Third Party Provider Authentication

Third Party Provider Authentication, In which you can use other provider's Access Token or ID token to authenticate your WordPress REST APIs and get resources.

Here, you just need to configure the plugin with Introspection Endpoint/User Info Endpoint provided by your Identity Provider and you will be able to authenticate the API Request using the token provided by your provider application.

Sample Request

Once you get the access token or id token from the OAuth provider you can use it to request the access to the WordPress site as shown below.

    Request: GET /wp-json/wp/v2/posts
    Header: access_token : < access_token > OR id_token : < id_token >

The Header is explained below.

  • access_token OR id_token : The HTTP access_token OR id_token request header contains the token value to authenticate a user agent with a server, usually after unsuccessful authentication the server has responded with a 401 Unauthorized status.

  • < access_token > OR < id_token > : The < access_token > OR < id_token > is created by the Authentication server. When a client application request the authentication server then server authenticates that token and gives response to client application accordingly.

  • cURL
  • Postman
curl -H "access_token: < access_token > OR id_token < id_token >" -X GET http://<wp_base_url>/wp-json/wp/v2/posts 

Click here to download POSTMAN collection export

The server replies with the requested data as the members of a JSON object.

Success Response
Code Status Description
200 SUCCESS Example model:
  "rendered":"Hello World"
  "rendered":"<p>Welcome to WordPress. This is your first post. Edit or delete it, then start writing!<\/p>",
Error Response
Code Error Description
400 INVALID_TOKEN You will get this error when you have put an invalid Access Token or expired Access Token.

Example Model:
  "error_description":"Sorry, your token is expired."
401 MISSING_AUTHORIZATION_HEADER You will get this error whenever you don't send Header in the API request or It was removed by your server due to some reasons.

Example Model:
  "error_description":"Authorization header not received. Either authorization header was not sent or it was removed by your server due to security reasons."

NOTE - This error may occur because of server environment, your server may removed your Authorization header due to security reasons.

- If you are using Apache server then put the below line in your htaccess file after the RewriteBase.
  RewriteEngine On
  RewriteCond %{HTTP:Authorization} ^(.*)
  RewriteRule .*

- If you are using NGINX server then put the below line in your conf file.
  add_header Access-Control-Allow-Headers "Authorization";
400 INVALID_AUTHORIZATION_HEADER_TOKEN_TYPE You will get this error whenever you send the Authorization header but in header you are sending the wrong token type.

Example Model:
  "error_description":"Authorization header must be type of Bearer Token."

Authentication using SAML Identity Provider

  • If you want to restrict the APIs with the SAML compliant Identity Provider's credentials, then it can be done using miniOrange API gateway. Authentication flow is according to the following diagram


  • You can follow this link for the more detailed explaination.