Peptide Critic SSO — Vendor Onboarding
Use this guide if your site is login-gated (visitors must register/sign in before browsing or buying) and you want PeptideCritic-referred users to land on your site already signed in, instead of bouncing off your login wall.
This is optional. Vendors that don't gate access don't need this. Existing affiliate-tracking links keep working unchanged — single sign-on is layered on top.
What you'll get
When a logged-in PeptideCritic user clicks an affiliate link to your site:
- They see a brief "Connecting you to your store…" screen on PeptideCritic.
- We share their email and username with your site over TLS, server-to-server.
- Your WordPress plugin matches them to an existing account by email, or creates one automatically.
- They land on your site, already logged in, with our affiliate ref attached.
The user only sees the consent screen once per vendor — every subsequent click is silent, instant SSO.
What you need
- WordPress site (WooCommerce sites work — no extra setup needed)
- Free plugin: OpenID Connect Generic by daggerhart, version 3.11.3 or newer — wordpress.org/plugins/daggerhart-openid-connect-generic
- WP permalinks set to Post name (or any non-Plain setting). Plain permalinks break the OAuth callback URL.
- HTTPS on your site (required by OAuth)
- About 5 minutes to install + paste credentials
No custom code on your end. Just one off-the-shelf plugin from the WordPress.org directory.
Setup steps
Install the plugin
In WP admin → Plugins → Add New, search "OpenID Connect Generic" by Jonathan Daggerhart and Tim Nolte. Install and activate. Verify the version is 3.11.3 or later; earlier releases had security issues that 3.11.3 fixes.
Configure the plugin
In WP admin → Settings → OpenID Connect Generic, paste these values:
| Field | Value |
|---|---|
| Login Type | Auto Login - SSO |
| Client ID | (we'll send) |
| Client Secret Key | (we'll send) |
| OpenID Scope | openid email profile offline_access |
| Login Endpoint URL | https://peptidecritic.com/oauth/authorize |
| Userinfo Endpoint URL | https://peptidecritic.com/oauth/userinfo |
| Token Validation Endpoint URL | https://peptidecritic.com/oauth/token |
| End Session Endpoint URL | (leave blank) — see Logout behavior |
| JWKS URI | (leave blank — see Security note) |
| Issuer | https://peptidecritic.com |
Then under Other Options:
| Field | Value |
|---|---|
| Identity Key | preferred_username |
| Nickname Key | preferred_username |
| Email Formatting | {email} |
| Display Name Formatting | {name} |
| Identify with User Name | OFF |
| Link Existing Users | ON |
| Create user if does not exist | ON |
| Redirect Back to Origin Page | OFF |
| Redirect to login screen when session expires | OFF |
| Redirect on Logout | OFF — keep PeptideCritic session alive when user logs out of your site |
| Enable Refresh Token | ON |
| Disable SSL Verify | NEVER ON |
| Allow Internal IDP | OFF |
| Enforce Privacy | OFF (unless you want the entire site gated) |
| Alternate Redirect URI | ON |
| HTTP Request Timeout | 15 seconds (default of 5 is too tight) |
Tell us you're ready to test
Email [email protected] with:
- Your site's domain (so we can verify the redirect URI matches)
- Confirmation the plugin is installed and configured
We'll enable SSO on our side and run an end-to-end test together — typically about five minutes.
Logout behavior
When a user clicks Log out on your site, only their session on your site ends — they remain signed in on PeptideCritic. PeptideCritic and your site are independent sessions that happen to share an identity provider, like "Sign in with Google" on two unrelated apps.
If you want logout on your site to also end the PeptideCritic session (unusual), set the End Session Endpoint URL to https://peptidecritic.com/oauth/logout and Redirect on Logout to ON. Most vendors leave both off.
WooCommerce sites
WooCommerce works without any additional setup. The OIDC sign-in sets the standard WordPress auth cookies, which WooCommerce reads natively. Users see their cart, account page, checkout flow, and order history just as they would after any normal WP login. The "My Account" gate at /my-account/ works correctly: a logged-out user hitting it gets sent through /wp-login.php, which auto-redirects to PeptideCritic, which sends them back signed in.
Your existing age & research-use gates still work
OIDC sign-in does not bypass any gate you currently have on your site. If you require visitors to confirm "I'm 21+" or "for research use only" before checkout or browsing, that gate still fires. It just fires after the user is signed in instead of at the login wall.
What gets shared
For every affiliate-link sign-in, the user agrees to share with you:
- Their email address
- Their PeptideCritic username
- A stable subject identifier (used for linking accounts on your side)
We don't share their address, billing details, IP address, or browsing history. The user is shown an explicit consent screen the first time they click a link to your site, naming the data being shared and pointing to your terms/privacy.
Security note: why JWKS URI is left blank
Our IdP signs id_tokens with RS256, but the daggerhart plugin's signature-verification path requires a kid (key ID) in the JWKS that matches the id_token header, and the JWKS our IdP library emits today does not provide a matching one. With JWKS URI left blank, the plugin identifies users via the userinfo endpoint instead: your server makes a TLS-protected request to /oauth/userinfo with the access token, and we return JSON identifying the user.
This is a standard OIDC pattern (sometimes called "introspection mode"). The identity your site trusts comes only from a request your own server makes: the access token is obtained at the token endpoint with your client_secret, the state parameter ties the callback to the browser session that started the flow, and TLS protects both legs, so a forged token presented to your site is never accepted. Once upstream adds kid support to the JWKS response, we'll let you know so you can paste in the JWKS URI and re-enable JWT verification.
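The flow described above, modelled end to end as an added example (this is not code from the guide or from the daggerhart plugin). The IdP is an in-process stand-in so the script runs offline; the vendor host vendor.example, the client credentials, the user record and the callback path are constructed for the demo, and the id_token is a placeholder because, with JWKS URI blank, the plugin does not verify it and identity comes from the userinfo call instead. The relying party raises the same "Invalid state" and "User claim incomplete" failures the Troubleshooting section lists.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://peptidecritic.com"                          # issuer value from the guide
# Callback path the plugin uses with "Alternate Redirect URI" ON; the vendor host is a placeholder.
REDIRECT_URI = "https://vendor.example/openid-connect-authorize"
SCOPE = "openid email profile offline_access"                # scope string from the guide


class StandInIdP:
    """Constructed in-process stand-in for the PeptideCritic IdP (authorize, token, userinfo)."""

    def __init__(self) -> None:
        self.clients = {"client-demo": "secret-demo"}        # constructed client credentials
        self.codes: dict = {}                                 # code -> (client_id, redirect_uri, sub)
        self.access_tokens: dict = {}                         # access token -> sub
        self.users = {"u-123": {"sub": "u-123", "email": "alice@example.net",
                                "preferred_username": "alice", "name": "Alice Example"}}

    def authorize(self, query: dict, logged_in_sub: str) -> str:
        """Browser leg: the signed-in user consents; redirect back with a one-time code and the caller's state."""
        assert query["response_type"] == "code"
        code = secrets.token_urlsafe(16)
        self.codes[code] = (query["client_id"], query["redirect_uri"], logged_in_sub)
        return query["redirect_uri"] + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, form: dict) -> dict:
        """Server-to-server leg: only a caller holding the client_secret can turn a code into tokens."""
        client_id = form.get("client_id", "")
        if client_id not in self.clients or not hmac.compare_digest(
                self.clients[client_id], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        entry = self.codes.pop(form.get("code", ""), None)   # codes are single-use
        if entry is None or entry[0] != client_id or entry[1] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(24)
        self.access_tokens[access_token] = entry[2]
        # Placeholder id_token: with JWKS URI blank the plugin does not verify it, so nothing depends on it.
        return {"access_token": access_token, "token_type": "Bearer", "id_token": "unverified.jwt.placeholder"}

    def userinfo(self, bearer: str) -> Optional[dict]:
        sub = self.access_tokens.get(bearer)
        return dict(self.users[sub]) if sub else None


class RelyingParty:
    """Model of the vendor site's side of the flow (what the plugin does for you)."""

    def __init__(self, idp: StandInIdP, client_id: str, client_secret: str) -> None:
        self.idp, self.client_id, self.client_secret = idp, client_id, client_secret
        self.sessions: dict = {}                              # browser session id -> {"state": ..., "user": ...}

    def start_login(self, session_id: str) -> str:
        """Mint a per-session state and build the authorize URL the browser is sent to."""
        state = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"state": state}
        return f"{ISSUER}/oauth/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "redirect_uri": REDIRECT_URI,
            "scope": SCOPE, "state": state})

    def callback(self, session_id: str, callback_url: str) -> dict:
        """Handle the redirect back: check state, exchange the code, then identify the user via userinfo."""
        params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        session = self.sessions.get(session_id)
        # state is consumed on first use, so a replayed or guessed callback fails here, before any token call
        if not session or not hmac.compare_digest(session.pop("state", ""), params.get("state", "")):
            raise PermissionError("Invalid state")
        tokens = self.idp.token({"grant_type": "authorization_code", "code": params.get("code", ""),
                                 "redirect_uri": REDIRECT_URI, "client_id": self.client_id,
                                 "client_secret": self.client_secret})
        if "error" in tokens:
            raise PermissionError(tokens["error"])
        # JWKS URI is blank: identity comes from our own TLS request to /oauth/userinfo, not from the id_token.
        claims = self.idp.userinfo(tokens["access_token"])
        if not claims or not all(claims.get(k) for k in ("sub", "email", "preferred_username")):
            raise ValueError("User claim incomplete")
        session["user"] = claims
        return claims


def run_demo() -> dict:
    idp = StandInIdP()
    rp = RelyingParty(idp, "client-demo", "secret-demo")
    # 1. Legitimate flow: session A starts login, user u-123 consents at the IdP, the callback signs them in.
    auth_url = rp.start_login("sess-A")
    auth_query = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    callback_url = idp.authorize(auth_query, logged_in_sub="u-123")
    user = rp.callback("sess-A", callback_url)
    # 2. The same callback replayed into another session with a guessed state is refused.
    rp.start_login("sess-B")
    forged_url = callback_url.replace(auth_query["state"], "guessed-state")
    try:
        rp.callback("sess-B", forged_url)
        state_rejected = False
    except PermissionError:
        state_rejected = True
    # 3. Without the client_secret the token endpoint issues nothing, so a code alone is useless.
    bad_secret = idp.token({"grant_type": "authorization_code", "code": "any", "redirect_uri": REDIRECT_URI,
                            "client_id": "client-demo", "client_secret": "wrong"})
    return {"user": user, "state_rejected": state_rejected, "bad_secret": bad_secret["error"]}


if __name__ == "__main__":
    print(run_demo())
```

The point of the model is the trust boundary: the browser only ever carries a code and a state, both of which are useless without the client_secret held on your server, and the account that gets logged in is whatever /oauth/userinfo returns for the access token your server fetched itself.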
Troubleshooting
"Invalid state" error after sign-in
Login Type is set to "OpenID Connect button on login form" instead of "Auto Login - SSO". Switch it to Auto Login.
"User claim incomplete" error
Confirm the OpenID Scope field reads exactly openid email profile offline_access. If it does and the error persists, email us — this can also indicate a server-side claim mapping issue we'll need to fix on our end.
"cURL error 28: Resolving timed out"
Your site's HTTP request to peptidecritic.com/oauth/token timed out. Increase HTTP Request Timeout in plugin settings to 15 seconds. If it persists, your host's outbound DNS may need investigation.
Sign-in succeeds but user lands at /wp-admin
That's the plugin's default for sign-ins triggered from the login form. For SSO from PeptideCritic, users land on your site's home page, not wp-admin. If your home page redirects logged-in users to a specific area, that redirect takes precedence, which is fine.
Sign-in succeeds but user lands at the wrong page
We pass the originally clicked deep-link path as the post-login redirect target. The daggerhart plugin honors it via WordPress's standard wp_validate_redirect(), which only allows targets on your own host (this defends against open-redirect attacks). If you've installed a redirect plugin or theme code that overrides login_redirect, that may take precedence.
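The on-host rule described above, written out as an added example so you can see which redirect targets pass and which fall back. This is not WordPress's wp_validate_redirect() and not the plugin's code; it reimplements the same idea in Python, with vendor.example as a placeholder for your host and a constructed list of sample targets. It also rejects backslashes and embedded credentials, two tricks that make a browser and a URL parser disagree about the host.

```python
from urllib.parse import urlsplit

SITE_HOST = "vendor.example"   # placeholder for your site's hostname (assumed)
FALLBACK = "/"                 # where a rejected target lands


def validate_redirect(target: str, site_host: str = SITE_HOST, fallback: str = FALLBACK) -> str:
    """Return `target` if it stays on `site_host`, otherwise `fallback`.

    Same-host rule in the spirit of wp_validate_redirect(); not WordPress's own code.
    """
    t = target.strip()
    if not t:
        return fallback
    # Backslashes, whitespace and control characters let browsers and parsers disagree on the host.
    if "\\" in t or any(ch.isspace() or ord(ch) < 0x20 for ch in t):
        return fallback
    # "//host/..." is protocol-relative; give it a scheme so the host is actually parsed and checked.
    if t.startswith("//"):
        t = "https:" + t
    parts = urlsplit(t)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback                      # javascript:, data:, mailto: and friends
    if parts.username is not None or parts.password is not None:
        return fallback                      # "https://vendor.example@evil.example/" style confusion
    if parts.netloc:
        if (parts.hostname or "").lower() != site_host.lower():
            return fallback                  # absolute URL pointing off-host
        return t
    # Host-less target: force it to be a path on this site.
    return t if t.startswith("/") else "/" + t


# Constructed sample targets: what a deep link, a benign relative path and several off-host attempts look like.
SAMPLE_TARGETS = [
    "/my-account/",
    "https://vendor.example/product/bpc-157?ref=peptidecritic",
    "product/bpc-157",
    "https://evil.example/",
    "//evil.example/",
    "/\\evil.example",
    "javascript:alert(1)",
    "https://vendor.example.evil.example/",
    "https://vendor.example@evil.example/",
]


def check_targets(targets=SAMPLE_TARGETS) -> dict:
    """Map each target to where the user would actually be sent."""
    return {t: validate_redirect(t) for t in targets}


if __name__ == "__main__":
    for target, result in check_targets().items():
        print(f"{target!r:50} -> {result!r}")
```

Run it and the first three targets survive (the relative one gains a leading slash); every other entry collapses to "/". If you do override login_redirect, this is the property your replacement needs to keep.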
Contact
Integration & security questions: [email protected]