WordPress.com provider for OAuth 2.0 Client

This package provides WordPress.com OAuth 2.0 support for the PHP League's OAuth 2.0 Client.

Requirements

This package uses WordPress.com Connect to authenticate users with WordPress.com accounts.

Requirements to use this package:

• PHP >= 5.6
• a WordPress client ID and client secret, referred to as {wordpress-client-id} and {wordpress-client-secret}. Follow the WordPress Apps instructions to create the required credentials

Installation

Use composer to install:

composer require layered/oauth2-wordpress-com

Usage

Usage is the same as The League's Abstract OAuth client, using \Layered\OAuth2\Client\Provider\WordPressCom as the provider.

Authorization Code Flow

use Layered\OAuth2\Client\Provider\WordPressCom;

$provider = new WordPressCom([
	'clientId'		=>	'{wordpresscom-client-id}',
	'clientSecret'	=>	'{wordpresscom-client-secret}',
	'redirectUri'	=>	'https://example.com/callback-url',
	'blog'			=>	'https://example.com'		// optional - request auth for a specific blog
]);

if (isset($_GET['error'])) {	// Got an error, probably user denied access
	
	exit('Error: ' . htmlspecialchars($_GET['error_description'] . ' (' . $_GET['error_description'] . ')', ENT_QUOTES, 'UTF-8'));

} elseif (!isset($_GET['code'])) {	// If we don't have an authorization code then get one

	$authUrl = $provider->getAuthorizationUrl();
	$_SESSION['oauth2state'] = $provider->getState();
	header('Location: '. $authUrl);
	exit;

} elseif (empty($_GET['state']) || ($_GET['state'] !== $_SESSION['oauth2state'])) {	// Check given state against previously stored one to mitigate CSRF attack

	unset($_SESSION['oauth2state']);
	exit('Invalid state');

} else {

	// Try to get an access token (using the authorization code grant)
	$token = $provider->getAccessToken('authorization_code', [
		'code' => $_GET['code']
	]);

	// If auth was for a single site or global access, token contains extra blog info
	$tokenValues = $token->getValues();
	echo 'Blog ID: ' . $tokenValues['blog_id'] . '<br>';
	echo 'Blog URL: ' . $tokenValues['blog_url'] . '<br>';

	// Get user profile data
	try {

		// We got an access token, let's now get the user's details
		$user = $provider->getResourceOwner($token);

		// Use these details to create a new profile
		printf('Hello %s!', $user->getName());

	} catch (\Exception $e) {

		// Failed to get user details
		exit('Something went wrong: ' . $e->getMessage());
	}

	// Use this to interact with an API on the users behalf
	echo $token->getToken();
}

Available Options

The WordPressCom provider has the following options:

• blog can be a blog URL or blog ID for a WordPress.com blog or Jetpack site
• scope to request access to additional data

Scopes

When creating the authorization URL, specify the scope your application may authorize. Available scopes for WordPress.com:

• auth for authentication only, grants access to /me endpoints
• global access to all user's sites and data
• '' (empty) access to a single blog, specified in request or chosen by user

Get access to user profile

$provider->getAuthorizationUrl([
	'scope'	=>	'auth'
]);

Get access to user profile & a single blog

$provider->getAuthorizationUrl([
	'scope'	=>	''
]);

Testing

composer test

Credits

• Layered
• All Contributors

License

The MIT License (MIT). Please see License File for more information.