Title: Keystone OIDC
Author: jfwenisch
Published: Jun 12, 2026
Last modified: Jun 14, 2026

---

![](https://ps.w.org/keystone-oidc/assets/banner-772x250.png?rev=3570198)

![](https://ps.w.org/keystone-oidc/assets/icon-256x256.png?rev=3570198)

# Keystone OIDC

 By [jfwenisch](https://profiles.wordpress.org/jfwenisch/)

[Download](https://downloads.wordpress.org/plugin/keystone-oidc.2.3.1.zip)


## Description

Keystone OIDC transforms your WordPress installation into a fully-featured **OpenID
Connect (OIDC) identity provider**, allowing other applications to authenticate 
users via your WordPress user database.

#### Key Features

 * **OIDC Authorization Code Flow** with PKCE support
 * **RS256 JWT** signed access tokens and ID tokens
 * **Admin UI** to create and manage multiple OIDC clients
 * **Client secret management** – generate and reset secrets securely (shown only
   once)
 * **OIDC Discovery** endpoint (`/wenisch-tech/keystone-oidc/.well-known/openid-configuration`)
   for automatic client configuration
 * **Standard scopes**: `openid`, `profile`, `email`
 * **Refresh tokens** for long-lived sessions
 * **Zero additional configuration** after install – just create a client and you’re
   ready

#### Quick Start

 1. Install and activate the plugin
 2. Go to **OIDC Provider → Add Client** in your WordPress admin
 3. Enter your application name and redirect URI(s)
 4. Copy the generated **Client ID** and **Client Secret** (shown once)
 5. Configure your OIDC client application with the discovery URL shown in the settings

#### Endpoints

All URLs are relative to your WordPress site root.

 * **Discovery:** `/wenisch-tech/keystone-oidc/.well-known/openid-configuration`
 * **Authorization:** `/wenisch-tech/keystone-oidc/oauth/authorize`
 * **Token:** `/wenisch-tech/keystone-oidc/oauth/token`
 * **UserInfo:** `/wenisch-tech/keystone-oidc/oauth/userinfo`
 * **JWKS:** `/wenisch-tech/keystone-oidc/oauth/jwks`

Compatibility aliases are also routed under `/wenisch-tech/keystone-oidc/protocol/openid-connect/*`
for clients that still derive Keycloak-style paths from the custom issuer URI. These
aliases are not advertised in discovery.
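A relying party can pin the endpoint list above when it loads the discovery document. The following check is an added example, not part of the plugin: `check_discovery`, the sample documents and the host names are constructed, the metadata field names are the standard OIDC Discovery ones, and the issuer value (site root plus `/wenisch-tech/keystone-oidc`) is an assumption.

```python
from urllib.parse import urlsplit

# Endpoint paths listed on this page, relative to the WordPress site root.
BASE = "/wenisch-tech/keystone-oidc"
EXPECTED_PATHS = {
    "authorization_endpoint": BASE + "/oauth/authorize",
    "token_endpoint": BASE + "/oauth/token",
    "userinfo_endpoint": BASE + "/oauth/userinfo",
    "jwks_uri": BASE + "/oauth/jwks",
}


def check_discovery(doc: dict, site_root: str) -> list:
    """Return a list of problems; an empty list means the document passed."""
    problems = []
    site_root = site_root.rstrip("/")
    root = urlsplit(site_root)
    if root.scheme != "https":
        problems.append("site root is not https")
    # Assumption: the issuer is the site root plus BASE (not stated on the page).
    if doc.get("issuer") != site_root + BASE:
        problems.append("issuer mismatch")
    for field, path in EXPECTED_PATHS.items():
        url = urlsplit(str(doc.get(field, "")))
        if (url.scheme, url.netloc) != (root.scheme, root.netloc):
            problems.append(f"{field}: not on the site origin")
        elif url.path != root.path + path or url.query or url.fragment:
            problems.append(f"{field}: unexpected path")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not advertised")
    return problems


# Constructed sample documents for https://wp.example.com (not plugin output).
GOOD = {"issuer": "https://wp.example.com" + BASE,
        "id_token_signing_alg_values_supported": ["RS256"],
        **{f: "https://wp.example.com" + p for f, p in EXPECTED_PATHS.items()}}
# Same document with the token endpoint on another host and a Keycloak-style
# alias path in jwks_uri, which discovery is not expected to advertise.
BAD = dict(GOOD,
           token_endpoint="https://idp.example.net" + BASE + "/oauth/token",
           jwks_uri="https://wp.example.com" + BASE + "/protocol/openid-connect/certs")
```
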

#### UserInfo Example

For `openid profile email`, `/wenisch-tech/keystone-oidc/oauth/userinfo` returns:

```
{
  "sub": "42",
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "preferred_username": "jane",
  "email": "jane@example.com",
  "email_verified": true
}
```

`sub` is the WordPress user ID as a string, `preferred_username` is the WordPress `user_login`, and `email` is the WordPress `user_email`.

Roles are not currently emitted. The plugin does not expose WordPress roles or capabilities
in UserInfo or ID tokens.

### [2.3.0](https://github.com/wenisch-tech/wordpress-keystone-oidc/compare/v2.2.2...v2.3.0) (2026-06-14)

### Features

 * consent-screen now uses theme default colors if available ([24beefe](https://github.com/wenisch-tech/wordpress-keystone-oidc/commit/24beefead5ac2fab30e0945c58af3f009a733c1c))

### Bug Fixes

 * ensure compatibility with WordPress v7 ([36f0d50](https://github.com/wenisch-tech/wordpress-keystone-oidc/commit/36f0d5040ee72d8f2ad9b76ff07da25ed5649bce))

#### 2.2.2

Released on 2026-06-12.

#### Bug Fixes

 * updated release versioning and changelog creation ([98cfb30](https://github.com/wenisch-tech/wordpress-keystone-oidc/commit/98cfb3062232f96346646f915a90198f69b17f51))
 * updated repository links ([f46b2b6](https://github.com/wenisch-tech/wordpress-keystone-oidc/commit/f46b2b6f2012cd348eab5e73f5ca9410f0efc406))
 * updated generation of changelog. ([357bded](https://github.com/wenisch-tech/wordpress-keystone-oidc/commit/357bded5f6cd824859dfc4710d72bdbec60da983))

#### Documentation

 * added “Report a bug” button to plugin page ([8281f6c](https://github.com/wenisch-tech/wordpress-keystone-oidc/commit/8281f6c5cfd9474e785c06eaf562e1a2cb84f47d))

#### 1.0.0

 * Initial release
 * Authorization Code Flow with PKCE
 * RS256 JWT tokens
 * Multi-client admin UI with secret management
 * OIDC Discovery endpoint
 * Refresh token support

## Installation

 1. Upload the `keystone-oidc` folder to `/wp-content/plugins/`
 2. Activate the plugin through the **Plugins** menu
 3. Navigate to **OIDC Provider** in the admin sidebar to create your first client

Alternatively, download the `keystone-oidc.zip` from the [GitHub Releases](https://github.com/wenisch-tech/wordpress-keystone-oidc/releases)
page and upload it via **Plugins → Add New → Upload Plugin**.

## FAQ

### What OIDC flows are supported?

Authorization Code Flow (with and without PKCE). This is the most secure flow and
suitable for all application types.

### Where is the client secret stored?

Client secrets are **hashed** using WordPress’s password hashing (bcrypt). The plaintext
secret is shown only once upon creation or reset and is never stored in the database.

### Does this plugin support multiple clients?

Yes – you can create as many OIDC clients as you need from the admin panel.

### What happens if I rotate signing keys?

All previously issued tokens will immediately become invalid. Use the **Settings**
page to rotate keys when needed (e.g., after a security incident).

### Is PKCE supported?

Yes, both `S256` and `plain` code challenge methods are supported.
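The two methods differ in what the `code_challenge` reveals, and RFC 7636 requires a client that can compute `S256` to use it. The sketch below is an added example following RFC 7636, not the plugin's own code; all function names are hypothetical. It derives the challenge on the client side, verifies it the way a token endpoint would, and shows that with `plain` the challenge itself passes as the verifier.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """Client: 32 random bytes give a 43-character code_verifier."""
    return b64url(secrets.token_bytes(32))


def challenge_for(verifier: str, method: str) -> str:
    """Client: the code_challenge sent in the authorization request."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_pkce(stored_challenge: str, method: str, presented: str) -> bool:
    """Token endpoint: recompute from the presented verifier, compare in constant time."""
    if not VERIFIER_RE.fullmatch(presented):
        return False
    expected = challenge_for(presented, method)
    return hmac.compare_digest(expected.encode(), stored_challenge.encode())


def challenge_alone_suffices(method: str) -> bool:
    """Does knowing only the code_challenge (visible in the authorization
    request URL) satisfy the token endpoint check? True means no protection."""
    challenge = challenge_for(new_verifier(), method)
    return verify_pkce(challenge, method, challenge)
```
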

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Keystone OIDC” is open source software. The following people have contributed to
this plugin.

Contributors

 *   [ jfwenisch ](https://profiles.wordpress.org/jfwenisch/)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/keystone-oidc/), check
out the [SVN repository](https://plugins.svn.wordpress.org/keystone-oidc/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/keystone-oidc/) 
by [RSS](https://plugins.trac.wordpress.org/log/keystone-oidc/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 2.3.1

### [2.3.1](https://github.com/wenisch-tech/wordpress-keystone-oidc/compare/v2.3.0...v2.3.1) (2026-06-14)

### Documentation

 * ensured tested up to is properly set ([3f2ab22](https://github.com/wenisch-tech/wordpress-keystone-oidc/commit/3f2ab22b79a25e4130236a92c0b50c3b7afcc139))
 * quickstart section in readme ([20cd0a4](https://github.com/wenisch-tech/wordpress-keystone-oidc/commit/20cd0a412caa28ca8ef07198fd121480d03b8a5a))
 * updated readme ([960f77f](https://github.com/wenisch-tech/wordpress-keystone-oidc/commit/960f77fba6bdfa96b3637d32aa4c99a2835fe87b))

#### 2.3.0

## Meta

 * Version **2.3.1**
 * Last updated **3 days ago**
 * Active installations **Fewer than 10**
 * WordPress version **5.6 or higher**
 * Tested up to **7.0**
 * PHP version **7.4 or higher**
 * Language: [English (US)](https://wordpress.org/plugins/keystone-oidc/)
 * Tags: [authentication](https://hat.wordpress.org/plugins/tags/authentication/),
   [oauth2](https://hat.wordpress.org/plugins/tags/oauth2/),
   [oidc](https://hat.wordpress.org/plugins/tags/oidc/),
   [openid connect](https://hat.wordpress.org/plugins/tags/openid-connect/),
   [sso](https://hat.wordpress.org/plugins/tags/sso/)
