Sign in with Telegram
| 开发者 |
automattic
gmjuhasz manzoorwanijk |
|---|---|
| 更新时间 | 2026年6月2日 17:13 |
| PHP版本: | 8.1 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
详情介绍:
- "Sign in with Telegram" button on the standard
wp-login.phpscreen, as a[telegram_signin_button]shortcode anywhere on your site, or as a Block Editor block. - Account linking from the user profile screen — existing WordPress users can connect or disconnect their Telegram account.
- Profile sync — display name and avatar from the user's Telegram profile flow through to the WordPress profile automatically.
- No automatic account merging — a Telegram identity can only attach to an existing WordPress user through an explicit click-to-link action from a logged-in session, so a stranger who happens to share an email address can never take over an account.
- Secure by default — uses the same kind of modern, signed redirect flow that "Sign in with Google" and "Sign in with Apple" use. No shared bot-token secret on your server, no manual key rotation.
- Settings page in wp-admin where you paste the bot's Client ID + Client Secret, pick the default role for new users, and optionally collect the visitor's verified phone number or request permission for your bot to message them directly.
- Browsers with strict third-party-script blocking — Brave with default shields, Firefox Enhanced Tracking Protection on Strict, Safari Lockdown Mode, uBlock Origin filter lists — frequently block the embedded script outright, so the button never renders and visitors have no way to start the flow.
- The widget's authentication hash is an HMAC-SHA256 over your bot token, so anyone who wants to verify a login has to hold a copy of that secret. There's no standard JWT / JWKS story to lean on.
- Key rotation is manual — changing the HMAC key means rotating the bot token in BotFather and updating it on every server that verifies logins.
id_token. No third-party scripts on your pages, no shared bot-token secret with verifiers, automatic key rotation via JWKS. It behaves the same regardless of how privacy-locked-down the visitor's browser is.
安装:
- Install and activate the plugin.
- Open @BotFather in Telegram and launch its mini app from the attachment menu (the paperclip icon in the chat).
- Pick your bot under My bots, then open Login widget. If your bot is still on the legacy widget, click Switch to OpenID Connect Login and confirm.
- Register the callback URL under Redirect URIs —
https://yoursite.com/wp-login.php?action=telegram_signin_callback— and add the matching site origin (https://yoursite.com) to Trusted Origins. HTTPS is required. - Copy the Client ID and Client Secret that BotFather shows you and paste them into Settings → Sign in with Telegram in wp-admin.
- Optionally drop the Telegram Login Button block on your homepage, or add the
[telegram_signin_button]shortcode anywhere you want a sign-in button.
屏幕截图:
常见问题:
Where do I get the Client ID and Client Secret?
Open @BotFather in Telegram and launch its mini app from the attachment menu. Pick your bot under My bots, go to Login widget, and if you haven't already, click Switch to OpenID Connect Login and confirm. BotFather then shows the Client ID and Client Secret and lets you register the Redirect URIs and Trusted Origins your site will use. The Client Secret is not the bot token — they're different values, and the settings page warns you if you paste the wrong one.
Do my visitors need to install anything?
No. Telegram's OpenID Connect provider works through a normal browser redirect — visitors are sent to Telegram's login page, approve the sign-in, and land back on your site. They don't need the Telegram desktop / mobile app open or any browser extension.
Will it work in browsers with strict privacy or tracker blocking?
Yes. The plugin doesn't load any third-party scripts on your pages. Sign-in happens through a server-side redirect, the same way "Sign in with Google" or other OpenID Connect integrations do. Browsers that block telegram.org's Login Widget script (Brave on default shields, Firefox ETP on Strict, Safari with Lockdown Mode, etc.) handle this flow fine.
How does this handle email addresses?
Telegram's OIDC provider doesn't supply an email claim, so the plugin creates new users without an email by default. Settings let you instead require a synthetic placeholder email (so password recovery still nominally works), or block sign-ups entirely and only allow existing WordPress users to connect their Telegram account from the profile screen.
Is my visitor's password ever sent to Telegram?
No. The plugin doesn't touch WordPress passwords. Sign-in happens entirely through Telegram's authentication system; your WordPress site receives a signed token verifying that the user is who they say they are.
Where can I find the source code?
The plugin is developed in the open at github.com/Automattic/sign-in-with-telegram. The repository contains the full TypeScript source for the React-based settings UI and the Block Editor block, the build tooling (npm scripts driving @wordpress/build), and the test suite. Issues and pull requests are welcome.
Where is the user's phone number stored?
When the phone scope is granted, Telegram returns the phone number as a claim in the signed id_token. The plugin stores that value in its own usermeta key — telegram_signin_phone. Read the verified value via Automattic\Telegram\SignIn\Phone::for_user( $user_id ), and hook the telegram_signin_phone filter to redact or normalize it. Site authors on WooCommerce can surface the verified value as the customer's billing phone by hooking woocommerce_customer_get_billing_phone.
更新日志:
- Ship block.json so the editor block registers on wp.org installs.