WordPress Social Login bypasses Clef (kind of) #129

Open
landakram opened this issue May 1, 2014 · 10 comments
@landakram (Member)

WordPress Social Login lets you log into the dashboard even if passwords are disabled globally. However, when you actually try to perform an action on the dashboard, you're booted back to the login screen. Not sure if this is a bug with WordPress Social Login or an interaction with Clef.

landakram added the bug label May 1, 2014

@isarmstrong

The goal here is to force authors and up to use Clef, but allow regular users and guest contributors to simply pass through OAuth2. Clef is almost perfect for this. It allows me to leave social login open for standard interaction, but not risk someone accessing the WP admin because an author or editor left Facebook logged in on a different tab.

To clarify, Clef does block the administrative user from logging in so the goal is achieved. The social authentication verifies the address, passes the user through to the home page, and displays the administrative toolbar. Once the apparently logged in admin clicks another link, Clef goes "Nope, no active session" and bounces them silently back to the login screen.

Effective, but really confusing from a UX point of view.

I would suggest that the right way to handle this is to error trap the login and display the Clef login modal, perhaps with a bit of explanation that "extra security has been added to this account", so we're able to inform the user without confirming that they've hit a high-value account.

@jessepollak (Member)

Do we need to make a language switch in our plugin settings if we actually do a full disable here? Right now it just says "Disable passwords," but this would be more like "disable all non-clef logins."

@isarmstrong

That's probably a good idea, but it's not really what I'm after. If you want to do a screen share I can show you the behavior.

Basically, Clef is doing the right thing, but it's causing a silent fail if a Clef-enabled account tries to click the social login button (intended for fast authentication on regular accounts).

[attached screenshot: nv-example]

@jessepollak (Member)

Oh yeah, that's for sure a bug — I just wanted to raise that as an issue as well :)

@isarmstrong

Oh ok, I see you're extending the topic :)

@jessepollak (Member)

I'm not able to replicate this behavior. I have WordPress Social Login installed, passwords Disabled for Editors and up, and an admin account that uses Facebook.

When I log in with Facebook, I'm logged in and never booted.

Is this the correct setup?

@isarmstrong

Technically, I logged in through Google because my FB account was tied to a different email.

I can get you on to have a look at the site later if you like. I need to get to a lunch in a few minutes though.

It seems to me that social login bypassing Clef is also a problem, if Clef is supposed to be enforcing itself on all administrative accounts. I'm thinking it would be a pretty straightforward conditional check in WordPress to see if the account is supposed to be requesting a Clef token. I haven't ever dug into the WP Login stuff in any detail, but this seems more role-based as far as the check goes.

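An added example of the role-based check proposed in the comment above. It is written for this thread and is not code from the Clef plugin or from WordPress Social Login. Two things are assumed for illustration only: that Clef's own login path fires a hypothetical `example_clef_before_login` action before it creates the session, and that the plugin's "Editors and up" setting maps to the `edit_others_posts` capability. Every `example_` name is invented; the WordPress hooks and functions (`wp_login`, `login_message`, `user_can`, `wp_clear_auth_cookie`, `wp_safe_redirect`) are real core APIs.

```php
<?php
/**
 * Added example, not Clef's or WordPress Social Login's code.
 *
 * Enforces "Clef only" for privileged accounts no matter which plugin
 * performed the login, and turns the silent bounce into an explicit,
 * non-revealing message on wp-login.php.
 *
 * Assumptions (hypothetical):
 *  - Clef's login handler fires 'example_clef_before_login' before the
 *    auth cookie is set (the real plugin's mechanism is not shown here);
 *  - "Disable passwords for Editors and up" maps to the capability below.
 */

define( 'EXAMPLE_CLEF_REQUIRED_CAP', 'edit_others_posts' ); // Editor and up

$GLOBALS['example_clef_login'] = false;

// Hypothetical hook the Clef login path would fire just before wp_set_auth_cookie().
add_action( 'example_clef_before_login', function () {
    $GLOBALS['example_clef_login'] = true;
} );

/**
 * Capability-based rather than role-name-based, so custom roles that were
 * granted editor-level rights are covered as well.
 */
function example_user_requires_clef( WP_User $user ) {
    return user_can( $user, EXAMPLE_CLEF_REQUIRED_CAP );
}

/**
 * 'wp_login' fires after any successful login that goes through core's
 * wp_signon() or a plugin that calls the action itself (assumed here for
 * WordPress Social Login). If a Clef-required account arrived by another
 * path, tear the session down now instead of letting the next request bounce.
 */
add_action( 'wp_login', function ( $user_login, WP_User $user ) {
    if ( ! empty( $GLOBALS['example_clef_login'] ) ) {
        return; // authenticated through Clef: allowed
    }
    if ( ! example_user_requires_clef( $user ) ) {
        return; // regular user / guest contributor: social login is fine
    }

    // Undo the session that was just created.
    wp_clear_auth_cookie();
    wp_set_current_user( 0 );

    // Generic reason code; it must not confirm that a high-value account exists.
    $url = add_query_arg( 'example_reason', 'extra_security', wp_login_url() );
    wp_safe_redirect( $url );
    exit;
}, 10, 2 );

/**
 * Explain the bounce on the login screen. The reason code is a plain query
 * parameter anyone can append, so the message carries no information about
 * which accounts are protected.
 */
add_filter( 'login_message', function ( $message ) {
    if ( isset( $_GET['example_reason'] ) && 'extra_security' === $_GET['example_reason'] ) {
        $message .= '<p class="message">Extra security has been added to this account. '
                  . 'Please sign in with Clef.</p>';
    }
    return $message;
} );
```

One gap to keep in mind: a plugin that sets the auth cookie directly and never fires `wp_login` would not be caught by this hook, so a per-request check on `init` (which is effectively what Clef's existing bounce does) still belongs as the backstop; the hook above only makes the failure visible and immediate instead of silent.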

@jessepollak (Member)

Yeah, that's why I was getting at the wording earlier. Technically, with our current language, enabling that setting only blocks passwords, so the "correct" functionality would be to actually let users log in with social logins.

@isarmstrong

Hmm. Whereas I'm looking for an override. Admins + social login = recipe for trouble.

@jessepollak (Member)

Getting access to that site would be really useful.
