Adding Social Login to Shopify

I wish to add Social Login feature to a Shopify store that I am building. (I'm using the professional plan.)

I explored a few of the available social-login apps on the Shopify App Store. Upon studying closely as to how they actually work - I have come to the following understanding of the general scheme being followed by all of them.

  1. The Shopify shop owner sets up a social app (e.g. Facebook app) with their store identity, but configures the Callback-URL/Redirect-URL to one supplied by the App author (i.e. pointing to their infrastructure).
  2. Upon successful login by a shop customer on the social platform (via a link/button inserted on the shop login page), the request gets redirected to the App.
  3. The App retrieves the user's email address from their social profile (that they now have access to).
  4. They then look up their own database to see if this is an existing customer. If so they go directly to step 7 below.
  5. If it's a new customer, they use Shopify API to create a new 'customer' on the target Shopify store. They set the customer up with a randomly generated password.
  6. At the same time they also make an entry of this customer account (email + generated password) in their own database.
  7. They then redirect the request back to the Shopify store's login page but this time with the customer's email address (retrieved from social platform) and their password (from the App's own database) included as part of the data that comes back to the user's browser as part of loading the login page.
  8. Then the App's JavaScript embedded on the shop login page uses the customer email address and password to programmatically submit the login form - thus establishing a valid customer session on the Shopify shop.

My questions are as follows:

  1. Has someone else also looked closely into this, and thus can validate if my above understanding is correct or not?
  2. If it is correct - is this the only way to achieve social login on Shopify (without using Shopify Plus/Enterprise plan)?

I am trying to understand if this indeed is the only way, because I strongly feel that this method is not at all secure. And thus I'd rather not use this method; or if I just have to - then I'd rather write my own (private) app for this so that at least I am in control of the security of the app/database that holds sensitive user credentials.

Would appreciate any help/thoughts I can get with this, please.

journeymanavi asked Sep 14 '15 12:09


1 Answer

If you are rolling your own you probably want to look at Multipass. It would be the thing to use if you can set up another web service that handles the trusted partner registration process.

bknights answered Oct 11 '22 14:10