
Social Login for Magento 2 — Secure One-Click Sign-In
Social Login lets customers sign in to your Magento 2 store with one click using Google, Facebook, Apple, X (Twitter), LinkedIn, GitHub or Amazon — no new password to invent or forget. It is built security-first: one-time CSRF state nonces, accounts only linked when the provider confirms the em…
The fastest checkout is the one with no password to remember
A surprising share of abandoned carts come down to one thing: account friction. The shopper is ready to buy, hits "create account", and stalls at inventing yet another password. Social Login removes that wall — one tap signs them in with an account they already have and trust. But sign-in is also where stores get breached, so this module is built security-first: it won't hand someone another customer's account just because they typed the right email. It checks, verifies, and protects every step.
What you'll use it for
- Cut account friction — let buyers skip the password step and check out with an identity they already use.
- Lift registrations — more shoppers create an account when it's one tap, which means more repeat customers and marketing reach.
- Offer the right buttons — show Apple to iOS-heavy audiences, LinkedIn for B2B, and Google and Facebook for everyone.
- Sign in on a headless store — give a decoupled Astro front end the same one-click login without weakening security.
How a secure sign-in flows
The providers, built in
Enable any combination, set each one's client ID and secret, and order the buttons how you like. First-time sign-in creates the Magento customer account automatically (you can require a real email and send a fallback password), and logged-in customers can link or unlink providers from their account area.
Security built in, not bolted on
This is where sign-in modules usually get it wrong — and where this one is careful. Every login uses a one-time CSRF state nonce bound to the session, so an intercepted link can't be replayed. An account is only ever linked to a social identity when the provider confirms the email is verified — closing the classic account-takeover hole where someone signs up with your email at a provider that never checked it. Client secrets are stored encrypted, the headless token flow only redirects to URLs on your allow-list, and the public provider query returns client IDs only — never a secret.
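The three checks described in this section can be shown in a few dozen lines of plain PHP. The class below is an added illustration written for this page, not the module's own code: `SocialLoginGuard`, its method names, the five-minute state lifetime and the sample allow-list URL are all assumptions, and the session is a plain in-memory array standing in for the real customer session. It shows a one-time state nonce that is deleted on first use so a replayed callback fails, an `email_verified` gate that treats a missing claim as unverified, and an exact-match redirect allow-list.

```php
<?php
declare(strict_types=1);

// Added illustration, not the module's code. Hypothetical helper showing the
// checks a secure social sign-in needs: a one-time CSRF state nonce bound to
// the session, an email_verified gate before an account is linked, and an
// exact-match redirect-URI allow-list for the headless flow.
final class SocialLoginGuard
{
    // Assumed lifetime for an outstanding authorization request.
    private const STATE_TTL_SECONDS = 300;

    /** @var array<string, array{provider:string, expires:int}> stand-in for session storage, keyed by state */
    private array $session = [];

    /** @var string[] configured redirect allow-list (constructed values) */
    private array $allowedRedirects;

    public function __construct(array $allowedRedirects)
    {
        $this->allowedRedirects = $allowedRedirects;
    }

    // Issue a fresh random state for the authorization request and remember it
    // in the session, so only the browser that started the flow can finish it.
    public function issueState(string $provider): string
    {
        $state = bin2hex(random_bytes(32));
        $this->session[$state] = [
            'provider' => $provider,
            'expires'  => time() + self::STATE_TTL_SECONDS,
        ];
        return $state;
    }

    // Consume the state on callback: it must exist, match the provider and be
    // unexpired. It is removed before any check, so a replayed link fails the
    // second time whether or not the first attempt succeeded.
    public function consumeState(string $state, string $provider): bool
    {
        $entry = $this->session[$state] ?? null;
        unset($this->session[$state]);
        if ($entry === null || $entry['expires'] < time()) {
            return false;
        }
        return $entry['provider'] === $provider;
    }

    // Link by email only when the provider explicitly asserts the address is
    // verified. A missing claim counts as unverified: some providers omit the
    // field rather than set it to false, and "absent" must not mean "yes".
    public function mayLinkByEmail(array $providerProfile): bool
    {
        $verified = ($providerProfile['email_verified'] ?? false) === true;
        $email    = (string) ($providerProfile['email'] ?? '');
        return $verified && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
    }

    // Exact-match allow-list for the post-login redirect: no prefix or pattern
    // matching, so a URI that merely starts with an allowed value is refused.
    public function isAllowedRedirect(string $uri): bool
    {
        return in_array($uri, $this->allowedRedirects, true);
    }
}

// Usage with constructed values: a valid first callback, a replay of the same
// state, a profile with no verified claim, and a look-alike redirect.
$guard = new SocialLoginGuard(['https://shop.example/social/callback']);
$state = $guard->issueState('google');
$first  = $guard->consumeState($state, 'google');
$replay = $guard->consumeState($state, 'google');
$link   = $guard->mayLinkByEmail(['email' => 'shopper@example.com']);
$redir  = $guard->isAllowedRedirect('https://shop.example/social/callback.evil.test');
var_dump($first, $replay, $link, $redir);
```

The order inside `consumeState` matters: the nonce is removed from the session before the expiry and provider checks run, so a failed attempt cannot be retried with a different provider name, and the expiry keeps abandoned nonces from accumulating as usable tokens. The allow-list uses strict `in_array`, not `str_starts_with` or a regex, which is what keeps a crafted suffix or subdomain from passing.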
Specifications
| Feature | Details |
|---|---|
| Providers | Google, Facebook, Apple, X (Twitter), LinkedIn, GitHub, Amazon |
| Accounts | Auto-create on first sign-in; link/unlink from the customer account; optional require-real-email and fallback password |
| CSRF protection | One-time state nonce bound to the session, required on token exchange |
| Anti-takeover | Links only when the provider reports the email as verified |
| Secrets | Client secrets stored encrypted; public query exposes client IDs only |
| Headless | GraphQL state, providers, exchange-token, link and unlink; redirect-URI allow-list and storefront callback |
| Buttons | Per-provider enable and sort order |
| Delivery & licence | Composer install, per-domain licence key, updates via Composer |
Works with
Part of the AgenticEcom suite for Sales, Customers & Marketing:
Pairs with Social Share for a complete social layer and GDPR Pro for consent. Included in the Growth and Enterprise bundles.
Frequently asked questions
Which providers can customers sign in with?
Google, Facebook, Apple, X (Twitter), LinkedIn, GitHub and Amazon. Enable any combination, and order the buttons to suit your audience.
Could someone hijack an account by signing in with another person's email?
No. The module only links a social identity to a Magento account when the provider confirms the email address is verified, which closes the common account-takeover route. Every sign-in also carries a one-time CSRF state nonce that can't be replayed.
Does it create an account automatically?
Yes. The first time someone signs in with a provider, their Magento customer account is created. You can require a real email and send them a fallback password, and existing customers can link a provider to their current account.
Does it work with a headless Astro storefront?
Yes. A GraphQL flow issues a state nonce, returns enabled providers and client IDs, and exchanges the OAuth code for a customer token — only redirecting to URLs on your configured allow-list.
Which Magento and PHP versions are supported?
Magento Open Source 2.4.9 and later 2.4.x, verified on PHP 8.4 and 8.5.

