• Resolved kmgreen

    (@kmgreen)


    Hello,
    Is it possible to switch from validating a user via email value to using the value in user_login column of the WP user table?

    We wish to link users from the WP site to a custom site we are writing. We started using the email value, but then I discovered that users can change their email addresses in WP. Since we were storing the email address in the custom system, this would break the link between the systems. However, since the WP login_name cannot be updated, this would make a much better link value, but I cannot figure out how to have Authorizer work with this value instead of email.

    If there is another solution I am unaware of please share if possible.
    Thanks for your attention to this request
    Kevin

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Paul Ryan

    (@figureone)

    Right now there’s no way to do this. It’s mostly a security issue–the back door into any WordPress account is the reset password link, which is sent to the email address associated with the account. This means that opening the door to linking external accounts on anything other than email runs the risk of account hijacking: if there’s accidental overlap between usernames on WordPress and on the external service, then a user can get logged into the wrong account, change the associated email, and take over the account.

    I’d be open to ideas on how to deal with this, but so far I haven’t been able to come up with a good method. Hope that helps!

    Thread Starter kmgreen

    (@kmgreen)

    Thanks for your reply. Perhaps ours is a special case, we have a closed system. We have a CAS server, a WP server, and various custom application servers. We control the CAS server and services supported (targeted sites/services). We are using the WP server as the authentication repository. (I don’t know if that is the correct term) What I mean is, the CAS server looks up users trying to access our servers/services against the WP database. Plus we turned off regular WP logins via Authorizer so a user must create a WP account prior to being able to obtain access to any of our other custom application servers/services via our CAS server. We have no plans to support any outside systems with our CAS server.
    We are using Authorizer to handle access to the WP site from CAS and we are using the user’s email address in our custom applications for identification of the users there. Then I discovered that WP users can change their email addresses (I am new to WP) which made our approach a house of cards. If a user changes their email in WP, the linkage to our other systems fails. I investigated WP for a setting which would disallow email updates but that doesn’t make sense because it happens in the real world – (name change, service change, …) Plus being new at WP I wish to keep my instance as vanilla as possible. At this time I learned that WP users cannot change their user names and asked this question.
    My thinking is user name or email address, it is just a string which must be unique to identify a user. I hope this provides better context for my request.
    I believe I understand the security issue you describe in your reply. But since we would be using the WP user names in our “external” systems which WP guarantees to be unique and I believe our CAS server is configured to only go to our sites/services; that issue may be moot. There will be no accidental overlap, it is a deliberate equality we wish to maintain. Anyhow it is hard to say if this use case is widespread (somehow I doubt it) or how hard it would be to point Authorizer at user name instead of email but unless you ask the question… You know. Thanks again for your attention – Regards Kevin

  • The topic ‘Use Login Name instead of Email value’ is closed to new replies.
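
The trade-off discussed in this thread, as an added example that is not part of the original posts and is not Authorizer's code: matching on email loses the link when an address changes, while matching on login can place a different person in an existing account. The `Account` type, the `link` helper, the `audit_login_overlap` check and all sample accounts are hypothetical and constructed for illustration.

```python
# Added illustration; every account below is constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    login: str  # fixed username (the WP user_login column)
    email: str  # user-editable; password-reset links go here

# Constructed WordPress user table.
WP_USERS = [
    Account("jsmith", "jane.smith@example.org"),
    Account("kgreen", "kevin@example.org"),
    Account("adavis", "amy.davis@example.org"),
]
# Constructed identities as an external service (e.g. CAS) would present them.
EXTERNAL = [
    Account("jsmith", "john.smith@example.net"),  # same login, different person
    Account("kgreen", "kevin@example.org"),       # same person, nothing changed
    Account("adavis", "amy.new@example.org"),     # same person, email changed
]

def norm(value):
    return value.strip().lower()

def link(ext, users, key):
    """Return the WP account `ext` would be signed into when matching on `key`."""
    for user in users:
        if norm(getattr(user, key)) == norm(getattr(ext, key)):
            return user
    return None

def audit_login_overlap(external, users):
    """List logins found on both sides whose emails disagree. The match alone
    cannot tell a name collision from a changed address, so each entry needs
    manual review before login-based linking is trusted."""
    flagged = []
    for ext in external:
        user = link(ext, users, "login")
        if user is not None and norm(user.email) != norm(ext.email):
            flagged.append((ext.login, ext.email, user.email))
    return flagged
```

Running the audit against both user stores before switching the link key shows whether the "deliberate equality" of usernames actually holds for every account.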