We’re excited to share WooCommerce Social Login version 2.0 with you this week. This release doesn’t contain tons of new features, but it does have very significant changes to the plugin structure.
Migrating to HybridAuth
The biggest change in version 2.0 is that we’ve migrated to a new authentication library. This changes the way the plugin communicates with social networks to authenticate your customers and retrieve profile information.
While you won’t see any changes at first in the way the plugin works, please note that we recommend making some necessary changes to your social apps for future versions. While the upgrade is 100% backwards compatible, you’ll need to change the callback URLs in some of your social applications for consistency with the new library.
You’ll see a new setting added to reflect this, which is automatically set to “legacy” when you update to version 2.0, and should not be changed until you’ve completed our upgrade guide.
So why the change if you’ll have to update your social apps sometime soon? Due to the nature of managing user accounts, security is a huge concern with Social Login. While we routinely perform security audits for our plugins (with a particular focus on Social Login), when you use any code library, it’s best to use one that’s actively maintained and updated: more eyes watching the code tends to mean more security holes patched.
The library we were using in the plugin (Opauth) isn’t actively maintained any longer, so we wanted to be proactive in switching to a more modern library that’s actively updated and improved.
This also gave us the chance to contribute back to the new library, HybridAuth! We’re proud to have added Amazon as a HybridAuth provider so other developers can leverage Amazon Login within their projects.
While the authentication library replacement is the main update in this release, we’ve also added some other improvements to Social Login, several of which will improve your customers’ experiences.
Updated Login Buttons
The design of our social login buttons was becoming outdated, and some of the logos were also no longer abiding by brand guidelines for providers like Instagram. We’ve refreshed the design of all login buttons and ensured that they each follow branding guidelines from the available providers.
Widgets have also become more useful for your customers, and will now show buttons to link an account if a user is already logged in.
When a user is logged out of your site or is a guest visitor, they’ll see the same thing they’ve always seen with widgets: the buttons to log in with a social account.
However, once the user was logged in, these buttons used to disappear while the widget itself stayed visible, which could make for a weird addition to your sidebar. Now when a user is logged in, the buttons change to allow account linking instead.
Improved Twitter / Instagram Login
While customers can disallow sharing email addresses with some networks (like Facebook or VK), other networks don’t ever even provide an email address to our plugin — Twitter and Instagram are the major ones that do not provide email addresses.
As a result, unlinking Twitter or Instagram accounts could result in duplication. This is for security: while we can assume an email address represents a unique person, we can’t assume a Twitter handle or Instagram username represents a unique person, so once unlinked from an account, we could never re-link to it (since we can’t guarantee it’s the same person). (You can read more about this here.)
To combat the issue with missing email addresses, our plugin has asked the user to enter an email address since a very early version by directing the customer to the “update account” form. However, this form showed all fields to the customer.
Since the password doesn’t need to be modified here at all, we’ve hidden the “Reset password” fields when a customer is prompted for an email while linking Twitter / Instagram.
Finally, we’ve also changed this “please add an email” workflow if the customer is coming from the checkout page. As the strongest benefit to using Social Login is reducing barriers to purchase, directing the customer to the account page to add an email, then back to checkout, adds unnecessary steps.
As the customer must enter an email address to complete checkout, Social Login will opt to keep them on the checkout page when using Twitter or Instagram from the checkout page itself rather than asking for the email outright.
Overall, this release has included some other minor fixes and tweaks since we’ve refactored a large bit of the codebase, but we’re very excited to bring you an improved, more reliable, and more future-proofed Social Login extension. You can purchase Social Login here, or update with an active license shortly!