Social Login
Let bidders sign in with Google, Facebook, or Apple instead of creating a username + password.
Why use it
- Faster sign-up (no email verification step)
- Higher conversion (less friction at registration)
- More accurate user data (verified email from provider)
Trade-off: dependence on the provider — if Google's OAuth breaks, your social-login users can't sign in.
Configure
Auctions → Settings → Integrations → Social Login
| Field | Option key |
|---|---|
| Master enable | wkafw_social_login_enabled |
| Google client ID | wkafw_google_client_id |
| Facebook app ID | wkafw_facebook_app_id |
| Apple client ID | wkafw_apple_client_id |
Google sign-in
- Create a project at console.cloud.google.com
- APIs & Services → Credentials → Create Credentials → OAuth client ID
- Application type: Web application
- Add authorized redirect URI:
https://yoursite.com/wp-login.php?action=wkafw_oauth_callback
- Copy the client ID
- Paste into plugin settings
The Google button appears on:
- WP login form
- WP registration form
- Auction-specific bidder signup (custom shortcode)
Facebook sign-in
- Create an app at developers.facebook.com
- Add Facebook Login product
- Settings → Valid OAuth Redirect URIs:
https://yoursite.com/wp-login.php?action=wkafw_oauth_callback
- Copy the App ID
- Paste into plugin settings
Apple sign-in
Apple requires more setup — a paid Developer Program membership and JWT-signed credentials.
- Create a Service ID
- Configure return URLs
- Generate a key + private key
- Paste service ID + private key into plugin settings (path or content)
Apple sign-in is mandatory if your iOS app uses Sign in with Apple (App Store rule).
How it works
- User clicks "Sign in with Google" (or other)
- Redirected to provider's OAuth consent screen
- User authorizes
- Provider redirects back with auth code
- Plugin exchanges code for user profile (email, name, ID)
- Existing user with same email? Logs them in directly
- New user? Creates a WP account with the provider's email
- User is logged in; redirected to where they came from
The provider's user ID is stored in user meta — used to re-link on future logins.
What user data is captured
| Provider | Captured |
|---|---|
| | email, name, profile picture URL |
| | email, name, profile picture URL, locale |
| Apple | email (or relay), name |
Apple's privacy relay returns a *@privaterelay.appleid.com email — the plugin handles this transparently. The user receives all auction emails at their relay; Apple forwards to their real address.
Existing user account linking
If a user signs in with Google but their email already has a WP account:
| Link mode | Behavior |
|---|---|
| Auto-link (default) | Adds the Google ID to the existing user, logs them in |
| Require password verification | User must confirm with their existing WP password before linking |
| Reject | Refuses sign-in; user must use password |
Configure via wkafw_social_login_link_mode.
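The linking decision described above, sketched as an added example (not the plugin's own code, and in Python rather than PHP so it runs stand-alone). The mode strings, the `email_verified` field and the fallback to password confirmation when an email is unverified or the account is already linked to a different ID are assumptions of this example.

```python
from dataclasses import dataclass, field

# Hypothetical stored values for wkafw_social_login_link_mode; the page names
# the three behaviours but not the strings the option holds.
AUTO, VERIFY_PASSWORD, REJECT = "auto", "verify_password", "reject"

@dataclass
class User:
    email: str
    provider_ids: dict = field(default_factory=dict)  # stands in for user meta

@dataclass
class Profile:  # normalized result of the code-for-profile exchange
    provider: str
    subject: str          # the provider's stable user ID
    email: str
    email_verified: bool  # assumed to be taken from the provider's response

def resolve_login(profile, users, link_mode=AUTO):
    """Return (action, user) for one callback; mutates `users` on link/create."""
    email = profile.email.strip().lower()
    # 1. Returning user: match on the stored provider ID before looking at
    #    email, so a later change of address at the provider does not matter.
    for u in users:
        if u.provider_ids.get(profile.provider) == profile.subject:
            return "login", u
    existing = next((u for u in users if u.email.lower() == email), None)
    # 2. No account with this email: create one and record the provider ID.
    if existing is None:
        new = User(email, {profile.provider: profile.subject})
        users.append(new)
        return "create", new
    # 3. Email collides with an existing account: apply the link mode.
    if link_mode == REJECT:
        return "reject", None
    unlinked = profile.provider not in existing.provider_ids
    if link_mode == AUTO and profile.email_verified and unlinked:
        existing.provider_ids[profile.provider] = profile.subject
        return "link", existing
    # verify_password mode, an unverified email, or an account already linked
    # to a different ID at this provider: ask for the WP password first
    # (this stricter fallback is the example's choice, not documented behaviour).
    return "password_required", existing
```

Any mode string the function does not recognise also ends in `password_required`, so a mistyped setting fails closed rather than auto-linking.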
Disabling password login
If you want only social login:
Use with extreme caution — admins still need a way in.
Privacy
- Required disclosure in your privacy policy: which providers, what data is collected, how it's used
- GDPR: provider OAuth flow includes a consent screen — users explicitly authorize
- Right-to-be-forgotten: WP user deletion removes plugin meta; provider IDs are not retained beyond that
Common questions
"Can users link multiple providers?"
Yes — once logged in, a user can visit My Account → Security → Connected accounts and link / unlink any supported provider.
"What happens if a user revokes the OAuth grant in their Google account?"
Future sign-in attempts will fail. The user can either re-grant via Google or use password login (if they set one).
"Can I require a phone number for social-login users?"
Yes — gate access to specific surfaces (e.g., bidding) with wkafw_phone_required_for_bidding. Social-signup users will be prompted to add a phone before placing their first bid.
