Github

Today we released a new social login provider on the service: Github. Websites focused primarily on a developer community can now offer Github as a social login option on their site.
Adding Github as your social login provider is as simple as the rest, and as with any other provider you must first generate a Provider Client ID/Secret. To start, open a new browser window, go to https://github.com/settings/applications/new and log in. Enter your application's name, homepage Url and a description, then enter your Stitchz authorization Callback Url, i.e. https://<yourappurl>/Github/v1/Authenticated. Finally, click "Register application". Write down the Client ID and Secret that Github generates. Figure 1.

Github Application Registration Form
Figure 1 - Github Application Registration Form

If you have already created an application on , log in and go to your Providers settings page; otherwise follow the steps in the blog post to get started. To add a new Social Login Provider, click the plus (+) in the right-hand corner, then select Github from the drop-down list. Enter the Github-generated Client ID and Secret into the Stitchz "App Key/ID" and "Secret Token" fields respectively. Click "Save". Figure 2.

Stitchz Github Provider Form
Figure 2 - Stitchz Github Provider Form

Enjoy!

oauth web security

OAuth. It's a word that has gained a lot of publicity in the past eight or nine years, but what is it? If you've ever logged into a website (ahem, Stitchz) with your Facebook or Twitter account, then you've used it. In one simple sentence: OAuth is a safe way to authorize access to a website without sharing your password.

Suppose a website, somefantasticsite.com, has some really good content that you want to read. In order to read the content you must log in, but you already have dozens of username/password combinations for other websites. In this case, somefantasticsite.com offers visitors the choice to log in with their Facebook or Twitter account. Say you choose to log in with Facebook: the website redirects you to facebook.com, where Facebook asks you to enter your username and password. The credentials you enter are verified by Facebook and are never shared with the website you're attempting to access. Upon successful authentication, Facebook redirects you back to the originating website with a special one-time token. In the background, the website sends that token back to Facebook for verification and receives a unique, short-lived access token generated by Facebook. With the access token in hand, the website can have a high level of certainty that you are who you say you are and grant you access to the secured content.

oauth web access token

The OAuth authorization scenario is very similar to using your photo ID or passport when boarding an airplane. The airline requires you to first authenticate with a trusted source, in this case the local government, and then upon inspection authorizes your entry into the airplane or terminal.

At this point you may be thinking, "that's great, but how is this more secure than using a username/password?" The scenario above contains a key step: when you enter your password on facebook.com, the credentials are processed only by Facebook. Because Facebook sends the originating website a short-lived access token rather than your credentials, no credentials are ever shared. This means that if the originating website is hacked, no passwords are leaked or compromised.
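The round trip described above (redirect to the provider, one-time token handed back through the browser, back-channel exchange for a short-lived access token) and the point that the website never handles the password, as an added toy model that is not Stitchz or Facebook code. The class names, the 60-second code lifetime and all usernames, passwords and client credentials are constructed for the example.

```python
import secrets
import time
from urllib.parse import parse_qs, urlparse
# Added toy model of the flow above (not Stitchz or Facebook code); all names,
# passwords and client credentials are constructed samples.

class AuthorizationServer:
    """Facebook's role: holds passwords, issues one-time codes and access tokens."""
    def __init__(self, users, clients):
        self._users, self._clients = users, clients  # username->pw, client_id->(secret, redirect)
        self._codes = {}  # one-time code -> (client_id, username, expiry time)
    def authorize(self, client_id, redirect_uri, username, password):
        """Front channel: the user types the password HERE, never at the website."""
        if self._clients[client_id][1] != redirect_uri:
            raise ValueError("redirect URL does not match the registered callback")
        if self._users.get(username) != password:
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, username, time.time() + 60)  # short lived
        return f"{redirect_uri}?code={code}"  # browser is sent back carrying the code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: the website trades the code for an access token."""
        entry = self._codes.pop(code, None)  # pop: a replayed code is rejected
        if entry is None:
            raise PermissionError("unknown or already used code")
        owner, username, expires_at = entry
        if (owner, (client_secret, redirect_uri)) != (client_id, self._clients[client_id]) \
                or time.time() > expires_at:
            raise PermissionError("code is not valid for this client")
        return {"access_token": secrets.token_urlsafe(24), "user": username, "expires_in": 3600}

class Website:
    """somefantasticsite.com: never sees or stores the user's password."""
    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id = server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri

    def complete_login(self, callback_url):
        code = parse_qs(urlparse(callback_url).query)["code"][0]
        tok = self.server.token(self.client_id, self.client_secret, code, self.redirect_uri)
        return tok["user"]  # identity established without handling a password

def run_flow(username="alice", password="correct horse"):
    """Full round trip; returns (identity the website learned, website, callback URL)."""
    server = AuthorizationServer({"alice": "correct horse"},
                                 {"site": ("s3cret", "https://somefantasticsite.com/cb")})
    site = Website(server, "site", "s3cret", "https://somefantasticsite.com/cb")
    callback = server.authorize("site", site.redirect_uri, username, password)
    return site.complete_login(callback), site, callback
```

Note that `Website` holds only its own client id/secret; a compromise of it exposes no user password, which is the property the paragraph above describes.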

website security with OAuth

For example, let's say you visit a website you don't expect to return to, but it requires a login to view some information. You're faced with a decision: create yet another username/password combination, or log in with your social identity. Since you don't plan on returning, you log in with your social identity and avoid having to remember another website username and password.

There are some risks, but probably the most obvious is browsing unsecured websites, or websites that lack SSL encryption [1]. While OAuth is relatively safe when implemented correctly, there are ways evil-doers can sniff [2] unsecured web traffic. To mitigate this risk, make sure the login page you're using starts with an "https" Url.

Wrap Up

OAuth is a simple and safe way to authorize access to a third-party website without sharing your username and password. In place of your username and password combination, an authorization server (e.g. Facebook) exchanges a unique token. A secure website using OAuth will have a high level of certainty that you are who you say you are, and you don't have to share your username and password with websites you don't trust.

References:


Drupal

WordPress is the world's most popular content management system (CMS), used by more than 60 million websites worldwide [1]. It's an open-source CMS written in PHP that is free to install and use, with thousands of plug-ins and themes. WordPress started as a pure blogging platform in 2003 but has since evolved into a robust and versatile CMS used by millions. Supported by a large user community and several websites offering free support, getting help is usually quick, which is a selling point when choosing a CMS.

WordPress' robust plugin framework lets users customize and extend common functionality to create a unique website experience. This article explains how to install and activate the Stitchz Social Login WordPress plug-in to integrate social login providers like Facebook or Twitter into your WordPress site. The Stitchz Social Login plug-in is as easy to install and configure as WordPress itself, and installing it follows the standard process. The details of the installation and configuration are covered in this article; for an abbreviated version of these steps check out .

Installation

  1. Log in as an administrator and go to the WordPress Admin console and click "Plugins" in the left navigation menu.
  2. On the Plugins page, at the top, click "Add New". Figure 1.
    Add new Wordpress plugin
    Figure 1.
  3. In the "Search Plugins" field enter "Stitchz" and press Enter.
  4. The first result will be the Stitchz Social Login plugin; click "Install Now". Figure 2.
    Stitchz Social Login plugin search
    Figure 2.
  5. When asked if you really want to install the plugin click "Ok".
  6. After the plugin has finished installing, click "Activate Plugin". Figure 3.
    Stitchz Social Login plugin activating
    Figure 3.
  7. WordPress will show the successful installation at the top of the Plugins page. Figure 4.
    Stitchz Social Login plugin activated
    Figure 4.
    The plugins are sorted alphabetically, scroll down and find the newly installed plugin.
  8. The Stitchz Social Login plugin and all its details will be listed. Figure 5.
    Stitchz Social Login plugin installed
    Figure 5.
  9. Installation and activation are complete; the next step is to configure the plugin.

Configuration

A prerequisite for using the Stitchz Social Login plugin in WordPress is an application with the Stitchz service; to create one, go to . When creating the application, combine your website's Url with "/stitchz_social_login/auth" (the Stitchz Social Login end point). For example: https://www.YourWebsiteUrl.com/stitchz_social_login/auth

For details on creating an application follow the steps outlined in the previous post .

After the application is set up, begin configuring the WordPress plugin. Some settings from the application are required in the following steps, so keep them handy.

  1. First, change the default way WordPress handles web URLs. Log in to WordPress as an Administrator and go to the WordPress Admin console.
  2. Click "Settings > Permalinks".
  3. Under "Common Settings", select any option except "Default" and click "Save Changes". This modifies the .htaccess rewrite rules.
  4. Next, click "Stitchz Login API Settings" in the left navigation menu. Figure 6.
    Stitchz Social Login plugin navigation link
    Figure 6.
  5. Begin configuring the Stitchz Login API Settings; each field marked (required) must be filled in. Copy the settings from your application into the "App Url", "ApiKey", "AppSecret" and "Redirect Url" fields respectively. Figure 7.

    Stitchz Social Login plugin activating
    Figure 7.

    There are a few things to note about the configuration that may make it simpler. First, the "Return Url" field is the WordPress website's full web Url plus the Stitchz WordPress end point ('/stitchz_social_login/auth'), i.e. https://www.YourWebsiteUrl.com/stitchz_social_login/auth. This value must match the Return Url set up in the Stitchz application.

    Second, the "API Version" field determines how users' authentication requests are sent to Stitchz. The "Standard Login" option is a basic authentication request used only to authenticate a user, nothing else. The "OAuth 2 Login" option sends an OAuth 2.0 authenticated request to Stitchz and returns a valid OAuth 2.0 token that can be used to request further resources without forcing the end user to re-authenticate. Note that "OAuth 2 Login" requires HTTPS. A future article will cover what requests can be made to the Stitchz API; in the meantime, if you're interested, check out for info.

  6. After configuring the Stitchz Login API Settings you must sync your configured Social Login Identity Providers from Stitchz. Click the "Sync Providers" button to synchronize the list of providers set up in the Stitchz application. If all settings are correct, a sample login will display with all the configured and active identity providers. Should an error message appear or no sample login be displayed, double-check the Stitchz Login API Settings and click "Sync Providers" again. If a sample is still not displayed, continue with the configuration, save all settings, and then check and try again.
  7. The Stitchz Login Addin Settings provide options for where to display the social login form within WordPress and how it will look. Ticking a checkbox activates the feature and displays the form on the respective screen. A typical website should activate the first three choices; websites with WordPress commenting turned on should activate all four so commenters can log in and comment with their social identity.
  8. The "Theme Version" selection changes the way the social login icons look. The current option is "Basic". Additional themes will be included in future updates.
  9. Finally, the "Social Login Notes" field allows the administrator to write a message to all users; up to 255 characters are allowed, with no HTML. The note appears under the social login icons wherever they are displayed. Notes are useful for providing login instructions or sharing a message.

    See Figure 8 for an example of a complete setup.

    Stitchz Social Login Form
    Figure 8.

Additional Options

As of version 2.5, WordPress supports shortcodes. "A shortcode is a WordPress-specific code that lets you do nifty things with very little effort. Shortcodes can embed files or create objects that would normally require lots of complicated, ugly code in just one line. Shortcode = shortcut." [2] Stitchz offers a shortcode that can be placed on any page or blog post simply by adding [stitchz_social_login_shortcode].

Wrap Up

Nearly everyone has a social media account; just look at the latest total number of Facebook users, over one billion [3]. Why not lower the barrier to entry and provide your visitors a simple, safe means of registration? With more than 20 popular social networks to choose from, customizing the WordPress site experience with Stitchz Social Login is simple.

References: