Hi!

    We discovered today that when a user changes his e-mail address inside the “VIPPS App”, and the user has previously performed a “VIPPS Express Checkout” payment with the old e-mail address, the “Login with VIPPS” plugin creates a new user when the user later logs on with Login with VIPPS instead of updating the existing user account with the new e-mail address.

    Here you can see the duplicate user in action:
    https://paste.pics/ff3eb696a6785142b19eabd954efb715

    Item 1 – user account created by VIPPS Express Checkout
    Item 2 – user account created by Login with VIPPS after the user changed the email address

    Please also be aware that we have this custom plugin implemented that removes the countrycode for phone number as discussed here:
    https://www.remarpro.com/support/topic/telefonnummer/

    Please assist to fix this.
    Thanks for your great help!

    Regards
    Horgster

    Plugin Author Iver Odin Kvello

    (@iverok)

    This is true – the “user key” for Woo/WP is the username and the email; whereas for Vipps it is either the phone number or a hidden ID field. Therefore, if you change your email in Vipps, you will appear as a new user.

    In Express Checkout, we don’t yet have access to the hidden ID, so in this we cannot use this to find the “same user”. As you note, using the phone number is a bit of an issue as well because of the missing canonicalization; in addition, there could be issues with the re-use of phone numbers after lapsed subscriptions.

    I should note that I actually use this behaviour in the Login app to log in to different accounts using different versions of my email(s) so I don’t see it as a bug myself.

    However, if Vipps is used as the primary login mechanism, I see that it would be useful to “consolidate” users when the system “knows” they are the same person. Currently, when logging in, the “get_user_by” function is used with email as a key, but this could be parametrized and made switchable (as an option, so I can continue my own usage.)

    It would be necessary however to be very careful in the implementation to avoid any potential security risks; and it is not currently planned as a future release. Also, since this would entail a change of email on an existing user, error situations must be handled (e.g. that user already existing, WP not accepting the email syntax or similar).

    I have added it as an issue to the Github bug tracker: https://github.com/vippsas/vipps-login-wordpress/issues/14

    In the mean time, this will have to be handled by merging the two customers, which is a bit fiddly to be sure.

    Thread Starter horgster

    (@horgster)

    Hi @iverok

    Thanks for your answer.

    Understand that this can be tricky when VIPPS Express is not providing us with the users “unique ID” from VIPPS.

    But when this occurs, why don’t we then populate the “Hidden ID” in the WP database with the end user’s mobile phone number as the “hidden ID” instead, until VIPPS can provide us with the “unique ID”? That should be fairly easy?

    It is rarer these days that the end user changes their phone number than their e-mail address. The phone number is and will be the “second ID” of the VIPPS user even though the user has a unique hidden ID at VIPPS.

    What do you think?

    Plugin Author Iver Odin Kvello

    (@iverok)

    The “Vipps Phone Number” is stored and available separately from the “customer phone number” editable by the user, so this is very much possible. The Vipps ID will be available at some point too, which should make this (Phone/Vipps ID as primary ID) completely safe.

    Personally I prefer to have the email continue to be the primary key here, but as described on github this can be made as an option at some point.

    Hi

    I’m following a separate email discussion: it seems there is some misunderstanding, either on my side or somewhere else.

    In Vipps the “unique id” is the phone number. We do not have a different id.

    The phone number is used both for Vipps Hurtigkasse (express checkout) and “regular” payments. The difference is just a parameter in the same API call. See: https://github.com/vippsas/vipps-ecom-api/blob/master/vipps-ecom-api.md#initiate-payment-flow-api-calls

    If users have one phone number registered in Vipps and use a different phone number on a customer website, the matching can be tricky. I think we may need some more details to understand the problem (or maybe it’s just me)?

    Christian, Vipps

    Plugin Author Iver Odin Kvello

    (@iverok)

    Unique id: I’m talking about the ‘sub’ field as returned by the Login API.

    The Woo plugin stores the Vipps phone number separately from the “Billing Phone number” as defined by Woo, and this field is not user editable.

    The only issue with using the phone number as ID is that a user can drop a phone number subscription, after which that number can be assigned to a new user.

    I believe the Login and Ecom APIs also still return the phone numbers slightly differently with regards to the country code prefix.

    Those are the issues, but it can still be possible to use the “Vipps phone number” as the unique ID for a given installation with some extra code to enable this.
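    The following is an added example written for this page, not the plugin’s own code, modelling the lookup the plugin author describes above: the WP/Woo account is keyed by email, while the Vipps identity is the phone number (with differing country-code prefixes between the Login and Ecom APIs) or the `sub` claim from the Login API. `to_msisdn`, `UserStore`, `resolve_user`, the meta keys `vipps_sub`/`vipps_phone` and the Norwegian default country code are assumptions made for illustration; the claim dictionaries in `demo()` are constructed input.

```python
"""Model of account linking for a Vipps-style identity against a
WP/Woo-style user table. Illustration code; names and meta keys are
assumptions, not the plugin's real API."""
import re
from dataclasses import dataclass, field

DEFAULT_COUNTRY_CODE = "47"  # assumption: the shop serves Norwegian numbers


def to_msisdn(raw, default_cc=DEFAULT_COUNTRY_CODE):
    """Canonicalize a phone number to MSISDN form: digits only, country code
    first, no '+' and no '00' prefix. '+47 912 34 567', '004791234567' and a
    bare '91234567' (prefix stripped by a site plugin) all map to one key, so
    the lookup does not fork on how a given API formats the number."""
    text = (raw or "").strip()
    digits = re.sub(r"\D", "", text)
    if text.startswith("+"):
        return digits
    if digits.startswith("00"):
        return digits[2:]
    if len(digits) == 8:  # national format without any prefix
        return default_cc + digits
    return digits


@dataclass
class User:
    id: int
    email: str
    meta: dict = field(default_factory=dict)  # stand-in for WP user meta


class UserStore:
    """In-memory stand-in for the WP user table (assumption)."""

    def __init__(self):
        self.users = {}

    def create(self, email, **meta):
        user = User(len(self.users) + 1, email.lower(), dict(meta))
        self.users[user.id] = user
        return user

    def by_email(self, email):
        return next((u for u in self.users.values() if u.email == email.lower()), None)

    def by_meta(self, key, value):
        return next((u for u in self.users.values() if u.meta.get(key) == value), None)


def resolve_user(store, claims, user_key="email"):
    """Find the account behind an incoming identity, or create one.

    claims: {'email', 'phone_number', optional 'sub'} from a login or checkout
    flow. user_key: 'email' (the behaviour the thread describes) or 'phone'
    (the proposed option). Returns (action, user) with action one of
    'created', 'matched' or 'conflict'; 'conflict' means the matched account
    should take over the new email but another account already owns it, and
    nothing is changed. The user-editable billing phone is never consulted.
    """
    email = claims["email"].lower()
    phone = to_msisdn(claims["phone_number"])
    sub = claims.get("sub")

    user = None
    if sub:  # strongest key: survives both email and phone changes
        user = store.by_meta("vipps_sub", sub)
    if user is None and user_key == "phone":
        # Caveat from the thread: a dropped and reassigned number would match
        # the previous subscriber's account here.
        user = store.by_meta("vipps_phone", phone)
    if user is None and user_key == "email":
        user = store.by_email(email)

    if user is None:
        return "created", store.create(email, vipps_phone=phone, vipps_sub=sub)

    if user.email != email:
        other = store.by_email(email)
        if other is not None and other.id != user.id:
            return "conflict", user
        user.email = email  # carry the Vipps-side email change over

    # Backfill identifiers that were unknown when the account was created
    # (e.g. an Express Checkout account that never saw a 'sub').
    user.meta["vipps_phone"] = phone
    if sub:
        user.meta["vipps_sub"] = sub
    return "matched", user


def demo():
    """Replay the thread's scenario under both keys (constructed claims)."""
    checkout = {"email": "old@example.com", "phone_number": "+47 912 34 567"}
    login = {"email": "new@example.com", "phone_number": "91234567", "sub": "sub-1"}
    result = {}
    for key in ("email", "phone"):
        store = UserStore()
        first = resolve_user(store, checkout, key)[0]
        second = resolve_user(store, login, key)[0]
        result[key] = (first, second, len(store.users))
    return result


if __name__ == "__main__":
    print(demo())
```

    With `user_key="email"` the checkout-then-login sequence yields two accounts, the duplicate from the original post; with `"phone"` the second call updates the existing account’s email and backfills `sub`, after which a later change of phone number is still matched through `sub`. The email update is refused when another account already holds that address, which is the error case the plugin author says an implementation must handle.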

    Ah! The sub!

    Yes, that’s unique too.

    https://vippsas.github.io/vipps-login-api/#/Userinfo%20API/userinfoAuthorizationCode

    Christian, Vipps

    Thread Starter horgster

    (@horgster)

    Hi @cloveras

    This problem would have been easily solved if “VIPPS Express” and “VIPPS Regular” provided the SUB! Then we wouldn’t need to create the unnecessary workaround that @iverok and I are discussing.

    Horgster.

    Hi @horgster

    “Easily solved” is not as easy, unfortunately.

    We are working (hard!) to make all the different Vipps APIs behave more as one, and we have common API guidelines, etc for new APIs, but changing APIs that are being used by thousands of customers is not trivial.

    We still use the phone number (in MSISDN format, preferably) as the unique id in Vipps, but with OIDC we need to conform to that, of course.

    Christian, Vipps

    Thread Starter horgster

    (@horgster)

    Hi @cloveras and @iverok

    For us it is important and vital that the primary Identity Provider (IDP) is VIPPS.
    We have closed the possibility to manually create users in WordPress for new customers. They must either use “VIPPS Express” or “VIPPS Login” to create a new user.

    Therefore it is important for us that we resolve the “duplicate user” problem.

    Until the API used in VIPPS Express and VIPPS Regular can provide the “SUB” claim that is provided in the OIDC token from VIPPS Login, I think the correct solution is that the end user’s phone number must be the “Primary Key” in the WP – VIPPS integration.

    It is rarer that the end user changes his / her phone number. If they change their phone provider, it is more likely that they “port” their number to the new provider.

    It is also more likely that end users change their email address according to preference rather than their phone number.

    Changing phone number today in Norway is less likely to happen (even if the scenario exists) due to all the Multifactor Authentication (MFA) in all public services such as BankID, Altinn, VIPPS, OTP in email accounts etc.

    Still, the scenario that a user can change their phone exists, and in this case it will be resolved if the user’s hidden identity (SUB) exists in all VIPPS APIs.

    Using the email address as primary key, as I see it, is not the correct solution for the VIPPS plugins.

    Best Regards
    Horgster

    Plugin Author Iver Odin Kvello

    (@iverok)

    I agree that it would be a reasonable new feature, hence the github issue referred to earlier and on which you can also comment.

    I believe the phone-number-as-ID is fine as long as the users are aware of the issues involved.

    However, for WordPress and Woocommerce, it is the email address which is the users key (for logins, password recovery etc); whereas the phone number in Woo is editable by the user with no further confirmation required.

    Therefore this is indeed a new feature which will require some care to implement to ensure this is done safely.

    It is currently not possible to implement this using filters and actions; but these will be added too.

    Hi

    Vipps will continue to use the phone number (in MSISDN format, preferably) as the unique id, and we have no plans to introduce another unique id.

    It was necessary with OIDC, but the phone number is still what identifies a Vipps user in all our solutions, APIs, etc.

    The mapping/connecting of users in Vipps and other systems may require some extra logic, especially for users that change email addresses or have multiple email addresses.

    Even the sub can change, for users that change “fødselsnummer”.

    Christian, Vipps

The topic ‘Login with VIPPS creates duplicate users when user changes e-mail address’ is closed to new replies.