All SocialLogin does when you are logging in with Google is to access Google's OAuth2 URL and say "this is my application ID, ask the user if they want to log in".
If the user successfully logs in, Google says "here's a code; you can redeem it for a temporary access token".
SocialLogin takes that code and, now through the server, sends a request to a different Google OAuth2 endpoint which exchanges the code for a temporary access token.
Then, it uses this access token to access a third endpoint, again through the server, which gives us the user's name and email address.
At this point we check if there is a user with this email address in Joomla:
- No user exists, user creation not allowed: an error is printed.
- No user exists, user creation is allowed: a user is created, marked as a SocialLogin-enabled user for login with Google, and is logged in.
- The user exists, they are not marked as a SocialLogin-enabled user for login with Google, and login of non-previously-verified users is disabled: an error is printed.
- The user exists, they are not marked as a SocialLogin-enabled user for login with Google, but login of non-previously-verified users is enabled: the user is marked as a SocialLogin-enabled user for login with Google, and is logged in.
- The user exists, they are marked as a SocialLogin-enabled user for login with Google: the user is logged in.
All we save is an ID Google gives us.
As you can see, WE HAVE ABSOLUTELY NO CONTROL WHATSOEVER OVER HOW GOOGLE AUTHENTICATES THE USER. This is between Google and the user.
Nicholas K. Dionysopoulos
Lead Developer and Director
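The round trip described in the post (redirect to Google's authorization URL, code-for-token exchange on the server, userinfo lookup, then the five-way decision keyed on the returned e-mail address), as an added self-contained example. This is not SocialLogin's or Joomla's code: Google is replaced by an in-memory fake (`FakeGoogle`) so the script runs offline, the client ID, secret, redirect URI, profiles and `JoomlaUser` record are constructed for the example, and the `state` parameter and the "already linked to a different Google account" branch are standard-practice assumptions that the post itself does not mention.

```python
"""Simulation of SocialLogin's Google login flow as described in the post.
Added example, not project code; Google is an in-memory fake so it runs offline."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Real Google endpoint names, kept only so the three server hops are recognisable;
# the fake below never contacts them.
AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_URL = "https://oauth2.googleapis.com/token"
USERINFO_URL = "https://openidconnect.googleapis.com/v1/userinfo"


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Hop 1: the browser is sent here ("this is my application ID, ask the user").
    'state' is the standard OAuth2 anti-CSRF nonce (assumption: not mentioned in the post);
    the server must compare it with what comes back on the redirect."""
    q = {"client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
         "scope": "openid email profile", "state": state}
    return f"{AUTH_URL}?{urlencode(q)}"


class FakeGoogle:
    """Constructed stand-in for Google's OAuth2 server; not Google's real behaviour."""

    def __init__(self, client_id: str, client_secret: str):
        self.client_id, self.client_secret = client_id, client_secret
        self._codes: dict = {}   # one-time authorization code -> profile
        self._tokens: dict = {}  # bearer token -> profile

    def user_logs_in(self, profile: dict) -> str:
        """Hop 2: Google authenticates the user itself (we have no say) and returns a code."""
        code = "code-" + profile["sub"]
        self._codes[code] = profile
        return code

    def token_endpoint(self, code: str, client_id: str, client_secret: str) -> dict:
        """Hop 3, server-to-server: the code is single-use and needs the client secret."""
        profile = self._codes.pop(code, None)
        if profile is None or (client_id, client_secret) != (self.client_id, self.client_secret):
            raise PermissionError("invalid_grant")
        token = "tok-" + profile["sub"]
        self._tokens[token] = profile
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

    def userinfo_endpoint(self, authorization: str) -> dict:
        """Hop 4, server-to-server: bearer token in, name/email/stable Google ID ('sub') out."""
        token = authorization[len("Bearer "):] if authorization.startswith("Bearer ") else ""
        if token not in self._tokens:
            raise PermissionError("invalid_token")
        return self._tokens[token]


@dataclass
class JoomlaUser:
    email: str
    google_id: Optional[str] = None  # the only thing SocialLogin stores: the ID Google gives us


def resolve_login(users: dict, profile: dict, allow_create: bool, allow_link_unverified: bool):
    """The five cases from the post, keyed on the e-mail Google returned.
    Returns (outcome, user); every 'error:' outcome leaves 'users' unchanged."""
    key = profile["email"].lower()
    user = users.get(key)
    if user is None:
        if not allow_create:
            return "error:user_creation_disabled", None
        user = JoomlaUser(email=profile["email"], google_id=profile["sub"])
        users[key] = user
        return "created_and_logged_in", user
    if user.google_id is None:  # exists, not yet marked as SocialLogin-enabled for Google
        if not allow_link_unverified:
            return "error:unverified_link_disabled", None
        user.google_id = profile["sub"]  # mark as SocialLogin-enabled for Google
        return "linked_and_logged_in", user
    if user.google_id == profile["sub"]:
        return "logged_in", user
    # Assumption, not stated in the post: an account already linked to a *different*
    # Google ID is refused rather than silently re-linked.
    return "error:google_id_mismatch", None


def login_with_google(google: FakeGoogle, users: dict, profile: dict,
                      allow_create: bool = True, allow_link_unverified: bool = False):
    """The whole exchange as the server sees it."""
    build_authorize_url(google.client_id, "https://example.test/index.php", state="nonce123")
    code = google.user_logs_in(profile)  # browser comes back with ?code=...&state=...
    tok = google.token_endpoint(code, google.client_id, google.client_secret)
    info = google.userinfo_endpoint(f"Bearer {tok['access_token']}")
    return resolve_login(users, info, allow_create, allow_link_unverified)


if __name__ == "__main__":
    g = FakeGoogle("12345.apps.googleusercontent.com", "s3cret")  # constructed credentials
    db = {"alice@example.test": JoomlaUser("alice@example.test")}
    alice = {"sub": "g-alice", "email": "alice@example.test", "name": "Alice"}
    print(login_with_google(g, db, alice, allow_link_unverified=False))
    print(login_with_google(g, db, alice, allow_link_unverified=True))
```

The only persistent state written by the flow is `google_id`, mirroring "all we save is an ID Google gives us"; everything that decides whether a real person is behind the browser happens inside `user_logs_in`, which is the part the site has no control over.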