Integrating Keycloak with WordPress

RajeshKumar1

Integrating Keycloak with WordPress allows you to offload authentication and authorization to a centralized Identity Provider (IdP), giving you features like Single Sign-On (SSO), Role-Based Access Control (RBAC), and user federation. Below is a step-by-step guide to fully integrate Keycloak and WordPress for both authentication and authorization.

✅ Prerequisites

A running Keycloak server (on-premises or cloud).
Admin access to your WordPress site.
HTTPS enabled on both WordPress and Keycloak (SSO requires secure endpoints).
A Keycloak realm configured.

🔧 Step-by-Step Integration Guide

Step 1: Install Required Plugin in WordPress

You'll need an OAuth or OpenID Connect plugin. Recommended:

Free: WP OAuth Client by miniOrange
Premium (more features like role mapping): miniOrange OAuth / OIDC SSO Premium

Install:

Go to Plugins > Add New
Search for: miniOrange OAuth
Click Install and then Activate

Step 2: Create a New Client in Keycloak

Go to your Keycloak Admin Console
Select your realm
Click on Clients > Create
Set the following:
- Client ID: wordpress
- Client Protocol: openid-connect
- Root URL: https://your-wordpress-site.com/
Click Save

Step 3: Configure Client Settings in Keycloak

On the Settings tab:

Valid Redirect URIs:
- https://your-wordpress-site.com/*
Base URL:
- https://your-wordpress-site.com/
Admin URL: (optional)
- https://your-wordpress-site.com/wp-admin
Web Origins:
- +

On the Credentials tab:

Copy the Secret – you'll use this in the WordPress plugin.

Step 4: Set up Roles and Mappers in Keycloak (for Authorization)

🔹 Define WordPress Roles in Keycloak:

Go to your Client → Roles
Create roles like: editor, author, subscriber, etc.

🔹 Add Role Mapper:

Go to Client → Mappers
Click Create
- Name: roles
- Mapper Type: User Client Role
- Token Claim Name: roles
- Claim JSON Type: String
- Add to ID token: ON
- Add to access token: ON
- Add to userinfo: ON

Step 5: Configure miniOrange Plugin in WordPress

Go to miniOrange OAuth Client settings in WordPress
Fill the following:

➤ Identity Provider Settings:

Client ID: wordpress
Client Secret: (paste from Keycloak)
Scope: openid profile email
Authorization Endpoint:
- https://<keycloak-domain>/realms/<realm-name>/protocol/openid-connect/auth
Token Endpoint:
- https://<keycloak-domain>/realms/<realm-name>/protocol/openid-connect/token
User Info Endpoint:
- https://<keycloak-domain>/realms/<realm-name>/protocol/openid-connect/userinfo
Click Save Settings

Step 6: Test SSO Login

Visit https://your-wordpress-site.com/wp-login.php
You should now see a “Login with Keycloak” button.
Clicking it should redirect to Keycloak → authenticate → redirect back to WordPress.

Step 7: Map Keycloak Roles to WordPress Roles (Authorization)

If you're using the premium version, you can:

Go to Role Mapping in miniOrange plugin
Map Keycloak role names (like editor, subscriber) to WordPress roles

Alternatively, write a custom PHP hook (free option):

add_filter('mo_oauth_map_user_role', 'map_keycloak_roles_to_wp', 10, 2);
function map_keycloak_roles_to_wp($roles, $user) {
    if (in_array('editor', $user->roles)) {
        $roles[] = 'editor';
    } elseif (in_array('subscriber', $user->roles)) {
        $roles[] = 'subscriber';
    }
    return $roles;
}

✅ Optional: Enable Auto-Registration

If the user doesn't exist in WordPress, enable:

Auto Create Users – so Keycloak users are automatically created in WordPress upon first login.

🔐 Optional: Secure WordPress with Only Keycloak Login

In plugin settings, disable default WP login.
Redirect all login access to Keycloak SSO.

🧪 Troubleshooting Tips

| Problem | Solution |
| ----------------------- | ----------------------------------------------------- |
| 403 error after login | Check redirect URI and web origin in Keycloak |
| Users not getting roles | Check if role mapper is added in Keycloak |
| No login button | Ensure plugin is activated and properly configured |
| "Invalid client secret" | Make sure WordPress secret matches Keycloak's |

🔄 Flow Diagram (SSO)

User → WP Login → Redirect to Keycloak
   → Keycloak Auth → Redirect back with token
   → WordPress uses token to fetch profile
   → Auto-login or auto-register user

🔚 Summary

| Feature | Handled by |
| --------------------- | ------------------------------------------ |
| Authentication (SSO) | Keycloak + OAuth Plugin |
| Authorization (Roles) | Keycloak Role Mapper + Plugin Role Mapping |
| User Management | Keycloak |
| Auto-provision | WordPress plugin settings |

Would you like me to provide a Docker-based local setup of WordPress + Keycloak for dev testing?

RajeshKumar1

Step-by-Step Guide: Integrating Keycloak and WordPress for Authentication & Authorization

Integrating Keycloak (an open-source identity provider) with WordPress allows you to centralize authentication and authorization for your WordPress users. Below, you'll find two popular integration methods—via the OAuth/OpenID Connect protocol and SAML—each using standard or community-supported plugins.

