Hi,

I want to replace the nopCommerce login with our own SSO solution using IdentityServer. It looks rather easy to create my own plugin containing my own login logic, like the ExternalAuth.Facebook plugin does. I have 2 concerns though:
1. Is there a way to completely disable the built-in nopCommerce login mechanism (login page + login controller) and force the use of our own login logic? I've read that it is possible to create a custom theme to hide specific pages, but I want to make sure users can only log in using our SSO solution.
2. The Facebook plugin calls ExternalAuthorizer.Authorize(), which generates a new password and stores it in the database in plaintext (see https://www.nopcommerce.com/boards/t/29792/external-authentication-auto-register-password-not-encrypted.aspx). This means that when you enable Facebook login on your page, and your database leaks, the login credentials of users that logged in using Facebook can be misused. If the nopCommerce login cannot be completely disabled, I think this is a major security risk.

Please let me know your thoughts,

Kind regards,
Joost