How to implement a guest customized commerce journey using Optimizely OpenIDConnect anonymous flow?


Hello, I am currently working on implementing a guest user journey using grant type anonymous flow. The guest user should be able to add items to his cart and checkout. However, I am facing an issue with the anonymous flow: every time I request an anonymous token using api/episerver/connect/token/anonymous, everything that has been created or added items to the cart with that token won't work on a new one.

I have noticed that my token only lasts for an hour and no refresh token is returned. Is there a way to be able to refresh this token or any way to keep the cart data if it expires?

I am open to any suggestions.

Thanks in advance.

               useDevelopmentCertificate: true,
               signingCertificate: null,
               encryptionCertificate: null,
               createSchema: true,
               options =>
               {
                   var application = new OpenIDConnectApplication()
                   {
                       ClientId = "postman-client",
                       ClientSecret = "postman",
                       Scopes = { /* ... */ }
                   };
                   application.RedirectUris.Add(new Uri(""));
                   options.AllowResourceOwnerPasswordFlow = true;
                   options.AllowAnonymousFlow = true;
Edited, Aug 20, 2023 12:11

You can pass it in anonymous_id in the URL and it will use that as the id when it gets to the token. You can store the anonymous_id in a cookie and resend it when you need to refresh.

Aug 21, 2023 16:20
Taher.elhares - Aug 22, 2023 6:59
Could you please elaborate on this with an example if possible?

Thanks in advance.
        import qs from "qs";

        // Request an anonymous token, passing a fixed anonymous_id so the same identity is reused
        const res = await fetch(`${Config.BASE_URL}api/episerver/connect/token/anonymous`, {
            method: 'POST',
            headers: {
                "Content-Type": "application/x-www-form-urlencoded",
            },
            body: qs.stringify({
                grant_type: "anonymous",
                client_id: "frontend",
                scope: "anonymous_id",
                anonymous_id: "4f6ba206-55df-4e0c-8e4e-6f4192631ee4"
            })
        });
        const data = await res.json();
Aug 22, 2023 14:31
Taher.elhares - Aug 23, 2023 6:45
Thanks, but could you please tell me how do I get the anonymous_id so that I could send it?
Mark Hall - Aug 23, 2023 23:13
You would need to create an identifier in your JavaScript application and store it in a cookie to be reused. You can create an ID in JS like so
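The approach described in the replies above (create the id client-side, keep it in a cookie, resend it on every token request), as an added example that is not part of the thread or any participant's code. The function names, the 30-day cookie lifetime and the UUID format check are assumptions; because the thread indicates the id alone selects the anonymous identity, it is generated with `crypto.randomUUID()` and the cookie is marked `Secure` and `SameSite=Lax`.

```javascript
// Added example. COOKIE_NAME, readCookie, getOrCreateAnonymousId and
// tokenRequestBody are hypothetical names; only the form fields come from the thread.
const COOKIE_NAME = "anonymous_id";
// Assumption: ids are version-4 UUIDs, like the sample value posted in the thread.
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Extract one cookie value from a document.cookie-style string, or null.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Reuse the stored id when it is a well-formed UUID, otherwise mint a new one
// from the platform CSPRNG. Returns the id and the cookie string to write
// (null when the existing cookie is kept). The generator is injectable for tests.
function getOrCreateAnonymousId(cookieString, randomUUID = () => crypto.randomUUID()) {
  const existing = readCookie(cookieString, COOKIE_NAME);
  if (existing && UUID_V4.test(existing)) return { id: existing, setCookie: null };
  const id = randomUUID();
  // Max-Age of 30 days is a constructed value; Secure keeps the id off plain HTTP.
  const setCookie = `${COOKIE_NAME}=${id}; Path=/; Max-Age=2592000; Secure; SameSite=Lax`;
  return { id, setCookie };
}

// Form body for POST api/episerver/connect/token/anonymous, fields as in the thread.
function tokenRequestBody(anonymousId, clientId = "frontend") {
  return new URLSearchParams({
    grant_type: "anonymous",
    client_id: clientId,
    scope: "anonymous_id",
    anonymous_id: anonymousId,
  }).toString();
}

// Browser usage:
//   const { id, setCookie } = getOrCreateAnonymousId(document.cookie);
//   if (setCookie) document.cookie = setCookie;
//   then POST tokenRequestBody(id) again whenever the one-hour token has expired.
```

A cookie written from script cannot be `HttpOnly`, so any script running on the page can read the id.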