Implementing Smart ID CMS plugin

Smart ID is a perfect fit for CMSes such as WordPress, Drupal and similar. A plugin can be installed with a few clicks, and support for secure identification methods is available immediately.

One such plugin is built for WordPress, and its source code is available at the WordPress Subversion repository at

A useful plugin needs 2 different functions. The first step is registering OAuth credentials and the second step is OAuth user identification.

Step 1.1 – OAuth 2.0 credentials registration

The first part of OAuth credentials registration is redirecting the CMS admin to with the following 4 URL GET parameters. On this page the CMS admin is identified and the domain is associated with this person. Later this person can continue to manage his account on

  • api_register=yes – Always this fixed value.
  • api_redirect_uri – Contains the OAuth redirect_uri value, where users will later be redirected from the OAuth authorization page. This URL must handle processing of the authorization code, getting user data, creating the user and logging the user in.
  • api_home_url – Landing page of the site that is starting to use the Smart ID service.
  • api_redirect_back – URL to redirect back to after the OAuth credentials are saved. This URL must request the OAuth client_id and secret as the next step, using the URL GET parameter data_key.

Full URL looks like

Step 1.2 – Retrieving client_id and secret

The second part of the OAuth 2.0 credentials process is getting and saving the OAuth client_id and secret. The URL where the request is sent is where the data_key value is received from the previous step. This call must be made immediately after the previous step, because the window for getting the credentials is open for only a few seconds for security reasons. The data_key is also single-use.

As a backup, the CMS admin can manually copy his OAuth credentials from the Smart ID admin site
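
Steps 1.1 and 1.2 as a plain-PHP sketch, added here as an example and not taken from the plugin's source. Assumptions: both service URLs are placeholders because the real addresses are not shown on this page, the `smartid_action` routes and the `nonce` parameter are hypothetical, and the service is assumed to keep existing query parameters on api_redirect_back when it appends data_key.

```php
<?php
// Added example, not the plugin's code. Both service URLs are placeholders (assumption).
const SMARTID_REGISTER_URL    = 'https://smartid.example/register';
const SMARTID_CREDENTIALS_URL = 'https://smartid.example/credentials';

/** Step 1.1: registration redirect carrying the four GET parameters. */
function smartid_registration_url(string $siteUrl, string $nonce): string
{
    $site = rtrim($siteUrl, '/');
    // Hypothetical CMS routes; the nonce binds the redirect-back to this admin session.
    $back = $site . '/?smartid_action=save_credentials&nonce=' . rawurlencode($nonce);
    return SMARTID_REGISTER_URL . '?' . http_build_query([
        'api_register'      => 'yes',
        'api_redirect_uri'  => $site . '/?smartid_action=oauth_callback',
        'api_home_url'      => $site . '/',
        'api_redirect_back' => $back,
    ], '', '&', PHP_QUERY_RFC3986);
}

/** Step 1.2: check the redirect-back, then build the one-time credentials request URL. */
function smartid_credentials_request_url(array $query, string $sessionNonce): ?string
{
    $nonce = $query['nonce'] ?? '';
    $key   = $query['data_key'] ?? '';
    if (!is_string($nonce) || !is_string($key)) {
        return null;                      // array-valued parameters are rejected
    }
    if ($sessionNonce === '' || !hash_equals($sessionNonce, $nonce)) {
        return null;                      // not started by this admin session
    }
    if ($key === '' || strlen($key) > 256) {
        return null;                      // length bound is an assumption
    }
    // Fetch this URL right away: the page states the window is a few seconds and
    // the data_key works once, so never retry with the same key.
    return SMARTID_CREDENTIALS_URL . '?' . http_build_query(['data_key' => $key]);
}

// Constructed walk-through (no network access).
$nonce = bin2hex(random_bytes(16));       // keep in the admin's session
$redirect = smartid_registration_url('https://cms.example', $nonce);
echo $redirect, "\n";

parse_str((string) parse_url($redirect, PHP_URL_QUERY), $sent);
parse_str((string) parse_url($sent['api_redirect_back'], PHP_URL_QUERY), $back);
$back['data_key'] = 'constructed-data-key';   // what the service would append
var_dump(smartid_credentials_request_url($back, $nonce));
$back['nonce'] = 'forged';
var_dump(smartid_credentials_request_url($back, $nonce));
```

The returned client_id and secret belong in the CMS config or database, and the data_key should be kept out of application logs.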

Step 2 – Identifying users 

Once the OAuth credentials are securely saved in the CMS config or database, users can be identified via the regular OAuth 2.0 protocol. In short, this consists of 3 steps.

  • Redirecting users to the Smart ID OAuth authorize page to get an authorization code
  • Exchanging the authorization code for an access_token using the OAuth secret
  • Getting user data via the API.

This process is described in more detail in There are many ready-made OAuth 2 libraries in every programming language that make implementing it a breeze. If no ready-made library is used, these few API calls are fairly easy to implement as a custom solution as well.