate the plugin
- Go to OIDC Provider → Add Client in your WordPress admin
- Enter your application name and redirect URI(s)
- Copy the generated Client ID and Client Secret (shown once)
- Configure your OIDC client application with the discovery URL shown in the settings
- Discovery:
/wenisch-tech/keystone-oidc/.well-known/openid-configuration - Authorization:
/wenisch-tech/keystone-oidc/oauth/authorize - Token:
/wenisch-tech/keystone-oidc/oauth/token - UserInfo:
/wenisch-tech/keystone-oidc/oauth/userinfo - JWKS:
/wenisch-tech/keystone-oidc/oauth/jwks
/wenisch-tech/keystone-oidc/protocol/openid-connect/* for clients that still derive Keycloak-style paths from the custom issuer URI. These aliases are not advertised in discovery.
UserInfo Example
For openid profile email, /wenisch-tech/keystone-oidc/oauth/userinfo returns:
{
"sub": "42",
"name": "Jane Doe",
"given_name": "Jane",
"family_name": "Doe",
"preferred_username": "jane",
"email": "jane@example.com",
"email_verified": true
}
sub is the WordPress user ID as a string, preferred_username is the WordPress user_login, and email is the WordPress user_email.
Roles are not currently emitted. The plugin does not expose WordPress roles or capabilities in UserInfo or ID tokens.
安装:
- Upload the
keystone-oidcfolder to/wp-content/plugins/ - Activate the plugin through the Plugins menu
- Navigate to OIDC Provider in the admin sidebar to create your first client
keystone-oidc.zip from the GitHub Releases page and upload it via Plugins → Add New → Upload Plugin.常见问题:
What OIDC flows are supported?
Authorization Code Flow (with and without PKCE). This is the most secure flow and suitable for all application types.
Where is the client secret stored?
Client secrets are hashed using WordPress's password hashing (bcrypt). The plaintext secret is shown only once upon creation or reset and is never stored in the database.
Does this plugin support multiple clients?
Yes – you can create as many OIDC clients as you need from the admin panel.
What happens if I rotate signing keys?
All previously issued tokens will immediately become invalid. Use the Settings page to rotate keys when needed (e.g., after a security incident).
Is PKCE supported?
Yes, both S256 and plain code challenge methods are supported.
更新日志:
2.3.2
2.3.2 (2026-06-23)
Bug Fixes
- ensure state sanitization does not malform string upon callback (b6c54be)
- ensured tested up to is properly set (3f2ab22)
- quickstart section in readme (20cd0a4)
- updated readme (960f77f)
- consent-screen now uses theme default colors if available (24beefe)
- ensure compability with wordpress v7 (36f0d50)
- updated release versioning and changelog creation (98cfb30)
- updated repository links (f46b2b6)
- updatet generation of changelog. (357bded)
- added "Report a bug" button to plugin page (8281f6c)
- Initial release
- Authorization Code Flow with PKCE
- RS256 JWT tokens
- Multi-client admin UI with secret management
- OIDC Discovery endpoint
- Refresh token support