=== Social Login (Google OAuth) ===
Contributors: snehalpancholi
Tags: google login, social login, oauth, google sign in, login
Requires at least: 6.0
Tested up to: 6.7
Requires PHP: 8.1
Stable tag: 1.0.0
License: GPL-2.0+
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Allow login and registration via Google OAuth 2.0 with account linking and configurable role assignment.

== Description ==

Social Login (Google OAuth) implements the full Google OAuth 2.0 authorisation code flow — entirely server-side — using `wp_remote_post` and `wp_remote_get`. No external PHP libraries are required.

**Security highlights:**

* State parameter with a nonce and transient to prevent CSRF
* All tokens handled server-side — never exposed in the browser
* Account creation validates the email verification flag returned by Google
* HTTPS-only token exchange endpoints
* All user input sanitised and escaped
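
The state and email-verification checks listed above can be sketched as follows; this is an added example, not the plugin's own code. The `example_*` names, the transient prefix, the binding cookie and the requested scopes are assumptions, since this readme does not say how the plugin ties the state to the visitor's browser.

```php
<?php
// Added example, not the plugin's source. The example_* function names, the
// transient prefix, the cookie name and the scope list are hypothetical.

// Before redirecting to Google: mint a single-use state and tie it to this browser.
function example_slo_auth_url( string $client_id, string $redirect_uri ): string {
	$state = wp_generate_password( 40, false ); // random, URL-safe characters
	$bind  = wp_generate_password( 40, false ); // held only in this browser's cookie
	setcookie( 'example_slo_bind', $bind, array(
		'expires'  => time() + 10 * MINUTE_IN_SECONDS,
		'path'     => '/',
		'secure'   => true,
		'httponly' => true,
		'samesite' => 'Lax', // still sent on the top-level redirect back from Google
	) );
	// The transient maps state -> hash of the cookie value and expires on its own.
	set_transient( 'example_slo_' . hash( 'sha256', $state ), hash( 'sha256', $bind ), 10 * MINUTE_IN_SECONDS );

	return 'https://accounts.google.com/o/oauth2/v2/auth?' . http_build_query( array(
		'client_id'     => $client_id,
		'redirect_uri'  => $redirect_uri,
		'response_type' => 'code',
		'scope'         => 'openid email profile', // assumed scopes
		'state'         => $state,
	), '', '&' );
}

// On the callback: reject before the code is exchanged unless state is known,
// unexpired, unused, and was issued to the browser presenting it.
function example_slo_state_is_valid(): bool {
	$state = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
	$bind  = isset( $_COOKIE['example_slo_bind'] ) ? sanitize_text_field( wp_unslash( $_COOKIE['example_slo_bind'] ) ) : '';
	$key   = 'example_slo_' . hash( 'sha256', $state );
	$saved = get_transient( $key );
	delete_transient( $key ); // single use, whether or not the check passes
	return '' !== $state && is_string( $saved ) && hash_equals( $saved, hash( 'sha256', $bind ) );
}

// Before creating or linking an account: require a Google ID and a verified email.
function example_slo_profile_is_usable( array $profile ): bool {
	$verified = $profile['email_verified'] ?? false; // boolean, or the string "true"
	return ! empty( $profile['sub'] )
		&& false !== is_email( (string) ( $profile['email'] ?? '' ) )
		&& ( true === $verified || 'true' === $verified );
}
```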

**Features:**

* "Continue with Google" button on the WordPress login and registration forms
* `[google_login]` shortcode for embedding the button anywhere
* Links Google identity to existing WP users by email (configurable)
* Creates a new WP user with configurable default role on first sign-in
* Custom redirect URL after successful login
* User profile screen shows Google account link status
* Dark mode compatible button style

== Installation ==

1. Upload `social-login-oauth` to `/wp-content/plugins/`
2. Activate through **Plugins > Installed Plugins**
3. Go to **Google Cloud Console** → **APIs & Services** → **Credentials** → **Create OAuth 2.0 Client ID** (Web application type)
4. Under **Authorised Redirect URIs**, add the URI shown in **Settings > Google Login**
5. Copy the Client ID and Client Secret into **Settings > Google Login**
6. Save and test by logging out and clicking **Continue with Google**

== Frequently Asked Questions ==

= What redirect URI should I add in Google Cloud Console? =
The exact URI is shown in the plugin settings page. It looks like `https://yoursite.com/?addlc_slo_callback=google`.

= Does this work on multisite? =
Yes, but the OAuth client in Google Cloud Console must list the redirect URI for each subsite separately.

= What happens if a user with the same email already exists? =
With "Link to Existing Account" enabled (default), the plugin logs them in and stores the Google ID for future logins. With it disabled, a new account is created only if the email doesn't already exist.

= Is the access token stored? =
No. Only the Google user ID (sub) and optional avatar URL are stored in user meta. Access tokens are discarded after fetching the profile.

== Changelog ==

= 1.0.0 =
* Initial release.

== Screenshots ==

1. "Continue with Google" button on the WordPress login form.
2. Settings page with Client ID, Client Secret, and redirect options.
3. User profile screen showing Google account linked status.
