WPWEB Documentation

How EDD Social Login Works

“EDD Social Login” Documentation by “WPWeb”
Relevant Links
 
Purchase Changelog
  1. Documentation
  2. EDD Social Login
  3. How EDD Social Login Works

Overview

EDD Social Login takes a few steps during its login process to keep your customer accounts in sync with social accounts. It's helpful to know what steps it takes to link and create customer accounts to understand where certain issues can arise.

Here are the steps EDD Social Login takes to link or create customer accounts on your site:

  1. First, EDD Social Login will try to identify customer based on the social identifier. This is basically a check to see if this social account has been used on the site before.
    If a user has already linked this social account to their account on your site, this step will successfully log them in. This primary check lets your users unlink accounts, then re-link them to the existing WordPress user account to maintain their history on your site.
    For example, a customer could unlink a Facebook account from your site, then try to log in with that Facebook account at a later date. Instead of creating a new account, this will re-link Facebook to the existing account since they have been linked in the past. This does not work with Twitter or Instagram (see details below).

  2. If a user account is not found in step 1, this means that the social profile has not been used before, EDD Social Login will then try to search for the user via the email address provided by the social profile to see if the customer already has an account on your site.
    If the user is using the same email address for both the shop account and the social profile, this step with automatically link their social profile with their WordPress user account and successfully log the user in.
    Note that Twitter and Instagram are exceptions, as they do not provide an email address.
    Without an email address, EDD Social Login will not be able to successfully look up a preexisting account.
    Note that site accounts that use another role (aside from customer) will not work this way for security. See below.

  3. If a user is already logged into your site when they try to link an account, EDD Social Login will do a couple more checks:

    • If the user account found in the previous two steps does not match the logged-in user, the process will terminate with an error: "This {Provider} account is already linked to another user account."
    • If no user was found in the previous two steps, then the social profile will be linked to currently logged in customer's account for the future, as this means its a new social profile that no one else has used.

  4. Finally, if no user was found in the previous steps, a new customer account will be created.

Twitter and Instagram

You should be aware that Twitter and Instagram don't return an email address when the user logs in, so their WordPress account isn't tied to an email (just a username). While we can reasonably assume an email gives us a unique person, we can't make that assumption about a username, as the user can just enter whatever they want for a username on these networks.

This means that unlinking an account from Twitter or Instagram and then trying to log back in again will not link to the previous account. Instead, we create a new account for security to ensure we don't link two different people's accounts since we have no email address to work from.

Automatic Account Linking

If a customer has an account on your site, and "logs in" with a social account that uses the same email address, they will be linked automatically and the customer will sign into his / her site account.

Other user accounts, such as admin or shop manager accounts, will not allow automatic linking of a social network by email address if you're logged out. This is by design for security. Some of the newer networks we've added (or ones we may add in the future) may not validate email addresses before allowing a social sign in, so we need to protect your website from someone spoofing your account to gain access. Here's an example:

  1. Some sites send transactional / notification emails from the address used for an admin account
  2. Someone can create a social account using this email (they'll know it by receiving your site emails) with a network you allow login with, but do not have an account with that uses this email
  3. If we automatically allow linking, this person can then "log in" to your site, automatically linking with your site account that uses the same email

There's a very low risk of this happening, as you'd have to have a specific set of conditions for this to occur:

  • a site admin user's email would have to be used for sent site emails (or the admin user's email would need to be known to the person trying to spoof this)
  • this admin user's email would not have a social account with a network that (1) you allow login with, that (2) doesn't validate email addresses before allowing sign in (which is rare)
  • you'd still get the sign up notification email from the network and potentially be able to block this by invalidating the account before it's used on your site

Even though this is low risk, we can't allow automatic linking for accounts with this level of site permission, so this will never work for your own account as a site administrator (unless you choose to filter which roles allow automatic linking at your own risk). You must log in and then link new accounts (whether they use the same email or not) via "My Account" for any account that has site permissions greater than a customer.

With that said, remember your customers can automatically link by email address since they have low permissions with the "customer" role, and there's extremely low risk in allowing this behavior (we're trying to balance risk with convenience for your customers).

Copyright © , WPWeb.