Adding Facebook Connect to a blog, so that users can subscribe with a click, can matter a lot: many users are on Facebook now, and a site's own signup process is often the reason people do not register.
Facebook Connect lets you authenticate a user, and even add one to your WordPress blog, in a few clicks. Here I want to explain how I did it for a site.
The feature is not packaged as a plugin: it can stay external, without loading the blog with yet another plugin. Of course, this means some settings must be edited directly in configuration files.
Introduction to Facebook Connect
Three parties take part in the process:
- Facebook, which holds the user's credentials
- A Facebook app, which the user authorizes to access some of his data and which represents our blog on Facebook
- Our blog, which needs to register and log in the user.
The Facebook app must be set up to obtain two values, the app id and the app secret, which are used to communicate with Facebook. The app id is public (it appears in the URL the user is sent to); the app secret must stay on the server and is only ever sent in the server-to-server call described below. How to set up an app for Facebook Connect is explained, for example, on my Facebook Extension for Newsletter.
Now that we have an app and its keys, here is how the OAuth sequence works:
- The user wants to sign up and clicks a link we provide to start the process. That link points to the URL of our single-file Facebook Connect script.
- Once called, the connection page sends the user to Facebook, saying: the person I'm sending you wants to connect to my site, and the app that will be the intermediary between me and you is this one (identified by the app id).
- Facebook checks whether the person is already logged in to Facebook and, if not, asks him to log in.
- Once he is logged in, Facebook checks whether the person has already authorized the app to access his data (if nothing special is requested, the app only gets the user details that are already public). The important thing is the authorization.
- If the user has not yet authorized the app, Facebook asks him to; otherwise Facebook won't ask a second time.
- Facebook redirects the user back to the blog (to a specified address, in our case the same page) adding a special, short-lived code to the URL.
- Our page sees the user come back and extracts the code, but it still has no user information. To get it, the page uses the code together with its app secret and makes a server-to-server call to Facebook.
- Facebook returns the information and the page can create and log in the user.
A server-to-server call is a call made directly by your blog to Facebook to exchange information; the browser is not involved, so the app secret is never exposed to the user, and the code alone is useless to anyone who does not also have the secret.
Since the user's data arrives through that authenticated call, and not from the browser, we can trust it and log in the user immediately. In practice, a user signs up to our blog in two clicks.
When a user is created from Facebook, his Facebook id, which is unique and immutable, is stored. This id lets us sign in a user who goes through the authentication process again but is already in our database because of a previous Facebook signup.
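The sequence above written out as a single PHP entry point, as an added example that is not the author's script. It assumes FB_APP_ID and FB_APP_SECRET are the names of the two defines in wp-config.php, that PHP sessions are usable and PHP is at least 5.6 (for hash_equals), and that the classic Graph API endpoints it names are still valid for your app; the function it calls at the end to map the Facebook id and email onto a WordPress user is hypothetical. The one thing it adds to the sequence in the text is the random "state" value: without it, an attacker can start the flow himself and make a victim's browser finish it with the attacker's code, logging the victim into the attacker's account.

```php
<?php
// wp-content/extensions/fbconnect.php
// Added example, not the author's script. Assumptions: FB_APP_ID and FB_APP_SECRET
// are defined in wp-config.php (the define names are an assumption), PHP >= 5.6
// (hash_equals), PHP sessions are usable, and the classic Graph API endpoints
// below are still valid for your app (check the current API version).
require_once dirname(__FILE__) . '/../../wp-load.php';

define('FB_OAUTH_DIALOG', 'https://www.facebook.com/dialog/oauth');
define('FB_TOKEN_URL',    'https://graph.facebook.com/oauth/access_token');
define('FB_ME_URL',       'https://graph.facebook.com/me');

// Must match the redirect URI configured in the Facebook app, byte for byte.
$redirect_uri = site_url('/wp-content/extensions/fbconnect.php');

if (!session_id()) {
    session_start();
}

if (isset($_GET['error'])) {
    // The user refused the authorization dialog.
    wp_die('Facebook login was cancelled: ' . esc_html($_GET['error']));
}

if (!isset($_GET['code'])) {
    // Step 1: send the user to Facebook. The random "state" is kept in the session
    // and checked on return, so an attacker cannot complete the flow in a victim's
    // browser with a code obtained for the attacker's own Facebook account.
    $state = bin2hex(openssl_random_pseudo_bytes(16));
    $_SESSION['fb_state'] = $state;
    wp_redirect(FB_OAUTH_DIALOG . '?' . http_build_query(array(
        'client_id'    => FB_APP_ID,
        'redirect_uri' => $redirect_uri,
        'scope'        => 'email',   // we only ask for the email address
        'state'        => $state,
    )));
    exit;
}

// Step 2: the user is back with a code. Validate the state before using the code.
if (empty($_GET['state']) || empty($_SESSION['fb_state'])
        || !hash_equals($_SESSION['fb_state'], (string) $_GET['state'])) {
    wp_die('Invalid OAuth state');
}
unset($_SESSION['fb_state']);

// Step 3: server-to-server exchange of the code for an access token. The app
// secret is sent only here, from our server to Facebook, never to the browser.
// file_get_contents() over https needs allow_url_fopen and the openssl extension;
// a cURL fallback would replace this call on hosts that block it.
$token_response = file_get_contents(FB_TOKEN_URL . '?' . http_build_query(array(
    'client_id'     => FB_APP_ID,
    'client_secret' => FB_APP_SECRET,
    'redirect_uri'  => $redirect_uri,   // must equal the one used in step 1
    'code'          => $_GET['code'],
)));
if ($token_response === false) {
    wp_die('Token exchange failed');
}

// The old API answered "access_token=...&expires=..."; newer versions answer JSON.
$token = null;
$json = json_decode($token_response, true);
if (is_array($json) && isset($json['access_token'])) {
    $token = $json['access_token'];
} else {
    parse_str($token_response, $parts);
    if (isset($parts['access_token'])) {
        $token = $parts['access_token'];
    }
}
if (!$token) {
    wp_die('No access token in the response');
}

// Step 4: fetch the profile; we need only the immutable id and the email.
$me = json_decode(file_get_contents(FB_ME_URL . '?' . http_build_query(array(
    'fields'       => 'id,email',
    'access_token' => $token,
))), true);
if (!is_array($me) || empty($me['id'])) {
    wp_die('Profile fetch failed');
}

// Step 5: map (id, email) to a WordPress user and log him in.
// fbconnect_find_or_create_user() is a hypothetical function that must
// implement the conflict decisions discussed in the user-creation section.
$user_id = fbconnect_find_or_create_user($me['id'], isset($me['email']) ? $me['email'] : '');
wp_set_auth_cookie($user_id);
wp_safe_redirect(home_url('/'));
exit;
```

Two things to check when adapting this: the redirect_uri sent in the token exchange has to be identical to the one used in the dialog request, or Facebook rejects the code; and the email field can be absent from the profile if the user has no verified address, so the account logic must be able to work from the id alone.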
The connection script
The script is available on my downloads page.
I wrote the connection script without the Facebook SDK, which is more complex but has many more features. Even if this script was initially written only to explain the process, it is perfectly usable in a blog.
The only requirement is that PHP's file_get_contents() function is allowed to make HTTPS calls (that is, allow_url_fopen is on and the openssl extension is loaded). Not all providers allow that. If your provider has blocked this feature, remember that Hostgator has the function enabled, and you could move there.
If file_get_contents() cannot be unlocked, the script can use the cURL functions instead (if available, of course).
How to use it
Put the script inside the folder wp-content/extensions and add to wp-config.php the two defines for the Facebook app (the app id and the app secret):
Put a link, wherever you want on the site, to:
That page is the entry point of the Facebook Connect procedure.
User creation problems
This is the hard part, and it's not a technical problem but a set of decisions we must take about user creation when there are "conflicts".
If the only source of users is Facebook there is no problem. But reality is far from that, so we need to take specific action when, for example, a user signs up with Facebook but we already have a non-Facebook user registered with the same email.
Let me explore all the possibilities.
When a user connects to our blog with Facebook, we get two values from Facebook: his id and his email. We ask explicitly for his email (the "email" permission) because we want it to communicate with the user. Asking for it is optional, but reasonable.
Second, we trust these two values from Facebook: in particular, we rely on Facebook having verified that the email address belongs to the user, because that is what makes it acceptable to link accounts by email below.
When we already have a user with the same Facebook id
If our database already contains a user with the same Facebook id, he is certainly the same person. The email and other data we get from Facebook are the most up to date, so we should update our database as well. But what if the user's email has changed and, for some reason, our database has another user with the new email? We'll see that later (it's complicated).
We don't have a user with that Facebook id
If we don't have a user with that id, we probably need to create one. But since we also have an email address, we should first check whether that email is already registered.
Remember, we trust Facebook, while the already registered email could be a fake registration. Fake or not, that existing account can only be used by the owner of the email, who received the password, so we can upgrade the account by adding the Facebook id to it.
No one other than the email owner, who received the password, was able to use that account, so they are the same person. This reasoning holds only because WordPress delivers the initial password by email: if your registration flow lets a visitor choose a password on screen without first confirming the address, someone could pre-register a victim's email, and the Facebook login would then attach the victim's Facebook id to an account whose password the attacker knows.
We have that Facebook id registered, but the email also corresponds to another active account
This is the most problematic situation. It happens when the Facebook user has changed his email address (which he owns, because Facebook verified it) to one with which he had probably already signed up to our blog earlier.
We should merge the two accounts. That is hard: even if it can be done by correcting the WordPress database, we cannot know whether other plugins have stored relations with both accounts.
A second solution is to deactivate the account with the conflicting email and keep only the Facebook-related account. To avoid a non-unique email in our database, the conflicting account's email can be replaced with a fake address and its password with a new random one, so no one can use it any more. A fake address can be a random number followed by @fake.tld, so such accounts are easy to search for.
Actually, the WordPress database lets you store duplicate email addresses (even though it can't be done from the administrative panels), so if you ignore this problem the blog does not stop working; lookups by email, such as password resets, just become ambiguous.
My example script, available on the downloads page, does not take all those possibilities into account (at least at the time of writing :-)).
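The decision tree of this section, written against the WordPress user API as an added example that is not the author's script. It assumes the Facebook id is stored as user meta under the key facebook_id (the key name is an assumption), that the function receives the id and email obtained from the token exchange, and, for the hardest case, it retires the conflicting account with the random-address trick described above instead of merging. The function and helper names are hypothetical.

```php
<?php
// Added example, not the author's script. Maps the (id, email) pair returned by
// Facebook to a WordPress user id, following the cases discussed in the text.
// Assumption: the Facebook id is stored as user meta under the key 'facebook_id'.

// Look up a user by stored Facebook id; returns 0 when none is found.
function fbconnect_find_user_by_facebook_id($fb_id) {
    $ids = get_users(array(
        'meta_key'   => 'facebook_id',
        'meta_value' => $fb_id,
        'number'     => 1,
        'fields'     => 'ID',
    ));
    return $ids ? (int) $ids[0] : 0;
}

// Retire a conflicting account: random unusable email and random password, so
// nobody (including whoever knew the old password) can log in with it again.
// The @fake.tld suffix makes these accounts easy to find later.
function fbconnect_retire_user($user_id) {
    return wp_update_user(array(
        'ID'         => $user_id,
        'user_email' => bin2hex(openssl_random_pseudo_bytes(8)) . '@fake.tld',
        'user_pass'  => wp_generate_password(32, true, true),
    ));
}

function fbconnect_find_or_create_user($fb_id, $email) {
    $by_id       = fbconnect_find_user_by_facebook_id($fb_id);
    $by_email    = $email ? get_user_by('email', $email) : false;
    $by_email_id = $by_email ? (int) $by_email->ID : 0;

    // Case 1: known Facebook id and the email is free or already his own.
    // The data from Facebook is the most recent, so refresh the stored email.
    if ($by_id && (!$by_email_id || $by_email_id === $by_id)) {
        if ($email && $by_email_id !== $by_id) {
            wp_update_user(array('ID' => $by_id, 'user_email' => $email));
        }
        return $by_id;
    }

    // Case 3: known Facebook id, but his new email belongs to another account.
    // Keep the Facebook-linked account and retire the other one first; WordPress
    // refuses to set an email that another user already has.
    if ($by_id && $by_email_id) {
        fbconnect_retire_user($by_email_id);
        $result = wp_update_user(array('ID' => $by_id, 'user_email' => $email));
        if (is_wp_error($result)) {
            wp_die($result->get_error_message());
        }
        return $by_id;
    }

    // Case 2a: unknown Facebook id, but the email is already registered. Only the
    // email owner could have used that account, so attach the Facebook id to it.
    if ($by_email_id) {
        update_user_meta($by_email_id, 'facebook_id', $fb_id);
        return $by_email_id;
    }

    // Case 2b: nothing known, create the user. The login is derived from the id
    // to avoid collisions; the password is random and never shown, because this
    // user logs in through Facebook.
    $login = 'fb_' . $fb_id;
    if (username_exists($login)) {
        $login .= '_' . wp_rand(1000, 9999);
    }
    $user_id = wp_insert_user(array(
        'user_login' => $login,
        'user_pass'  => wp_generate_password(32, true, true),
        'user_email' => $email,
        'role'       => 'subscriber',
    ));
    if (is_wp_error($user_id)) {
        wp_die($user_id->get_error_message());
    }
    update_user_meta($user_id, 'facebook_id', $fb_id);
    return (int) $user_id;
}
```

The order of the checks is what matters: the Facebook id lookup always wins over the email lookup, because the id is immutable while the email can change, and in case 3 the conflicting account must be retired before the email is moved, since wp_update_user() returns an error if the new address is already taken by another user. If Facebook returned no email, only the id-based paths run and a new user is created without an address.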