
Security and Privacy

Nicholas K. Dionysopoulos edited this page Jun 25, 2024 · 2 revisions

SocialLogin is designed to be as secure and private as technically possible.

Security

Using SocialLogin to log into a site is a strong form of authentication, built with security in mind.

When a Joomla user account is linked to a social account we store a short identifier provided by the remote end. This is different for every API application and social user account.

When you are logging in there is a three-party cross-verification scheme taking place. The remote end verifies that the login request it receives from the site server is legitimate. Then, it verifies the social account login of the user. Then, it asks the user for explicit consent (if they have not provided it yet). The user's browser then sends a request back to the site's server with a code. This code is verified with the remote end, and the site's server exchanges it for a short-lived token. This short-lived token is sent in a request to the remote end, which verifies it and returns a short identifier and other pieces of identification information (name and email). The identifier is checked against the one we had already stored from the initial linking. Only then is the user logged in.
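The three-party flow described above, as an added Python simulation; this is not SocialLogin's own code (SocialLogin is a PHP Joomla extension) and nothing in it is the provider's real API. The provider, the site and the user's browser are in-process objects; the class and function names, the hostnames, the sample user and the way the provider derives an app-scoped identifier (an HMAC over the application id and the account) are all assumptions constructed for the example. It exercises the checks the text lists: the site only accepts callbacks for logins it started, the authorization code is single use, the token is short-lived and dropped after the identity lookup, and the returned identifier must match the one stored when the account was linked. It also shows the point made later under Privacy: two sites obtain different identifiers for the same social account.

```python
import hashlib
import hmac
import secrets
import time


class Provider:
    """Toy identity provider standing in for the remote end (constructed)."""

    def __init__(self):
        self.apps = {}      # client_id -> (client_secret, redirect_uri)
        self.users = {}     # social login -> {"password", "name", "email"}
        self.codes = {}     # authorization code -> (client_id, login)
        self.tokens = {}    # access token -> (client_id, login, expiry)
        self._key = secrets.token_bytes(32)

    def register_app(self, redirect_uri):
        client_id, client_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.apps[client_id] = (client_secret, redirect_uri)
        return client_id, client_secret

    def scoped_id(self, client_id, login):
        # Assumed derivation: an identifier that is specific to one API application.
        msg = f"{client_id}:{login}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:24]

    def authorize(self, client_id, redirect_uri, login, password, consent):
        """Verify the requesting app, the social login and consent; issue a code."""
        if self.apps.get(client_id, (None, None))[1] != redirect_uri:
            raise PermissionError("unknown application or redirect URI")
        user = self.users.get(login)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise PermissionError("social account login failed")
        if not consent:
            raise PermissionError("user did not consent")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, login)
        return code

    def exchange_code(self, client_id, client_secret, code):
        """Server-to-server: verify the code and swap it for a short-lived token."""
        secret, _ = self.apps.get(client_id, (None, None))
        if secret is None or not hmac.compare_digest(secret, client_secret):
            raise PermissionError("bad client credentials")
        entry = self.codes.pop(code, None)      # codes are single use
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid or replayed code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_id, entry[1], time.time() + 60)
        return token

    def userinfo(self, token):
        """Return the minimal profile for a valid, unexpired token."""
        client_id, login, expiry = self.tokens.get(token, (None, None, 0.0))
        if client_id is None or time.time() > expiry:
            raise PermissionError("invalid or expired token")
        user = self.users[login]
        return {"id": self.scoped_id(client_id, login),
                "name": user["name"], "email": user["email"]}


class Site:
    """One Joomla site with its own API application registered at the provider."""

    def __init__(self, provider, host):
        self.provider = provider
        self.redirect_uri = f"https://{host}/sociallogin/callback"
        self.client_id, self.client_secret = provider.register_app(self.redirect_uri)
        self.links = {}      # Joomla username -> stored identifier (the only persisted datum)
        self.states = set()  # login attempts this site started (anti-CSRF nonces)

    def start_login(self):
        state = secrets.token_urlsafe(16)
        self.states.add(state)
        return state

    def _identify(self, state, code):
        if state not in self.states:
            raise PermissionError("callback does not match a login we started")
        self.states.discard(state)
        token = self.provider.exchange_code(self.client_id, self.client_secret, code)
        info = self.provider.userinfo(token)
        del token   # held in memory for this request only, never written anywhere
        return info

    def link_account(self, joomla_user, state, code):
        self.links[joomla_user] = self._identify(state, code)["id"]

    def callback(self, state, code):
        """Log in the Joomla user whose stored identifier matches the remote one."""
        remote_id = self._identify(state, code)["id"]
        for user, stored in self.links.items():
            if hmac.compare_digest(stored, remote_id):
                return user
        raise PermissionError("social account is not linked to any user")


def browser_flow(site, login, password, consent=True, link_as=None):
    """Play the browser: start at the site, authenticate at the provider, bring the code back."""
    state = site.start_login()
    code = site.provider.authorize(site.client_id, site.redirect_uri, login, password, consent)
    if link_as:
        site.link_account(link_as, state, code)
        return link_as
    return site.callback(state, code)


def make_world():
    """Constructed sample data: one social account, two independent sites."""
    provider = Provider()
    provider.users["alice"] = {"password": "hunter2", "name": "Alice", "email": "alice@example.com"}
    return provider, Site(provider, "site-a.example"), Site(provider, "site-b.example")
```

Run `make_world()` and then `browser_flow()` once with `link_as=` to link, and again without it to log in; a wrong social password, refused consent, a replayed code, a callback the site never started, or an account linked on a different site each fail at the step the text assigns to that check, and after a successful login the site holds nothing but the per-application identifier.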

The third party services SocialLogin integrates with are very secure when it comes to verifying that the social account is logged in as well. They may implement passwordless authentication (passkey, dedicated app, …), multi-factor authentication, etc. They can also decide to perform additional verification based on other signals such as the browser used, geographic signals, behavioural signals etc.

All of that makes SocialLogin logins far more secure than Joomla's password login, and at least as secure as logging in with a passkey.

Privacy

When SocialLogin displays the login buttons there is no communication whatsoever with the remote service. Not from the frontend of your site (browser), not from the backend of your site (server). The login buttons ARE NOT implemented in JavaScript using the third party's privacy-invasive libraries. They are simple HTML links styled as buttons. Even the icons are stored on your own server for maximum privacy. Information is exchanged with the remote end only when one of these buttons is clicked. Therefore, merely displaying the login buttons does not have any effect on your privacy.

The information stored on the site to link a social account with the Joomla! user account CAN NOT be used to retrieve or modify any information on the remote service either. It is merely a simple identifier, and one that is specific to the API application (therefore, the site itself). Two different sites use two different API applications, therefore get two different identifiers for the same social account.

Even when you are logging into a site using SocialLogin, you only provide read-only access to very basic information about your user account. The permissions we request are the minimum ones necessary to retrieve a unique identifier, the email, full name, and preferred username (the latter only for the services which support it). The token we receive which makes that possible is NOT stored anywhere on disk or in the database; it is only held in memory for a few seconds, and gets removed immediately after using it to retrieve the aforementioned information from the remote end. Therefore, even if an attacker gets access to the contents of the database of the site they will only have a set of useless identifiers which only apply to that site and carry zero information they could possibly use to identify the social user.

All that said, when you click on a login button to log into a site you do lose something in privacy. The remote end knows that you have linked the user account you keep with them with a specific API application. They also know when you logged in, your IP address, and the domain name of the site you logged into. This is a very minimal set of information. If you are not comfortable sharing even this minimal set of information you shouldn't be using SocialLogin or, indeed, any third party service.

Addressing concerns about privacy, GDPR, etc

As noted, merely displaying the social login buttons has no privacy implication. The buttons are just HTML links, they do not use the privacy-invading JavaScript offered by third party providers. Therefore, you do NOT need explicit consent to display the login buttons.

Clicking the buttons does not require consent either. You are not transferring any personally identifiable information (PII). The user's IP is visible to the remote provider but it's not PII because at this point we have not transferred any other identifiable information – remember that the Schrems case verdict was that the IP address is PII only when it's linked to other identifiable information. When the user is transferred to the remote provider they have to provide their explicit consent for their PII to be processed there AND to be transferred back to your site. Therefore, when your site receives their PII they have already provided their explicit consent, and you do NOT need explicit consent for the same thing on your site. However, if you are processing more than just the user's email address and name on your site you MAY need to request explicit consent from the user. You can do so using Joomla's Privacy component, or a third party extension. If unsure, please consult with a lawyer; we are not lawyers, we cannot and do not provide legal advice.