wordpress: Wordpress user creation with duplicate emails

This issue should probably begin as a question and then move to a potential improvement in the plugin and/or documentation.

Background

I have a situation that involves supporting the same user logging in with two different social providers with the same email address. The user here is the same person, but because they are using two different social providers, there are two “users” in Auth0 for that person.

When that user logs in to Wordpress with social connection A for the first time, everything works in this plugin as expected. However, when they log in to the same Wordpress site with social connection B for the first time, this plugin attempts to create a new Wordpress user. Is that intended behavior?

The logic for this looks like it rests in the LoginManager class.

So my question is: do I understand this correctly? The user is authenticated with Auth0, and then this class looks to see if it has seen that Auth0 user before by searching the Wordpress database for users with the same Auth0 user_id. If it doesn’t find a user in that database, then it tries to create a new user in Wordpress.

Question/Proposal

If this is correct, I think that it merits a revisit. Even if the functionality in the class stays the same, I think it’s important to put guards in place to make sure that the plugin does have permission to create new users. If this method is invoked in this path, then it doesn’t matter if I’ve turned off ‘disable new signups’ in Wordpress, this plugin will still try to create a user.

To sum up:

  1. This plugin should never attempt to create users if:
    • I’ve disabled signups in Wordpress.
    • The plugin tells me that new signups are disabled.
  2. This plugin should perform some enhanced investigation to pair existing Wordpress users with an authenticated Auth0 user, regardless of the Auth0 user_id.
  3. This plugin would be enhanced with some messaging to users within the lock widget when signups have been disabled but the user is able to authenticate with Auth0.

Related

  • #4 (Re: Should the plugin provision users that exist in Auth0?)
  • #107 (Re: Should the plugin check the Wordpress database for users?)
  • #12 (Re: The nature of “could not create user” messages)
    • Specifically, the plugin already tells us that it cannot create a user because another user already has that email address. But if the functionality of the plugin changes, then there is a flow where a user will authenticate properly with Auth0 and no new account creation will take place in Wordpress. I think there are good arguments for making this part of Lock itself: the equivalent of saying to a user “I’m sorry, you do not have a Wordpress account for this site, etc.”
  • #5 (Re: Updating the behavior of Lock based on plugin configuration options)

Versions

Wordpress: 4.5.3 Plugin: 3.1.3

About this issue

  • State: closed
  • Created 8 years ago
  • Comments: 33 (13 by maintainers)

Most upvoted comments

@xtianjohns I think this should be enough to allow overriding the user (auth0 to wp) matching: https://github.com/auth0/wp-auth0/commit/57970e7ef49d49337cee07b1ca95f3cb573e3818

By default the plugin will override the user meta with the profile it got from the last login, and later you can do whatever you want in the auth0_user_login action hook.

PRs are always welcome 😃

I do think we’re having a miscommunication about Wordpress and linking, though. I’m not suggesting any feature that involves two Wordpress users. I’m suggesting that the lookup be expanded from pairing Auth0 to Wordpress via an Auth0 user_id to include the email address. That’s all.

The first lookup is done using the email. Once it has found the user, it sets the user_id; otherwise you will end up having multiple auth0 users per wordpress user. The idea to get over that is to link users on the auth0 side. Maybe a filter/action would work to let you override this behaviour. Anyway, the issue will be how the auth0 profile is stored later in the wordpress database. Right now the plugin expects to have one auth0 profile in the user meta for those wp users with a linked auth0 profile, and this will be overridden on each login if a user uses two different connections to access your wordpress (let's say email/password and facebook).

Then I don’t know why the plugin can’t treat both as the same Wordpress user (the user that shares the email address).

The thing is that it is an assumption I am not comfortable taking. In early versions the plugin worked that way, but we found a lot of pushback when trying to move on with new features. Also, if different auth0 users should be treated as the same one, it makes more sense to link them together into the same user on the auth0 side.

Help me think of a way to get over this restriction with a hook. This way we can provide a customisable experience instead of guiding ourselves with assumptions, where there will always be a use case that does not match.

I am thinking of 2 hooks. One to do the user matching (by default it will be done by user_id, but you can override it to do it by email). The other is to update the auth0 profile in the user meta (by default it will update it on each login with the profile it gets from the user that logged in; in this case, you might want to create another meta that stores an array of profiles or something like this).
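The two hooks proposed in the comment above, together with the "never create users when signups are disabled" guard from the issue body, can be sketched in plain WordPress PHP. This is an added example, not code from the wp-auth0 plugin or from the commit linked in the thread: the filter names `auth0_match_wp_user` and `auth0_store_profile`, the meta keys `auth0_id`, `auth0_obj` and `auth0_profiles`, and the argument list passed to the existing `auth0_user_login` action are all assumptions chosen for illustration. The Auth0 profile is assumed to be an object carrying the standard `user_id`, `email` and `email_verified` claims. The site-side email match deliberately refuses unverified emails, because matching on an address the identity provider has not verified would let a freshly registered social account be attached to an existing site account.

```php
<?php
// Added example (not wp-auth0 code). Hook names, meta keys and the
// auth0_user_login argument list below are hypothetical.

// ---- Plugin side: default matching by Auth0 user_id stored in user meta ----
function example_default_match( $auth0_user ) {
    $users = get_users( array(
        'meta_key'   => 'auth0_id',            // assumed meta key
        'meta_value' => $auth0_user->user_id,
        'number'     => 1,
    ) );
    return $users ? $users[0] : null;
}

// ---- Plugin side: login step that matches first and creates only as a last resort ----
function example_login( $auth0_user ) {
    // Hook 1: sites may replace or extend the default user_id match.
    $wp_user = apply_filters( 'auth0_match_wp_user', example_default_match( $auth0_user ), $auth0_user );

    if ( ! $wp_user ) {
        // Guard from the issue: honour WordPress's own registration switch.
        if ( ! get_option( 'users_can_register' ) ) {
            return new WP_Error( 'auth0_signup_disabled', 'Registration is disabled for this site.' );
        }
        $user_id = wp_insert_user( array(
            'user_login' => $auth0_user->email,
            'user_email' => $auth0_user->email,
            'user_pass'  => wp_generate_password( 32, true ),
        ) );
        if ( is_wp_error( $user_id ) ) {
            return $user_id; // e.g. existing_user_email when the address is taken
        }
        $wp_user = get_user_by( 'id', $user_id );
        update_user_meta( $wp_user->ID, 'auth0_id', $auth0_user->user_id );
    }

    // Hook 2: how the profile is persisted. Default keeps one profile per WP user.
    $handled = apply_filters( 'auth0_store_profile', false, $wp_user, $auth0_user );
    if ( ! $handled ) {
        update_user_meta( $wp_user->ID, 'auth0_obj', $auth0_user );
    }

    do_action( 'auth0_user_login', $wp_user->ID, $auth0_user ); // argument list assumed
    return $wp_user;
}

// ---- Site side (mu-plugin): fall back to matching by verified email ----
add_filter( 'auth0_match_wp_user', function ( $wp_user, $auth0_user ) {
    if ( $wp_user ) {
        return $wp_user; // user_id match already succeeded
    }
    // Only trust the address if the provider verified it; an unverified
    // email must not be enough to attach a new identity to an existing account.
    if ( empty( $auth0_user->email_verified ) || ! is_email( $auth0_user->email ) ) {
        return null;
    }
    $found = get_user_by( 'email', $auth0_user->email );
    return $found ? $found : null;
}, 10, 2 );

// ---- Site side: keep one profile per Auth0 user_id instead of overwriting ----
add_filter( 'auth0_store_profile', function ( $handled, $wp_user, $auth0_user ) {
    $profiles = get_user_meta( $wp_user->ID, 'auth0_profiles', true );
    if ( ! is_array( $profiles ) ) {
        $profiles = array();
    }
    $profiles[ $auth0_user->user_id ] = $auth0_user;
    update_user_meta( $wp_user->ID, 'auth0_profiles', $profiles );
    return true; // tell the plugin storage has been handled
}, 10, 3 );
```

With both filters installed, a second social connection that presents the same verified email is matched to the existing WordPress user and its profile is stored alongside the first one under its own Auth0 user_id, so neither login overwrites the other. Whether a given social provider actually sets `email_verified` varies, so a site enabling the email fallback should check what its connections return before relying on it.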