Tags: wordpress, oauth-2.0, single-sign-on

Wordpress Single Sign On Client free plugin to authenticate users against external OAuth2 server


I'm working on a project for a client who has their own OAuth2 SSO authentication server they use on multiple different apps.

Previously their Wordpress website was password-protected (in order to access it they used the Password Protected plugin, which hid everything on the website until the user input one specific shared password).

Now they want their Wordpress website to:

  • Immediately redirect to their (non-wordpress) SSO login website

  • After logging in (or detecting that the user is already logged in) redirect back to the Wordpress site. I already have all the requirements - client ID, realm, secret, I am on the whitelist of the SSO server

  • There are no requirements to sign REST requests or anything. All the SSO needs is to restrict the data on the wordpress site unless the user is already logged in on their server, or redirect them to the server if they are not logged in and after logging in redirect them back with the redirect-uri parameter.

However, I am having trouble finding the right plugin, since there is no budget for a paid plugin. I have tried miniOrange, but in order to restrict all access to users who are not logged in I'd have to use the paid version. Oauth0 is also paid.

Is there any other plugin or a set of plugins that would help me?


Solution

  • In case anyone discovered this post, I managed to finish it myself. I used this plugin but had to manually rewrite it quite a lot, changing the conditions on when to call the authentication endpoint (call it on init rather than on url route parameter change), had to write new code for calling the refresh token endpoint and logout endpoint and all sorts of other stuff.

    Sadly, I can't publish the newly edited plugin, since my client wouldn't allow it. The takeaway from this is that if you want SSO against an external identity provider in such a way that without being logged in through your SSO you can't view the page, it's difficult and you'd either have to pay money for an expensive plugin or extend an existing plugin, spending days figuring out how to do it.
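The approach the answer describes (gate every request on `init`, send unauthenticated visitors to the external authorization endpoint, finish the code exchange on a callback URL) as an added example, written here for illustration and not the plugin the answerer modified. The endpoint URLs, client credentials, callback path, `openid email` scope and the assumption that the userinfo response carries an `email` field are all placeholders; refresh and logout handling are left out.

```php
<?php
/* Plugin Name: External OAuth2 gate (added example, not the original plugin) */
// Assumed values: endpoints, client credentials and callback path are placeholders.
const SSO_AUTH_URL      = 'https://sso.example.com/oauth/authorize';
const SSO_TOKEN_URL     = 'https://sso.example.com/oauth/token';
const SSO_USERINFO_URL  = 'https://sso.example.com/oauth/userinfo';
const SSO_CLIENT_ID     = 'CLIENT_ID_PLACEHOLDER';
const SSO_CLIENT_SECRET = 'CLIENT_SECRET_PLACEHOLDER';
const SSO_CALLBACK      = '/sso-callback/';

add_action('init', function () {
    if (is_user_logged_in() || wp_doing_cron() || wp_doing_ajax()) {
        return;                                   // already has a local session
    }
    $redirect_uri = home_url(SSO_CALLBACK);
    $path = wp_parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    if (untrailingslashit($path) === untrailingslashit(wp_parse_url($redirect_uri, PHP_URL_PATH))) {
        sso_gate_callback($redirect_uri);
        exit;
    }
    // Bind the round trip to this browser: random state in a short-lived cookie.
    $state = bin2hex(random_bytes(16));
    setcookie('sso_state', $state, ['expires' => time() + 300, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    wp_redirect(add_query_arg([                   // external host, so not wp_safe_redirect
        'response_type' => 'code', 'client_id' => SSO_CLIENT_ID, 'state' => $state,
        'redirect_uri' => $redirect_uri, 'scope' => 'openid email',
    ], SSO_AUTH_URL));
    exit;
});

function sso_gate_callback(string $redirect_uri): void {
    $state = $_GET['state'] ?? '';
    // Reject any callback whose state was not issued to this browser (CSRF / login fixation).
    if ($state === '' || !hash_equals($_COOKIE['sso_state'] ?? '', $state)) {
        wp_die('Invalid SSO state', 'SSO error', 403);
    }
    $resp = wp_remote_post(SSO_TOKEN_URL, ['timeout' => 10, 'body' => [
        'grant_type' => 'authorization_code', 'code' => $_GET['code'] ?? '',
        'redirect_uri' => $redirect_uri, 'client_id' => SSO_CLIENT_ID,
        'client_secret' => SSO_CLIENT_SECRET]]);
    $token = json_decode(wp_remote_retrieve_body($resp), true);
    if (is_wp_error($resp) || empty($token['access_token'])) {
        wp_die('Token exchange failed', 'SSO error', 403);
    }
    $info = json_decode(wp_remote_retrieve_body(wp_remote_get(SSO_USERINFO_URL,
        ['headers' => ['Authorization' => 'Bearer ' . $token['access_token']]])), true);
    $user = is_email($info['email'] ?? '') ? get_user_by('email', $info['email']) : false;
    if (!$user) {                                 // no auto-provisioning: unknown identities are refused
        wp_die('No local account for this identity', 'SSO error', 403);
    }
    wp_set_auth_cookie($user->ID, false);         // local WordPress session for the mapped user
    setcookie('sso_state', '', ['expires' => time() - 3600, 'path' => '/']);
    wp_safe_redirect(home_url('/'));
}
```

Because the gate also covers `wp-login.php`, local password login is disabled by design, which matches the requirement in the question; keep a break-glass path (WP-CLI or disabling the plugin on disk) in mind before deploying.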