Description
XLogin enhances the WordPress login page (usually wp-login.php) to
allow users to authenticate with the following external services:
- Facebook Login
- Google Sign-In
- Yahoo! OAuth
These services can be enabled or disabled individually. XLogin adds a
button to the WordPress login page for each enabled service. Clicking
the button sends the browser to the corresponding external service
where the user can authorize the WordPress site to access their
information. Having been granted access to, for example, the Facebook
public profile of a user, XLogin retrieves their email address to
find a matching WordPress user to complete the login process.
XLogin also maintains a list of external aliases. They are additional
email addresses for mapping to WordPress users. Some scenarios where
external aliases can be handy include:
- A user’s email address in his WordPress profile is not used in any
  of the external services. For example, a corporate WordPress site
  may mandate the use of company email addresses in user
  profiles. If a user has, for example, his Gmail address in the
  external alias list, he can nevertheless still sign in with Google.
- A WordPress user account is shared by a group of actual
  users. With XLogin it is not necessary to have the users share a
  single password. Instead just register their email addresses (as
  known by the external services) as external aliases; it becomes a
  simple matter to add and remove users.
XLogin has the option to restrict an external service to only users with
external aliases. This allows tight control over who can use external
services to log in.
A user’s profile in WordPress and in the external service may be
different. Email address is one, and display name (or its component
family and given names) is another. XLogin offers the option to import
the external profile information into the current session. The imported
display name will be tagged with the external service name. For
example, if a user has display name ‘John Doe’ in WordPress, but is
known as ‘Johnny D’ in his Facebook account, then he would be
displayed as ‘Johnny D (Facebook)’ (instead of ‘John Doe’) in his
WordPress session when he logs in with Facebook.
Finally XLogin has the notion of ‘guest’ user. When an email address
provided by an external service does not correspond to a specific
WordPress user, XLogin will proceed with a guest WordPress user
configured for the service. There are plugins that control access to
content based on user roles; a site can combine such with XLogin to
control what is visible to guests. Note that guest WordPress users
should have minimal privileges. XLogin has safeguards to ensure, for
example, that a guest cannot edit posts. It also filters out a guest’s
permission to access the dashboard or to update their own profile.
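The mapping rules described above (external aliases, the ‘restricted’ option, the guest fallback) and the alias CSV format from the installation notes, modelled as an added example that is not XLogin's own code. The lookup order, case-insensitive matching, the rejection of guests under ‘restricted’, and all function names and sample data are assumptions.

```php
<?php
// Added illustration, not XLogin's code. Lookup order, case-insensitive
// matching and guest handling under 'restricted' are assumptions.
// All addresses and user names below are constructed sample data.

/** Parse alias CSV lines ("email,username") into an email => username map. */
function parse_aliases(string $csv): array {
    $map = [];
    foreach (preg_split('/\R/', trim($csv)) as $line) {
        $row = array_map('trim', explode(',', $line));
        if (count($row) !== 2 || $row[1] === ''
            || !filter_var($row[0], FILTER_VALIDATE_EMAIL)) {
            continue; // skip malformed rows rather than guessing a mapping
        }
        $map[strtolower($row[0])] = $row[1];
    }
    return $map;
}

/**
 * Decide which WordPress user an externally supplied email maps to.
 * Returns [username, reason]; username is null when the login is refused.
 */
function resolve_login(string $email, array $aliases, array $profiles,
                       bool $restricted, ?string $guest): array {
    $email = strtolower(trim($email));
    if (isset($aliases[$email])) {
        return [$aliases[$email], 'external alias'];
    }
    if ($restricted) {
        // Assumption: a restricted service admits alias holders only.
        return [null, 'restricted: alias required'];
    }
    if (isset($profiles[$email])) {
        return [$profiles[$email], 'profile email'];
    }
    return $guest !== null ? [$guest, 'guest fallback'] : [null, 'not recognized'];
}

$aliases  = parse_aliases("jdoe@gmail.example,jdoe\nnot-an-email,admin\nann@mail.example,team");
$profiles = ['jdoe@corp.example' => 'jdoe']; // WordPress profile emails

foreach ([true, false] as $restricted) {
    foreach (['JDoe@gmail.example', 'jdoe@corp.example', 'stranger@mail.example'] as $email) {
        [$user, $why] = resolve_login($email, $aliases, $profiles, $restricted, 'xlogin-guest');
        printf("%-10s %-22s -> %-12s (%s)\n",
            $restricted ? 'restricted' : 'open', $email, $user ?? 'REJECT', $why);
    }
}
```

The output makes the review points visible: which addresses reach a named account, which fall through to the guest user, and what the ‘restricted’ switch cuts off.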
Installation
- Upload the plugin files to the ‘…/wp-content/plugins/xlogin’
  directory, or install the plugin through the ‘Plugins’ screen in
  WordPress.
- Activate the plugin.
- Configure external services for login on the Settings->XLogin page.
  - Enter configuration data for the external service. For an
    OAuth2 based service, that means client ID and client
    secret. Note that the redirect URI for OAuth2 is displayed here.
  - Set per-service options:
    - Restrict to users with external aliases.
    - Import profile information (email address and name) from
      external service into session.
  - Enable external services.
- Maintain external aliases on the Settings->XLogin page.
  - Aliases may be added/updated/deleted one at a time.
  - Filters may be applied to the list of aliases displayed.
  - Multiple aliases may be uploaded in a CSV file. Each line in the
    file contains an email address and a WordPress user name,
    separated by a comma.
If WordPress permalinks are ‘plain’, one may need to configure the
web server to route callbacks from the external service to the WordPress
index.php script. For Apache that would mean rewrite rules in
.htaccess like these:
RewriteEngine On
RewriteRule wp-content/plugins/xlogin/callback/ index.php [L]
FAQ
Does this work with WordPress version X?
This plugin was originally developed with WordPress 5.3. It has been
tested to varying extents up to 5.7.

Does this work with PHP 5.x?
No. This plugin uses various PHP 7.x features. Backporting to PHP 5.x
should not be difficult, however.

How do I obtain client ID and secret to configure an OAuth2 based external service (e.g. Facebook)?
Here are some pointers:
- Google. A project must first be set up. OAuth2 clients are
  managed on the API credentials page. Use an existing or
  create a new OAuth client, of ‘web application’ type.
- Facebook. An ‘app’ must first be set up. Use the ‘App ID’ and
  ‘App Secret’ from its basic settings page for client ID and
  secret respectively. Add Facebook Login to the product list of the
  app, and configure the redirect URI there.
- Yahoo. A Yahoo app corresponds to an OAuth2 client. Make sure
  your app has email and profile permissions for OpenID Connect.

A user tries to log in with Google, but gets sent back to the WordPress login page with a “Google user not recognized” error. What does this mean?
XLogin uses the email address provided by Google (or whatever external
service) to map to a WordPress user. Check the following:
- Is the email address registered as an external alias in XLogin?
- Does the email address belong to a WordPress user profile? If so,
  make sure the external service is not configured as ‘restricted’.

Generally XLogin may not know anything about the user until the end of
authentication/authorization with the external service, so it would be
a challenge.

How does XLogin override the email and display name of a user?
This is rather technical, but is important for ongoing maintenance of
the plugin. This answer is intended for PHP developers working with
WordPress.
WordPress keeps track of the user of the current request in various PHP
global variables. XLogin installs a callback for the set_current_user
action to inject profile information from external service into them.
The action name and the global data structures may be specific to
WordPress versions; the file init.php and the PHP method
XLogin::importXUser() are expected to be modified to support more
WordPress versions.

Can XLogin be used for new user registration?
This is not supported currently.

Can XLogin support other external services?
XLogin uses the OAuth 2 Client from The League of
Extraordinary Packages. It should be straightforward to add an
additional OAuth2 based login service as long as a compatible
provider is available. See the list of providers.
Contributors & Developers
“XLogin” is open source software. The following people have contributed to this plugin.
Changelog
1.1.2
- Facebook Graph API version may be specified in customization settings.
- Admin page built with Vue.js components that are bundled by webpack.js.
- Miscellaneous bug fixes.
1.1.1
- Miscellaneous bug fixes.
1.1
- Custom message to display with external login buttons.
- Guest user for unmatched email address.
1.0
- First version published.