Sitecore Experience Commerce

Bearer token authentication

Bearer token authentication is used for systems calling the Commerce Engine directly, without going through CE Connect. The caller must connect to the Sitecore Identity Server, using Sitecore credentials, to obtain a token. That token is used as an authorization bearer in request headers.

The URL of the Sitecore Identity Server must be specified in the Commerce Engine's config.json file, in the SitecoreIdentityServerUrl parameter.

The Sitecore Identity Server provides two endpoints for obtaining a token:

  • GetToken (http://{{SitecoreIdServerHost}}/connect/token):

    A silent mode that allows you to get a token without having to log in through the UI. Used by Postman, Console, and Deployment scripts.

  • Authorize (http://{{SitecoreIdServerHost}}/connect/authorize):

    Loads the Sitecore Identity Server login page. Once the user logs in successfully with Sitecore credentials, the user is returned to their website. Used by the Commerce Business Tools.

The identity of any system calling the Commerce Engine (e.g., Postman, Commerce Business Tools) must be stored in Sitecore Identity Server’s configuration file.

The following is a sample of the client configuration in the Sitecore Identity Server’s appSettings.json file for the Postman client:

"Clients": [
      {
        "ClientId": "postman-api",
        "ClientName": "Postman API",
        "AccessTokenType": 0,
        "AccessTokenLifetimeInSeconds": 3600,
        "IdentityTokenLifetimeInSeconds": 3600,
        "AllowAccessTokensViaBrowser": true,
        "RequireConsent": false,
        "RequireClientSecret": false,
        "AllowedGrantTypes": [
          "password"
        ],
        "RedirectUris": [
          "https://www.getpostman.com/oauth2/callback"
        ],
        "PostLogoutRedirectUris": [
          "https://www.getpostman.com"
        ],
        "AllowedCorsOrigins": [
          "https://www.getpostman.com"
        ],
        "AllowedScopes": [
          "openid",
          "dataEventRecords",
          "dataeventrecordsscope",
          "securedFiles",
          "securedfilesscope",
          "role",
          "EngineAPI",
          "postman_api"
        ]
      }
    ]

The following is a sample of the client configuration in the Sitecore Identity Server’s appSettings.json file for the Commerce Business Tools:

"Clients": [
      {
        "ClientId": "CommerceBusinessTools",
        "ClientName": "CommerceBusinessTools",
        "AccessTokenType": 0,
        "AccessTokenLifetimeInSeconds": 3600,
        "IdentityTokenLifetimeInSeconds": 3600,
        "AllowAccessTokensViaBrowser": true,
        "RequireConsent": false,
        "RequireClientSecret": false,
        "AllowedGrantTypes": [
          "implicit"
        ],
        "RedirectUris": [
          "http://localhost:4200",
          "http://localhost:4200/?"
        ],
        "PostLogoutRedirectUris": [
          "http://localhost:4200",
          "http://localhost:4200/?"
        ],
        "AllowedCorsOrigins": [
          "http://localhost:4200/",
          "http://localhost:4200"
        ],
        "AllowedScopes": [
          "openid",
          "dataEventRecords",
          "dataeventrecordsscope",
          "securedFiles",
          "securedfilesscope",
          "role",
          "EngineAPI"
        ]