Free WordPress OAuth 2.0 and OpenID Connect SSO plugin

Secure SSO for WordPress, built from the admin outward.

aOAUTH Client SSO 2.6.7 adds provider-based WordPress login, account linking, role-based redirects, configurable sign-in buttons, bot verification, activity logs, and backup tools without a paid license gate.

100% free. Current version: 2.6.7. 13 providers.

Connect WordPress with identity providers people already use

Google, GitHub, Microsoft, Apple, Okta, Keycloak, Auth0, OneLogin, GitLab, Facebook, LinkedIn, Generic OIDC, Custom OAuth

SSO that feels native to your site.

Built for WordPress teams that need real OAuth/OIDC flows, administrator control, clear user mapping, and practical troubleshooting tools.

01. OAuth 2.0 and OIDC flows

Starts provider login from WordPress, stores signed state, uses nonce values for OIDC, and supports PKCE S256 during authorization.

02. Provider setup wizard

Add, edit, test, enable, disable, or delete provider applications from the WordPress admin area.

03. User mapping controls

Auto-create WordPress users, choose a default role, link existing accounts, or require password confirmation when an email already exists.

04. Self-service account linking

Let logged-in users link or disconnect SSO providers with the real front-end shortcodes built into the plugin.

05. Configurable sign-in UX

Choose button themes, layouts, login-page placement, front-end brand badge behavior, and bot verification overlay style.

06. Admin tools and logs

Use activity logs, CSV export, log retention, config backup/restore, maintenance cleanup, and factory reset tools.

Modern identity coverage.

The plugin registers provider classes for social, developer, enterprise, generic OIDC, and custom OAuth identity systems.

Google: OAuth sign-in for Google accounts.

GitHub: Developer-friendly repository identity.

Microsoft: Microsoft identity platform support.

Apple: Privacy-forward Apple account login.

Auth0: Hosted identity and OIDC workflows.

Okta: Workforce and customer identity access.

Keycloak: Open-source identity management.

OneLogin: Identity provider application support.

GitLab: GitLab account authentication.

Facebook: Social login provider support.

LinkedIn: Professional account authentication.

Generic OIDC: Standards-based OpenID Connect setup.

Custom OAuth: Bring your own authorization server.

Security controls from the actual flow.

The plugin validates login requests, protects OAuth callbacks, and gives administrators tunable defenses for production sites.

State, nonce, and PKCE

Login initiation creates signed state, OIDC nonce values, temporary transients, and PKCE code challenges for authorization requests.
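
The signed state, nonce, and PKCE S256 values described above can be generated and checked along these lines. This is an added PHP example, not code from aOAUTH Client SSO; the function names, the state layout, and the demo key are assumptions made for illustration.

```php
<?php
// Added illustration; not aOAUTH Client SSO source. All names here are hypothetical.

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Build the per-login values: PKCE verifier/challenge, OIDC nonce, and a state
// token of the form payload.signature, signed with a server-side secret.
function start_login(string $provider, string $key, int $now): array {
    $verifier  = b64url(random_bytes(32));                 // 43 chars, within RFC 7636 limits
    $challenge = b64url(hash('sha256', $verifier, true));  // S256 method
    $nonce     = b64url(random_bytes(16));
    $payload   = b64url(json_encode([
        'p' => $provider, 'id' => b64url(random_bytes(16)), 'exp' => $now + 600,
    ]));
    $state = $payload . '.' . b64url(hash_hmac('sha256', $payload, $key, true));
    return [
        // Kept server-side until the callback (the page mentions temporary transients).
        'stored' => ['verifier' => $verifier, 'nonce' => $nonce, 'state' => $state],
        // Sent to the authorization endpoint; client_id, redirect_uri, scope omitted here.
        'query'  => http_build_query([
            'response_type' => 'code', 'state' => $state, 'nonce' => $nonce,
            'code_challenge' => $challenge, 'code_challenge_method' => 'S256',
        ]),
    ];
}

// Callback check: signature, expiry, provider binding, and match with the stored value.
function check_state(string $returned, array $stored, string $provider, string $key, int $now): bool {
    $parts = explode('.', $returned);
    if (count($parts) !== 2) return false;
    [$payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $key, true));
    if (!hash_equals($expected, $sig)) return false;        // constant-time compare
    $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) < $now) return false;
    if (($claims['p'] ?? null) !== $provider) return false;
    return hash_equals($stored['state'] ?? '', $returned);
}

$key   = 'constructed-demo-key';   // constructed value; use a long random secret in practice
$login = start_login('google', $key, time());
$state = $login['stored']['state'];
var_dump(check_state($state, $login['stored'], 'google', $key, time()));        // untouched state
var_dump(check_state($state . 'x', $login['stored'], 'google', $key, time()));  // tampered state
var_dump(check_state($state, $login['stored'], 'google', $key, time() + 601));  // past expiry
```

After the state check passes, the stored verifier is sent as `code_verifier` in the token request, and the stored nonce is compared with the `nonce` claim of the returned ID token.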

Endpoint and redirect validation

OAuth endpoints are checked as public HTTPS URLs, and redirect targets are validated before users are sent after login.

Bot and rate protection

Optional Cloudflare Turnstile or Google reCAPTCHA v3 verification, login rate limits, and account-linking lockouts are built in.

Go from repository to working SSO.

Install the free plugin, add a provider in the wizard, and tune the WordPress login experience from the admin tabs.

  1. Download the plugin

    Download the current source archive from GitHub or review the repository at awhadi/aoauth-client-sso.

  2. Create and test a provider

    Use the plugin wizard to configure client credentials, scopes, endpoints, discovery data, and the callback URL shown in WordPress.

  3. Tune users and sign-in

    Choose auto-create behavior, default role, role redirects, account linking, button theme, layout, position, logs, and optional bot protection.

Real account-management shortcodes.

The plugin exposes shortcodes for logged-in users to manage linked SSO providers on front-end pages.

Link an SSO provider

Shows enabled providers that the logged-in user can link to their own WordPress account. Requires account linking and self-service linking.

[aoauth_link_account]

Disconnect SSO accounts

Shows connected SSO providers for the logged-in user and lets them disconnect a provider after confirmation.

[aoauth_unlink_account]

Straight answers before install.

Key details for site owners, developers, and teams planning a WordPress SSO rollout.

Is aOAUTH Client SSO free?
Yes. The plugin is GPLv2 or later and can be downloaded directly from the public GitHub repository.
Where can I download it?
Use the direct current-version download, or review the project at github.com/awhadi/aoauth-client-sso.
Which login providers are supported?
The plugin registers Google, Microsoft, Facebook, GitHub, GitLab, Okta, OneLogin, Auth0, Keycloak, Apple, LinkedIn, Generic OIDC, and Custom OAuth providers.
Can I connect a custom OAuth server?
Yes. The plugin includes a Custom OAuth provider class and endpoint discovery/manual endpoint fields for providers that follow OAuth 2.0 or OIDC standards.
Does it support OpenID Connect?
Yes. OIDC support includes ID token handling, nonce validation, issuer/audience checks, optional JWKS metadata, and silent auto-login checks for supported linked sessions.
Does it add buttons to wp-login.php?
Yes. When login buttons are enabled, configured providers are rendered on the WordPress login screen below or inside the login form, depending on the selected setting.
Which shortcodes are actually available?
The plugin registers [aoauth_link_account] for self-service provider linking and [aoauth_unlink_account] for disconnecting linked SSO providers.
Can it create WordPress users automatically?
Yes. Auto-create users is enabled by default, with a configurable default role. Administrators can disable automatic creation if only existing WordPress users should sign in.
How does account linking work?
If a provider email matches an existing WordPress account, the plugin can require password confirmation before linking. Self-service linking can also be enabled for logged-in users.
What happens after login?
The plugin validates requested redirects and can send users to role-based destinations such as the admin dashboard for administrators or configured front-end paths for other roles.
What security settings are included?
Settings include high or medium security level, login rate limits, public HTTPS OAuth endpoint validation, optional Turnstile or reCAPTCHA v3, and account-linking lockout controls.
Can administrators troubleshoot login issues?
Yes. The plugin includes authentication logs with filtering, CSV export, log retention cleanup, deep debug support, provider test callbacks, and maintenance tools for temporary OAuth data.
Can settings be backed up?
Yes. The Tools screen can export and restore settings and providers. Secrets can be excluded or included as password-encrypted backup values.

Bring free SSO to WordPress.

Install aOAUTH Client SSO from GitHub and give users a cleaner way to sign in.