Integration guide · WordPress

WordPress single sign-on with CodeB.

Use the CodeB OpenID Connect provider as the identity source for a self-hosted WordPress site. One account, one password, auto-provisioning on first login, optional role mapping. Works with the popular OpenID Connect Generic plugin — no paid add-on required.

Time to first login: about 10 minutes. Tested against WordPress 6.x with OpenID Connect Generic by daggerhart (the most-installed OIDC plugin on wordpress.org).

Read this before attaching OIDC to an existing WordPress user. OIDC plugins typically link an existing local account to the IdP’s subject identifier (sub) on first sign-in. If the local username/email and the CodeB identity don’t line up correctly, the plugin may create a duplicate WordPress account instead of linking, or in some configurations rewrite the linked user’s role/profile fields on every sign-in. Decide up front who owns each field (WordPress or CodeB), and test with a throwaway user before pointing real admin accounts at OIDC.

Contents
  1. Prerequisites
  2. Install the plugin
  3. Register your WordPress client on CodeB
  4. Configure the plugin
  5. Map claims
  6. Role mapping
  7. Test the round trip
  8. Make a WordPress admin out of a CodeB user
  9. Troubleshooting
  10. Quick reference

1. Prerequisites

2. Install the OpenID Connect Generic plugin

In WordPress: Plugins → Add New. Search for OpenID Connect Generic. Author should be daggerhart. Click Install Now then Activate. After activation a new section appears under Settings → OpenID Connect Client.

Other OIDC plugins (WP OAuth Server client, miniOrange, etc.) also work — the field names will differ but the values are the same. This guide uses OpenID Connect Generic because it’s free, widely used, and treats CodeB as a generic OIDC provider with no vendor-specific assumptions.

3. Register your WordPress client on CodeB

The CodeB IdP requires every relying party to be pre-registered. Without an entry it returns invalid_client.

On the IIS host running CodeB, edit (or create) the file at:

D:\<your-codeb-deploy>\App_Data\<tenant-domain>\oidc\clients.json

For example, on the public deployment at phone.codeb.io the path is D:\aloaha\phone\App_Data\phone.codeb.io\oidc\clients.json. Add a client entry:

  {
    "clients": [
      {
        "client_id": "wordpress",
        // OpenID Connect Generic uses client_secret_post,
        // so this MUST be a confidential client.
        "client_secret": "REPLACE_WITH_A_STRONG_RANDOM_64_CHAR_VALUE",
        "redirect_uris": [
          "https://<your-wordpress>/wp-admin/admin-ajax.php?action=openid-connect-authorize"
        ],
        "description": "WordPress (OpenID Connect Generic plugin)"
      }
    ]
  }

The redirect URI shape is fixed by the plugin: /wp-admin/admin-ajax.php?action=openid-connect-authorize. Keep the full query string (CodeB matches the entire URL byte-for-byte, query string included). Include the port if your WordPress isn’t on the default HTTPS port.

Save the file. No IIS recycle is needed — the IdP mtime-checks clients.json and reloads it on the next OIDC request.

If you have multiple WordPress sites (staging, prod, blog) sharing the same CodeB tenant, list all their callback URIs in the same redirect_uris array. One client entry can serve many sites.
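A pre-flight check for the clients.json entry, added here as an example (not CodeB's or the plugin's code): it models the byte-for-byte redirect URI match and the confidential-client requirement this section and the troubleshooting section describe, and runs them against a constructed sample entry. It assumes clients.json is strict JSON without the // comment lines shown above.

```python
import json
from urllib.parse import urlsplit

PLUGIN_CALLBACK = "/wp-admin/admin-ajax.php?action=openid-connect-authorize"
PLACEHOLDER_SECRET = "REPLACE_WITH_A_STRONG_RANDOM_64_CHAR_VALUE"

# Constructed sample entry with two deliberate mistakes: plain-http callback, placeholder secret.
SAMPLE_CLIENTS_JSON = """{
  "clients": [
    {
      "client_id": "wordpress",
      "client_secret": "REPLACE_WITH_A_STRONG_RANDOM_64_CHAR_VALUE",
      "redirect_uris": [
        "http://blog.example.org/wp-admin/admin-ajax.php?action=openid-connect-authorize",
        "https://staging.example.org:8443/wp-admin/admin-ajax.php?action=openid-connect-authorize"
      ],
      "description": "WordPress (OpenID Connect Generic plugin)"
    }
  ]
}"""


def expected_redirect_uri(site_url):
    """Exact callback the plugin sends: scheme, host, non-default port and sub-directory kept."""
    p = urlsplit(site_url)
    return f"{p.scheme}://{p.netloc}{p.path.rstrip('/')}{PLUGIN_CALLBACK}"


def check_client(clients_json, client_id, site_url):
    """Return the list of problems CodeB would trip over; an empty list means the entry is usable."""
    problems = []
    clients = {c["client_id"]: c for c in json.loads(clients_json)["clients"]}
    client = clients.get(client_id)
    if client is None:
        return [f"no client_id {client_id!r} in clients.json (CodeB answers invalid_client)"]
    want = expected_redirect_uri(site_url)
    uris = client.get("redirect_uris", [])
    if want not in uris:
        problems.append(f"callback not registered byte-for-byte, expected {want!r}")
        for uri in uris:  # name the usual near misses so they are easy to spot
            if uri.rstrip("/") == want or uri.split("?")[0] == want.split("?")[0]:
                problems.append(f"near miss {uri!r}: trailing slash or missing query string")
            elif uri.replace("http://", "https://", 1) == want:
                problems.append(f"near miss {uri!r}: http instead of https")
    secret = client.get("client_secret", "")
    if not secret:  # public client: CodeB then expects PKCE, which the plugin does not send
        problems.append("empty client_secret: expect invalid_request at /authorize")
    elif secret == PLACEHOLDER_SECRET or len(secret) < 32:
        problems.append("client_secret is the placeholder or shorter than 32 characters")
    return problems
```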

4. Configure the plugin

In WordPress: Settings → OpenID Connect Client. Fill the form:

  Field                          Value
  Login Type                     OpenID Connect button on login form (or Auto Login if you want to force OIDC for everyone)
  Client ID                      wordpress (must match what you put in clients.json)
  Client Secret Key              Paste the same value you put in client_secret
  OpenID Scope                   openid profile email
  Login Endpoint URL             https://phone.codeb.io/oidc.ashx?action=authorize
  Userinfo Endpoint URL          https://phone.codeb.io/oidc.ashx?action=userinfo
  Token Validation Endpoint URL  https://phone.codeb.io/oidc.ashx?action=token
  End Session Endpoint URL       https://phone.codeb.io/oidc.ashx?action=end_session
  ACR values                     (leave blank unless you need step-up)
  Identity Key                   preferred_username (the CodeB username)
  Nickname Key                   preferred_username
  Email Formatting               {email}
  Display Name Formatting        {name} (falls back to nickname if name is unset)
  Link Existing Users            on — match by email when first signing in, then link to OIDC for future logins
  Create user if does not exist  on — auto-provision new accounts on first sign-in
  Enforce Privacy                off (unless you want to require OIDC for ALL logins, including admin)

Save. The plugin doesn’t auto-discover endpoints — everything is pasted explicitly, which matches CodeB’s philosophy: predictable, auditable, no magic.

The End Session Endpoint URL is important for clean user switching. When a WordPress user signs out, the plugin redirects through this URL, which makes CodeB clear the SSO assertion in the browser’s localStorage at phone.codeb.io. Without it, the next sign-in silently auto-authenticates as the previously-signed-in CodeB user.

5. Map claims

CodeB emits a standard set of OIDC claims. The plugin reads them as follows:

  CodeB claim         WordPress field                           Notes
  sub                 (internal OIDC subject identifier)        Stable per user. Used to link a WordPress account to a CodeB identity. Don’t reuse subs across users.
  preferred_username  Username / login                          Configurable via “Identity Key”. Becomes the WordPress login on auto-provisioning.
  name                Display name                              From CodeB user profile. Falls back to nickname if blank.
  email               Email                                     From CodeB user profile. Used for “Link Existing Users”.
  role                (not used by the plugin out of the box)   See section 6 for role mapping.
  groups              (not used by the plugin out of the box)   WordPress doesn’t have a built-in groups concept; some membership plugins can consume groups via filters.

Set the user’s profile fields in CodeB’s register.html admin page: edit the user and fill in Name, Email, etc.

6. Role mapping

By default, OpenID Connect Generic creates new WordPress users with the Default Role set under Settings → General (typically Subscriber). Existing linked users keep whatever WordPress role they already had.

To make role assignment driven by CodeB, the easiest path is a small functions.php snippet that reads the role claim on every sign-in:

  // In your theme's functions.php or a custom mu-plugin.
  // Listens for the OIDC plugin's post-login hook and sets the WP role
  // based on CodeB's "role" claim. Adjust the mapping to taste.
  add_action( 'openid-connect-generic-user-logged-in', function ( $user, $token_response ) {
      if ( empty( $token_response['id_token'] ) ) {
          return; // nothing to read; leave the WordPress role as it is
      }
      // The plugin has already obtained this id_token from CodeB's token endpoint over HTTPS.
      // Here we only decode the payload (second JWT segment, base64url) to read the claims.
      $payload = explode( '.', $token_response['id_token'] )[1];
      $claims  = json_decode( base64_decode( str_replace( array( '-', '_' ), array( '+', '/' ), $payload ) ), true );
      $codeb_role = isset( $claims['role'] ) ? $claims['role'] : 'user';
      $map = array(
          'admin' => 'administrator',
          'user'  => 'subscriber',
          'guest' => 'subscriber',
      );
      // Roles not listed in $map leave the WordPress role untouched.
      if ( isset( $map[ $codeb_role ] ) ) {
          $user->set_role( $map[ $codeb_role ] );
      }
  }, 10, 2 );

Result: every time a CodeB user with role: "admin" signs in, their WordPress role is set to Administrator. Adjust the map to reflect your WordPress role taxonomy (editor, author, contributor, etc.). Drop admin back to subscriber in the same map if you want CodeB-side downgrades to propagate.

This snippet rewrites the WordPress role on every sign-in. If you also manage roles locally in WordPress (say you granted a user Editor manually), the next OIDC sign-in will overwrite it. Pick one source of truth: either CodeB drives roles (use the snippet) or WordPress does (skip the snippet). Don’t mix.
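To exercise the role map and the claim handling from sections 5 and 6 before deploying the snippet, here is an added Python model of what it does to an id_token (not the plugin's or CodeB's code). The token is constructed and its signature segment is a dummy, because the plugin, not this script, performs the token exchange and validation with CodeB.

```python
import base64
import json

# Same map as the PHP snippet; a CodeB role that is not listed leaves the WP role untouched.
ROLE_MAP = {"admin": "administrator", "user": "subscriber", "guest": "subscriber"}


def decode_jwt_payload(id_token):
    """Read the claims from the second (payload) segment of a JWT, without verifying it.
    JWT segments are unpadded base64url; Python's decoder needs the padding restored
    (PHP's base64_decode tolerates missing padding, which is why the snippet can skip this)."""
    segment = id_token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def wordpress_role_for(claims, current_role):
    """Role the user ends up with. The snippet defaults a missing claim to 'user', so an
    account whose token carries no role claim is downgraded to subscriber on sign-in."""
    return ROLE_MAP.get(claims.get("role", "user"), current_role)


def provision_fields(claims):
    """User fields the plugin derives from the claims under the section 4 settings."""
    nickname = claims["preferred_username"]              # Identity Key and Nickname Key
    return {
        "user_login": nickname,
        "nickname": nickname,
        "user_email": claims.get("email", ""),           # Email Formatting {email}
        "display_name": claims.get("name") or nickname,  # {name}, nickname if unset
    }


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed id_token (header.payload.signature) with a dummy signature segment.
SAMPLE_CLAIMS = {"sub": "sample-sub-0001", "preferred_username": "alice", "name": "",
                 "email": "alice@example.org", "role": "admin"}
SAMPLE_ID_TOKEN = ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'),
                            _b64url(json.dumps(SAMPLE_CLAIMS).encode()), "dummy-signature"])
```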

7. Test the round trip

  1. Open an incognito WordPress login page.
  2. Click the Login with OpenID Connect button under the standard login form.
  3. Your browser bounces to https://phone.codeb.io/login.html.
  4. Enter a CodeB username + password. The browser hashes the password to HA1 locally and posts only the hash — CodeB never sees the plaintext.
  5. On success, you land back at WordPress, signed in. First-time login auto-provisions a WordPress account with the claims above.

Verify in WordPress: Users → All Users shows the new user with the configured email and role. The user record will carry an openid-connect-generic-subject-identity meta key matching the CodeB sub.

8. Make a WordPress admin out of a CodeB user

Two ways:

  1. Manually in WordPress. Sign the user in once via OIDC so the account exists, then go to Users → All Users, edit the user, change Role to Administrator. Don’t use the role-mapping snippet from section 6 (otherwise the next sign-in will revert).
  2. Driven from CodeB. Set the user’s CodeB role to admin in register.html, and use the snippet from section 6 so the role claim maps to Administrator on every sign-in.

For more granular control (editor vs admin, multiple admin tiers, capability-level mapping), look at the openid-connect-generic-user-logged-in hook and combine it with WordPress’s wp_roles() + capabilities API.

9. Troubleshooting

  Symptom: invalid_client from CodeB
  Likely cause / fix: The redirect URI WordPress sent doesn’t match anything in clients.json. CodeB requires a byte-for-byte match. Check the URI in your browser’s address bar at the moment of the error and copy it verbatim into redirect_uris.

  Symptom: invalid_request at /authorize
  Likely cause / fix: CodeB expects PKCE (public client) but the plugin isn’t sending a code_challenge. Add a non-empty client_secret in clients.json — CodeB will then treat the client as confidential and accept the request without PKCE.

  Symptom: invalid_client at /token
  Likely cause / fix: The plugin posted the wrong client_secret. Open WordPress Settings → OpenID Connect Client and confirm the secret matches clients.json exactly (no trailing whitespace, no smart quotes from copy-paste).

  Symptom: WordPress creates a new user on every sign-in instead of linking
  Likely cause / fix: The plugin’s Link Existing Users setting must be ON, and the CodeB user’s email claim must exactly match the existing WordPress account’s email. Set the email in CodeB’s register.html.

  Symptom: Plugin says “HTTP error” talking to /token or /userinfo
  Likely cause / fix: WordPress’s server-side wp_remote_post couldn’t reach CodeB. Check firewall rules / proxy settings on the WordPress host. The browser doesn’t do the token exchange — the WordPress PHP process does, and it needs outbound HTTPS to phone.codeb.io.

  Symptom: SSL verification failed
  Likely cause / fix: Your WordPress host doesn’t trust the CodeB SSL certificate. If you’re self-hosting CodeB with a private CA, install the CA cert in the WordPress host’s trust store, OR enable the plugin’s “Disable SSL verification” option (last resort — do not leave this on in production).

  Symptom: User stays logged in after WordPress logout
  Likely cause / fix: Set the End Session Endpoint URL in the plugin config to https://phone.codeb.io/oidc.ashx?action=end_session. Without it, the CodeB SSO assertion in browser localStorage survives the WordPress logout and the next sign-in auto-mints as the previous user.

  Symptom: Locked out of admin during testing
  Likely cause / fix: Add ?loggedout=true to the WordPress login URL, or rename the OpenID Connect Generic plugin folder in wp-content/plugins/ via FTP / SSH to temporarily disable it and regain access via the standard WordPress login.

10. Quick reference

  What                        Value
  CodeB authorize endpoint    https://phone.codeb.io/oidc.ashx?action=authorize
  CodeB token endpoint        https://phone.codeb.io/oidc.ashx?action=token
  CodeB userinfo endpoint     https://phone.codeb.io/oidc.ashx?action=userinfo
  CodeB end_session endpoint  https://phone.codeb.io/oidc.ashx?action=end_session
  CodeB discovery document    https://phone.codeb.io/.well-known/openid-configuration
  CodeB JWKS                  https://phone.codeb.io/oidc.ashx?action=jwks
  Default WordPress callback  https://<wordpress>/wp-admin/admin-ajax.php?action=openid-connect-authorize
  Supported scopes            openid profile email
  Signing algorithm           RS256
  PKCE                        S256 (required for public clients; optional for confidential)
  OIDC plugin                 OpenID Connect Generic (daggerhart)