Keystone OIDC

Updated Jun 23, 2026

Keystone OIDC transforms your WordPress installation into a fully-featured OpenID Connect (OIDC) identity provider, allowing other applications to authenticate users via your WordPress user database.

Key Features

  • OIDC Authorization Code Flow with PKCE support
  • RS256 JWT signed access tokens and ID tokens
  • Admin UI to create and manage multiple OIDC clients
  • Client secret management – generate and reset secrets securely (shown only once)
  • OIDC Discovery endpoint (/wenisch-tech/keystone-oidc/.well-known/openid-configuration) for automatic client configuration
  • Standard scopes: openid, profile, email
  • Refresh tokens for long-lived sessions
  • Zero additional configuration after install – just create a client and you’re ready

Quick Start

  1. Install and activate the plugin
  2. Go to OIDC Provider → Add Client in your WordPress admin
  3. Enter your application name and redirect URI(s)
  4. Copy the generated Client ID and Client Secret (shown once)
  5. Configure your OIDC client application with the discovery URL shown in the settings

Endpoints

All URLs are relative to your WordPress site root.

  • Discovery: /wenisch-tech/keystone-oidc/.well-known/openid-configuration
  • Authorization: /wenisch-tech/keystone-oidc/oauth/authorize
  • Token: /wenisch-tech/keystone-oidc/oauth/token
  • UserInfo: /wenisch-tech/keystone-oidc/oauth/userinfo
  • JWKS: /wenisch-tech/keystone-oidc/oauth/jwks

Compatibility aliases are also routed under /wenisch-tech/keystone-oidc/protocol/openid-connect/* for clients that still derive Keycloak-style paths from the custom issuer URI. These aliases are not advertised in discovery.
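
A relying party can sanity-check the discovery document against the endpoint list above before trusting it. The following is an added example, not code from the plugin; the site URL, the issuer value (site root plus the plugin base path), the alias path `certs` and the sample documents are assumptions constructed for illustration. The metadata field names are the standard ones from OpenID Connect Discovery and RFC 8414.

```python
from urllib.parse import urlsplit

# Paths documented on this page, relative to the WordPress site root.
BASE = "/wenisch-tech/keystone-oidc"
EXPECTED = {
    "authorization_endpoint": BASE + "/oauth/authorize",
    "token_endpoint": BASE + "/oauth/token",
    "userinfo_endpoint": BASE + "/oauth/userinfo",
    "jwks_uri": BASE + "/oauth/jwks",
}
ALIAS_PREFIX = BASE + "/protocol/openid-connect/"


def check_discovery(doc, site_root):
    """Return a list of problems found in a parsed discovery document."""
    problems = []
    root = urlsplit(site_root.rstrip("/"))
    if root.scheme != "https":
        problems.append("site root is not https")
    for field, path in EXPECTED.items():
        url = urlsplit(doc.get(field, ""))
        if (url.scheme, url.netloc) != (root.scheme, root.netloc):
            problems.append(f"{field}: different origin than the site root")
        elif url.path.startswith(root.path + ALIAS_PREFIX):
            problems.append(f"{field}: compatibility alias advertised")
        elif url.path != root.path + path:
            problems.append(f"{field}: unexpected path {url.path}")
    # Assumption: issuer is the site root plus the plugin base path.
    if doc.get("issuer", "").rstrip("/") != site_root.rstrip("/") + BASE:
        problems.append("issuer does not match the expected value")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not advertised for ID tokens")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    return problems


# Constructed sample document for a hypothetical site (not real plugin output).
SITE = "https://wp.example.test"
GOOD = {"issuer": SITE + BASE,
        **{k: SITE + p for k, p in EXPECTED.items()},
        "id_token_signing_alg_values_supported": ["RS256"],
        "code_challenge_methods_supported": ["S256"]}
# Constructed bad variant: off-origin token endpoint, alias JWKS path.
BAD = {**GOOD,
       "token_endpoint": "https://idp.example.net" + EXPECTED["token_endpoint"],
       "jwks_uri": SITE + ALIAS_PREFIX + "certs"}

if __name__ == "__main__":
    print(check_discovery(GOOD, SITE), check_discovery(BAD, SITE))
```

An empty list means the advertised metadata agrees with the documented paths; any entry is a reason to stop and inspect the site or an intermediate proxy before configuring the client.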

UserInfo Example

For openid profile email, /wenisch-tech/keystone-oidc/oauth/userinfo returns:

{
  "sub": "42",
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "preferred_username": "jane",
  "email": "[email protected]",
  "email_verified": true
}

`sub` is the WordPress user ID as a string, `preferred_username` is the WordPress `user_login`, and `email` is the WordPress `user_email`.

Roles are not currently emitted. The plugin does not expose WordPress roles or capabilities in UserInfo or ID tokens.

[2.3.0](https://github.com/wenisch-tech/wordpress-keystone-oidc/compare/v2.2.2...v2.3.0) (2026-06-14)

Features

  • consent-screen now uses theme default colors if available (24beefe)

Bug Fixes

  • ensure compatibility with WordPress v7 (36f0d50)

2.2.2

Released on 2026-06-12.

Bug Fixes

  • updated release versioning and changelog creation (98cfb30)
  • updated repository links (f46b2b6)
  • updated generation of changelog. (357bded)

Documentation

  • added “Report a bug” button to plugin page (8281f6c)

1.0.0

  • Initial release
  • Authorization Code Flow with PKCE
  • RS256 JWT tokens
  • Multi-client admin UI with secret management
  • OIDC Discovery endpoint
  • Refresh token support