v1.0.0 (initial)
First public release. SSOPress is live on WordPress.org with a complete OAuth 2.0 / OIDC flow, user provisioning, encrypted credential storage, and rate-limited endpoints.
Features
- OAuth 2.0 authorization code flow with PKCE-style state validation
- OpenID Connect userinfo support with standard and custom claim mapping
- Automatic WordPress user creation and profile sync on each login
- Dot-notation attribute mapping for nested claim structures
- Custom login button on wp-login.php with optional hiding of the standard form
- Admin backdoor via ?oauthlogin=false to recover access if OAuth is misconfigured
Security
- Client secret encryption at rest via libsodium with OpenSSL fallback
- 64-character hex state tokens with format validation on callback
- Per-IP rate limiting on OAuth init and callback endpoints (default 20 req/min)
- Safe redirect validation on the redirect_to parameter
- WordPress nonce protection on all admin forms
Audit logs
- Seven event types tracked: attempt, success, failure, token exchange, userinfo fetch, user created, user updated
- Per-event IP address, user agent, error code, error message, and structured metadata
- Configurable retention with automatic daily pruning via WP-Cron
- Searchable admin UI (Pro)
Pro features
- Role mapping from OAuth claim values to WordPress roles
- Custom attribute mapping beyond standard OIDC claims
- Full searchable audit log UI with filtering
- Email support