OAuth 2.0 is a protocol that allows you to connect to a third-party API securely. Your API docs should tell you whether or not your API uses OAuth 2.0.
This article is a high-level look at the features of the OAuth 2.0 plugin and how the plugin works.
Within the OAuth 2.0 protocol, there are several different types of ‘Grant Types’. These are basically just different methods or variants of OAuth 2.0 and require a slightly different setup to one another. Your docs will tell you which Grant Type it uses.
Our OAuth 2.0 plugin supports the following Grant Types:
- Authorization Code
- Authorization Code with PKCE
- Client Credentials
- We’ve also added a ‘custom’ option for API’s that don’t strictly follow a protocol
Saving Access Token
Once you have filled in and saved your specific OAuth details, a ‘Get Token’ or ‘Authorize’ button will appear, depending on your Grant Type.
Clicking this button will call your OAuth 2.0 token endpoint and if everything is setup correctly, it will return an access token and this access token will be saved in your database for use in your API calls.
Using the Access Token
With the access token saved, you can now setup the API endpoints that you need to call.
Wherever your token needs to be included within these API calls, you simply need to add wpgetapi_oauth_token and the plugin will replace this keyword with the actual token that is saved.
Refreshing the Access Token
The whole point of OAuth 2.0 is that access tokens are short-lived, meaning that they usually expire after an hour or maybe sometimes a little longer. So that after the token is expired, your API calls will no longer work.
Our plugin handles the automatic refresh of tokens so that your access token is always valid.
This is why we use the wpgetapi_oauth_token keyword in place of the actual token. The plugin sees this keyword and looks for a valid access token. If the token is expired or not valid, it will do the necessary token refresh in the background to get a new token that is valid. It then replaces wpgetapi_oauth_token with the new token.
Essentially this plugin is a set-and-forget plugin. It needs to be configured once and then it simply works in the background to keep your access token up to date.