This article reviews how B2B Commerce processes user and customer security. B2B Commerce uses Identity Server and the OWIN middleware to authenticate requests to the platform. This contains information that shows how the security architecture is applicable in varying scenarios such as site access and calls to the RESTful API's.
- Introduction to B2B Commerce Security
- External Authentication
Introduction to B2B Commerce Security
The Session service has a method called getAccessToken. This provides a bearer access token to use for future requests.
There is custom code in IDS that validates the username, password, and scope which cannot be overridden.
OWIN middleware sits in between the Optimizely API and IIS. It validates all the requests and it is using an Identity Server Token Authentication OWIN middleware that will look for this bearer token in the header and validate it. Once the calls go into IIS it will then process through the OWIN workflows. This is also where the cookie authentication middleware takes place.
Getting a Bearer Token
To get a bearer token in the angular application, call the getAccessToken method on insite.session.service.ts.
Sending Bearer Tokens
Once a token has been given to the client, it is sent with every request to the website. This bearer token is attached to the request by an interceptor. The code that does this can be found in insite.authenticationinterceptor.factory.ts.
Configuration of Appsettings
The following app setting have to be set in the appSettings.config file.
- IdentityServerUrl: The url of the identity server. This defaults to websiteurl/identity
- IdentityServerCertificatePassword: The password for the client certificate.
- IdentityServerSkipUrlValidation: This needs to be set to true if identityserver is disabled.
Identity server uses certificates to sign the authentication tokens. This certificate can be a self-signed certificate and should not be the certificate that's used for website SSL. The signing certificate is set on the IdentityServerOptions using the SigningCertificate property.
Below is a batch command to create a self-signed certificate. The -e parameter sets the expiration date for the certificate.
Once the certificate is installed the on the server, the Personal Information Exchange (.pfx) files has to be exported from the certificate store and stored at the @"~\App_Data\insiteidentity.pfx." Additional information on how to create certificates and export the Personal Information Exchange files can be found at the following link.
B2B Commerce supports Windows, Google, and Facebook login out of the box.
Facebook authentication is enabled by toggling the Allow Sign in with Facebook Account setting to show YES
The credentials to connect to Facebook are stored in the following settings:
- Facebook App ID
- Facebook App Secret
Google authentication is enabled by toggling the Allow Sign in with Google Account setting to show YES
The credentials to connect to Google are stored in the following settings:
- Google Client ID
- Google Client Secret
Windows authentication is enabled by toggling the Allow Sign in with Windows Account setting to show YES
Two additional toggle settings exist to control whether a Windows account can be used to log into the Storefront and/or the Admin Console:
- Use Windows Sign In on Storefront
- Use Windows Sign In on Admin Console
Use the Windows Metadata URL setting to store the address to retrieve WsFederation metadata.
Last updated: Dec 11, 2020