Version: v2

Integrate with WordPress

This guide explains how to set up Beyond Identity as a passwordless authentication provider for a WordPress site.

In this guide, you'll:

  1. Configure Beyond Identity as an Identity Provider
  2. Install and configure the Beyond Identity Passwordless Plugin

Prerequisites

Before continuing, make sure that the following prerequisites have been met:

Set up Beyond Identity as an Identity Provider

To set up Beyond Identity as an Identity Provider, you need to create a Realm to hold identities and configuration. Inside that realm, you'll need to create an Application that contains the authentication flow configuration. You configure both in the Admin Console that was created for you when you signed up for a developer account.

Create a Realm

Creating a realm from the Beyond Identity Admin Console is easy.

  1. In the Admin Console, under Tenant Management, select Go to realm > Create new realm.


  2. Enter a name for your realm and click Create realm.

  3. In the confirmation dialog, switch to the new realm.


Create an Application

  1. From the Admin Console, under Authentication, select Apps > Add new app.


  2. Give your application a name.


  3. On the External Protocol tab, use the following values to complete this tab.

    Client Configuration

    Property: Value

    Protocol: OIDC

      Why OIDC? OAuth2 is primarily an authorization framework for resource access, while OIDC builds on OAuth2 to provide an identity layer for authentication, allowing client applications to obtain information about the authenticated user. Both protocols are often used together in modern applications to provide a comprehensive solution for secure authentication and authorization.

    Client Type: Confidential

      Why Confidential? A "confidential" client type is ideal when your application can securely store a client secret and requires enhanced security features for token exchange and accessing user-specific resources. If your application runs in an untrusted environment or you cannot securely manage a client secret, a "public" client type might be more appropriate.

    PKCE: Disabled

    Redirect URIs: Your redirect URI follows the pattern: https://${your-website-domain.com}/wp-admin/admin-ajax.php?action=openid-connect-authorize

    Token Endpoint Auth Method: Client Secret Post

    Grant Type: Authorization Code

      Why Authorization Code? The "authorization_code" grant type is suitable for confidential clients, especially when your application needs to access user-specific resources, requires Single Sign-On (SSO) support, and prioritizes security in the authentication process. It provides a secure and standardized way to obtain access to user data and resources without exposing user credentials to the client application.

    All other options: Use the default values for the remaining options

  4. Click the Authenticator Config tab and use the following values.

    Property: Value

    Configuration Type: Hosted Web

      Why Hosted Web? Hosted Web handles passkey registration and authentication for you, including generating new passkeys, presenting users with authenticator choice options as needed, and validating passkey assertions. With this model, your app simply needs to redirect to Beyond Identity's hosted web authenticator, and we do the rest.

    Authentication Profile: Use the recommended values for the remaining options

  5. Click Submit to save the new app.

At this point, your Beyond Identity Admin Console should be configured with a realm and an application. Hosted Web handles passkey registration and authentication for you, including generating new passkeys, presenting users with authenticator choice options as needed, and validating passkey assertions. You are now ready to configure the OpenID Connect WordPress plugin.

Configure the Beyond Identity Passwordless Plugin

Install the plugin

Note: You must have administrative privileges in WordPress.

The easiest way to install and activate the plugin is directly from your admin dashboard:

  1. Log into your WordPress admin console.
  2. Tap on the dashboard Plugins tab.
  3. Search for Beyond Identity Passwordless in the search field.
  4. Tap Install and then Activate on the plugin card.

You can also follow the installation steps specified in the Beyond Identity Passwordless Installation Guide.

Configure the plugin

After you've installed the plugin, you'll need to configure it.

  1. Tap on the dashboard Beyond Identity tab.

    WordPress Settings Field: Beyond Identity value

    Issuer URL: Copy and paste the Issuer URL value from your application's External Protocol tab.

    Client ID: Copy and paste the Client ID value from your application's External Protocol tab.

    Client Secret Key: Copy and paste the Client Secret value from your application's External Protocol tab.

  2. Click Save Changes.

Congratulations! You have configured the Beyond Identity Passwordless plugin.
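A pre-flight check for the values configured above, as an added example that is not part of the Beyond Identity guide or plugin: it validates the redirect URI pattern and compares OIDC discovery metadata against the Issuer URL and the Authorization Code / Client Secret Post settings. The function names, the placeholder issuer and the sample metadata are constructed, and the metadata is assumed to come from the issuer's /.well-known/openid-configuration path as OpenID Connect Discovery defines.

```python
from urllib.parse import parse_qs, urlsplit

# Settings chosen on the External Protocol tab: (required value, default when
# the metadata field is absent, per OpenID Connect Discovery).
REQUIRED = {
    "response_types_supported": ("code", []),
    "grant_types_supported": ("authorization_code", ["authorization_code", "implicit"]),
    "token_endpoint_auth_methods_supported": ("client_secret_post", ["client_secret_basic"]),
}
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def redirect_uri(domain):
    """Build the redirect URI from the pattern given in this guide."""
    return f"https://{domain}/wp-admin/admin-ajax.php?action=openid-connect-authorize"

def check_redirect_uri(uri):
    """Return the problems found in a redirect URI before it is registered."""
    u, problems = urlsplit(uri), []
    if u.scheme != "https":
        problems.append("redirect URI is not https")
    if u.path != "/wp-admin/admin-ajax.php":
        problems.append("unexpected path")
    if parse_qs(u.query) != {"action": ["openid-connect-authorize"]}:
        problems.append("unexpected query string")
    if u.fragment or "*" in uri:
        problems.append("fragment or wildcard present")
    return problems

def check_discovery(issuer_url, doc):
    """Compare discovery metadata with the Issuer URL pasted into WordPress."""
    problems = []
    # The issuer must equal the configured Issuer URL exactly, trailing slash included.
    if doc.get("issuer") != issuer_url:
        problems.append("issuer mismatch")
    for key in ENDPOINTS:
        if urlsplit(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} is missing or not https")
    for key, (needed, default) in REQUIRED.items():
        if needed not in doc.get(key, default):
            problems.append(f"{key} lacks {needed}")
    return problems

# Constructed sample metadata with a placeholder issuer (not a real tenant).
ISSUER = "https://idp.example.test/realms/PLACEHOLDER"
SAMPLE = {"issuer": ISSUER, "authorization_endpoint": ISSUER + "/authorize",
          "token_endpoint": ISSUER + "/token", "jwks_uri": ISSUER + "/jwks",
          "response_types_supported": ["code"],
          "grant_types_supported": ["authorization_code"],
          "token_endpoint_auth_methods_supported": ["client_secret_post"]}

if __name__ == "__main__":
    print(check_redirect_uri(redirect_uri("blog.example.test")), check_discovery(ISSUER, SAMPLE))
```

An empty list from both functions means the values agree with this guide's settings; each string in a non-empty list names one mismatch to fix before saving the plugin settings.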

Try it out

In this final step, you'll attempt to log in and verify successful authentication.

  1. Go to http://your_hostname/wp-login.php to test authentication.

  2. Click the Continue with Passwordless button. You'll be redirected to the Beyond Identity Hosted Web Authenticator.

  3. At the conclusion of a successful authentication, you'll be redirected to your WordPress admin console or to your site depending on your current role.

  4. From the Beyond Identity Admin Console, go to Events to view several successful authentication events.


Note: New users are added to your WordPress database with the default user role. Existing users' roles are unchanged. Both types of users will be associated with a Beyond Identity ID (a.k.a. "sub" claims from the )
