How to implement a distributed OAuth 2.0 system

Some months ago (more than a year, actually), I was playing with the WordPress REST API. As an attempt to collaborate with the community, I did an analysis of how to implement a distributed OAuth 2.0 system. I wrote it as a comment on a discussion post, but I am replicating it here so that it is kept together with my other ideas and work.

  • is the site of the app
  • is the WP site of the developer, in which I defined the app as multi-tenant
  • is the WP site of the user who wants to authorize the app to interact with it

01- The user goes to and says “Hey, I want to use this cool app”
02- asks for its server and the user writes
03- asks to identify the user
04- the user writes his credentials in
05- redirects to with a code saying “Yeah, this is my user”
06- then asks and says “Hey, I have a user with a code who wants to access the resource, and I am (this is my client_id and this is my client_secret)”
07- generates a token
08- says to “Hey, I just generated this token, and it expires in 3600 seconds”
09- says “I would prefer not to work, but you know, it’s ok”
10- sends the response to with the token
11- then, using the token, can ask to do some stuff

If you look at this diagram

Abstract Protocol Flow

Client =
Resource Owner =
Authorization Server =
Resource Server =

The RFC says:

“The interaction between the authorization server and resource server
is beyond the scope of this specification. The authorization server
may be the same server as the resource server or a separate entity.
A single authorization server may issue access tokens accepted by
multiple resource servers.”

but an exchange like the one in steps 8 and 9 would resolve it: the authorization server tells the resource server which token it has just issued and for how long, so the resource server can later recognise that token when the client presents it.
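The eleven steps above, and in particular the token announcement in steps 8 and 9, as an added, in-process simulation that is not part of the original post or of WordPress: three constructed parties (a client app, an authorization server standing in for the developer's site, and a resource server standing in for the user's site) run the authorization-code exchange, the authorization server registers each minted token with the resource server, and the resource server refuses unknown, replayed or expired credentials. All hostnames, client ids, secrets and passwords are made up for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class ResourceServer:
    """The user's site (constructed): holds the protected resource and only
    honours access tokens the authorization server has announced to it."""
    name: str
    users: dict                                   # username -> password (demo only)
    logins: dict = field(default_factory=dict)    # one-time login assertions
    tokens: dict = field(default_factory=dict)    # access_token -> record

    def login(self, username, password):
        # steps 3-5: the user types credentials here; on success we hand back a
        # short-lived assertion that the authorization server can verify with us
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return None
        assertion = secrets.token_urlsafe(16)
        self.logins[assertion] = (username, time.time() + 300)
        return assertion

    def verify_login(self, assertion):
        user, exp = self.logins.pop(assertion, (None, 0))   # single use
        return user if exp > time.time() else None

    def register_token(self, token, username, scope, ttl):
        # steps 8-9: the authorization server announces a fresh token and its lifetime
        self.tokens[token] = {"user": username, "scope": scope, "exp": time.time() + ttl}
        return "ok"

    def get_posts(self, token):
        # step 11: the client presents the token; unknown, expired or
        # under-scoped tokens are refused
        rec = self.tokens.get(token)
        if rec is None or rec["exp"] <= time.time() or "read" not in rec["scope"]:
            return None
        return [f"post of {rec['user']} on {self.name}"]


@dataclass
class AuthorizationServer:
    """The developer's site (constructed) where the app is registered as multi-tenant."""
    name: str
    clients: dict                                 # client_id -> (secret, redirect_uri)
    codes: dict = field(default_factory=dict)     # outstanding authorization codes

    def authorize(self, client_id, redirect_uri, rs, login_assertion):
        # step 5: the resource server redirected back with an assertion about the
        # user; check the client registration and the assertion, then issue a code
        reg = self.clients.get(client_id)
        if reg is None or reg[1] != redirect_uri:
            return None
        user = rs.verify_login(login_assertion)
        if user is None:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "user": user, "rs": rs,
                            "exp": time.time() + 600}
        return code

    def token(self, client_id, client_secret, code):
        # steps 6-8 and 10: authenticate the client, consume the code once,
        # mint the token and announce it to the resource server
        reg = self.clients.get(client_id)
        if reg is None or not hmac.compare_digest(reg[0], client_secret):
            return None
        rec = self.codes.pop(code, None)
        if rec is None or rec["client_id"] != client_id or rec["exp"] <= time.time():
            return None
        access_token = secrets.token_urlsafe(32)
        rec["rs"].register_token(access_token, rec["user"], ("read",), 3600)
        return {"access_token": access_token, "token_type": "bearer", "expires_in": 3600}


def run_flow():
    """Drive the eleven steps with constructed parties and return what the
    client ends up with at each stage, including the refused attempts."""
    rs = ResourceServer("user-site.example", users={"alice": "correct horse"})
    auth = AuthorizationServer("dev-site.example",
                               clients={"coolapp": ("s3cret", "https://app.example/cb")})
    assertion = rs.login("alice", "correct horse")                            # steps 1-4
    code = auth.authorize("coolapp", "https://app.example/cb", rs, assertion)  # step 5
    bad = auth.token("coolapp", "wrong", code)                                 # wrong client_secret
    resp = auth.token("coolapp", "s3cret", code)                               # steps 6-10
    replay = auth.token("coolapp", "s3cret", code)                             # code is single use
    posts = rs.get_posts(resp["access_token"]) if resp else None               # step 11
    return {"bad_secret": bad, "resp": resp, "replay": replay, "posts": posts,
            "forged": rs.get_posts("not-a-token")}


if __name__ == "__main__":
    print(run_flow())
```

The point of the design is that the resource server never has to parse or trust the token itself: it only serves requests carrying a token that the authorization server registered with it, together with the expiry from step 8, which is what makes the separate authorization and resource servers of the RFC's abstract flow workable across two WordPress sites.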

Author: Javi López

Architect/developer, creative, seeker of new solutions and business models, constructive critic and formerly many other things