Method 1: OAuth/OpenID Connect with Keycloak

This is the recommended and modern approach. It uses plugins like "WP OAuth Single Sign-On (SSO)" or "OpenID Connect Generic Client".

1. Prepare Keycloak

Create a Keycloak Client:
- Login to the Keycloak admin console.
- Navigate to the relevant realm.
- Go to Clients > Create Client.
- Set Client ID (e.g., wordpress) and Client Protocol to openid-connect.
- Click Next.
- Set Access type to confidential. Save the client.
- Set Valid Redirect URIs to your WordPress OAuth callback URL (e.g., https://yourwordpress.com/* if wildcards are allowed, or plug-in specific).
- After saving, Keycloak will provide a Client Secret under the Credentials tab.

2. Install & Configure the WordPress Plugin

Install a plugin such as:
- "WP OAuth Single Sign-On (SSO)"
- "miniOrange OAuth Single Sign-On"
- "OpenID-Connect-Generic" by Daggerhart[1][2][3][4]
Go to Plugins → Add New, search for your chosen plugin, then install and activate it.
In plugin settings, fill these details (using your Keycloak info):
- Client ID: (from Keycloak)
- Client Secret: (from Keycloak)
- Authorization Endpoint: https:///auth/realms//protocol/openid-connect/auth
- Token Endpoint: https:///auth/realms//protocol/openid-connect/token
- Userinfo Endpoint: https:///auth/realms//protocol/openid-connect/userinfo
- Other scopes and settings as needed (e.g., openid profile email).
Map roles: Many plugins allow you to map WordPress roles to Keycloak roles.
Save the configuration and try a test login.

Method 2: SAML (Alternative)

If you prefer SAML (widely supported in enterprise environments):

1. Prepare Keycloak for SAML

In Keycloak, create a new Client with “SAML” as protocol.[5][6][7]
Set the Client SAML Endpoint to your WordPress SAML plugin’s ACS (Assertion Consumer Service) URL.
Configure other SAML settings as required (NameID format, attributes).

2. WordPress Plugin Setup

Install "SAML Single Sign-On – SSO Login" or "miniOrange SAML SP" plugin.
In plugin setup, specify Keycloak's SAML configuration (metadata, certificate, endpoints).
Map fields as needed (e.g., email, username, role).
Test the SSO connection.

Additional Tips

Role/Group Mapping: Most premium plugins allow dynamic mapping of Keycloak roles/groups to WordPress roles for authorization control.[6][2]
Widgets/Login Buttons: Customize or place SSO login buttons using widget/sidebar options in your chosen plugin.
Troubleshooting: Enable plugin logs to debug integration issues.
Security: Always verify SSL certificates and use strong secrets.

Popular Plugins for Keycloak-WordPress SSO

| Plugin Name | Protocol | Free/Paid | Role Mapping | Notes |
|----------------------------------------|--------------|-----------|--------------|------------------------------------|
| miniOrange SSO (OAuth/OIDC & SAML) | OAuth, SAML | Both | Yes (Premium)| Widely used, strong docs[8][5][6] |
| OpenID-Connect-Generic | OIDC | Free | No | Simple setup[1][4] |
| SAML Single Sign On – SSO Login | SAML | Both | Yes (Premium)| Supports many IdPs[9][10] |

Summary

For most users: Use OAuth/OpenID Connect for easier setup and better integration with modern apps.
For enterprises: Use SAML if your environment or compliance requires it.
Always test with a real user account before rolling out.

You can find detailed screenshots and support on the plugin pages noted above. Integration generally requires only plugin configuration and some copy/paste between Keycloak and WordPress, and you can customize the user experience and authorization behaviors through plugin role-mapping options.[2][11][6][1]

[1] https://www.puppeteers.net/blog/how-to-add-openid-to-wordpress-with-keycloak/
[2] https://wordpress.com/plugins/miniorange-login-with-eve-online-google-facebook
[3] https://www.youtube.com/watch?v=8mx9oYvVWEs
[4] https://github.com/nicko170/wp-openid
[5] https://plugins.miniorange.com/keycloak-single-sign-on-wordpress-sso-saml
[6] https://cloudinfrastructureservices.co.uk/wordpress-sso-single-sign-on/wordpress-sso-using-keycloak-as-saml-idp/
[7] https://www.youtube.com/watch?v=rPG8-lIIHHc
[8] https://plugins.miniorange.com/keycloak-single-sign-on-wordpress-sso-oauth-openid-connect
[9] https://ja.wordpress.org/plugins/saml-sso-wp-single-sign-on/
[10] https://wordpress.org/plugins/miniorange-saml-20-single-sign-on/
[11] https://www.bitcot.com/integration-of-keycloak-with-shopify-and-wordpress/
[12] https://qiita.com/katakura__pro/items/1e65e0bde7fda75332a1
[13] https://openstandia.jp/tech/column/ac_keycloak20231203/
[14] https://qiita.com/s-takino/items/f914c4052a051f19782d
[15] https://lab.astamuse.co.jp/entry/keycloak/kc_gatekeeper_and_wordpress