Hiding in the frontend or backend

Nicholas K. Dionysopoulos edited this page Jun 24, 2024 · 4 revisions

Since version 4.8.2, released in late June 2024, all SocialLogin plugins let you choose whether to show their login buttons only in the frontend of your site, only in the backend of your site, or in both frontend and backend (default). To change this, edit the corresponding plugin in the sociallogin group and set its “Login buttons can be shown in” option.

Use cases

This feature was introduced to support special use cases where social login is desirable on only one side of the site. It is NOT a security feature, as you can read further down below. We'll explain some use cases to help you understand why this feature exists.

Sites without a frontend login. Many company presentation, news, portal, etc. sites do not have or need a frontend login. No users should be created, nor do any users need to log into the frontend of the site. The site is fully managed through the backend. If your organisation has a Microsoft 365 Business or G Suite subscription, it makes sense that you'd want to use SocialLogin to allow your backend users to log in using their existing Microsoft or Google accounts respectively. At the same time, you know that you cannot completely hide Joomla's login page; e.g. accessing the index.php?option=com_users URL on most sites will show the Users component's login page. You don't want the SocialLogin buttons to appear there, confusing anyone who landed there for whatever odd reason. Hence the need to only show the SocialLogin buttons in the backend of the site.

Personalised sites such as forums, community hubs, e-commerce sites, etc. The goal of using SocialLogin with these sites is to reduce the friction of account creation. Instead of having users go through the multi-step Joomla process of registering a user account, you can use SocialLogin. At the same time, the small handful of users with backend access either use password login protected by Multi-factor Authentication, or log in with passkeys. You only want to show SocialLogin buttons in the frontend for the benefit of your visitors, but not in the backend login where they are irrelevant and possibly confusing. Hence the need to only show the SocialLogin buttons in the frontend of the site.

Potential for user lockout

If your site has both frontend and backend login pages, you have users who can access both the frontend and backend, and these users' only login method (or, at least, the only method they have noted down) is through SocialLogin, then changing the SocialLogin method to only frontend or only backend will lock these users out of the other side of your site.

For example, let's say that you have an Administrator user who only logs into your site with Login with GitHub. If you edit the “Akeeba Social Login - GitHub integration” plugin and set “Login buttons can be shown in” to Frontend, then this Administrator user will NOT be able to log into the backend of your site.

Think very hard about whether you have a use case like this. If this is the case, you either need to get these users to set up an alternative login method (login with passkeys is the most secure method), or refrain from using the “Login buttons can be shown in” feature in your SocialLogin plugins.

Joomla's Shared Sessions and this feature

Why it's NOT a security-relevant feature