Built-in authorization
Sitecore Marketplace apps use a special built-in authorization flow, different from the standard Sitecore authorization patterns. Your app uses built-in authorization if you decided not to use custom authorization.
When a Marketplace app makes a request to back-end services such as SitecoreAI APIs, a token exchange occurs. First, the request has the logged-in Sitecore user's token, which contains the user's information and permissions. Then, this token is replaced with a machine token, which has admin rights but does not contain the original user's information and permissions.
This means that the Marketplace app has the identity of the logged-in Sitecore user, but the back-end service doesn't. This has the following effects:
- The back-end service associates all actions performed with the Marketplace app, such as queries and mutations, with a generic Marketplace user, not with the logged-in Sitecore user. This affects, for example, Marketplace-related audit logs.
- Marketplace app users might be able to perform actions they don't have permission for otherwise. To avoid this, we recommend that you check user permissions directly in your Marketplace app's source code and only allow user actions based on those checks.
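One way to apply the recommended permission check, shown as an added example that is not Sitecore or Marketplace SDK code: every back-end call goes through a deny-by-default gate, and the app keeps its own audit record of the real user, because the back-end service only sees the generic Marketplace user. The `user` object shape, the role names, the action names and all function names are assumptions made for illustration.

```javascript
// Added example. All names are hypothetical; nothing here is a Sitecore API.
// Assumed: the app already knows the logged-in user's id and roles.

// Action -> roles allowed to perform it. A Map avoids prototype keys such as
// "constructor" being treated as configured actions.
const ACTION_ROLES = new Map([
  ["item.read", ["viewer", "editor", "admin"]],
  ["item.update", ["editor", "admin"]],
  ["item.delete", ["admin"]],
]);

// App-side audit trail (in memory here; use durable storage in a real app).
const auditLog = [];

// Deny by default: unknown action, missing user or malformed roles => false.
function isAllowed(user, action) {
  const allowedRoles = ACTION_ROLES.get(action);
  if (!allowedRoles || !user || !Array.isArray(user.roles)) return false;
  return user.roles.some((role) => allowedRoles.includes(role));
}

// Gate for every back-end call. `sendRequest` is the function that issues the
// query or mutation; it runs with the machine token, so the back end will not
// reject it on the user's behalf.
function performAction(user, action, sendRequest) {
  const userId = user?.id ?? "unknown";
  const allowed = isAllowed(user, action);
  // Record the real user, which the back-end audit log does not contain.
  auditLog.push({ at: new Date().toISOString(), userId, action, allowed });
  if (!allowed) {
    throw new Error(`Forbidden: user ${userId} may not perform ${action}`);
  }
  return sendRequest();
}
```

A check like this only works as a control when it runs in code the user cannot modify.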
Consider an example GraphQL query that retrieves the user's information:
This query doesn't return the information of the logged-in Sitecore user. Instead, it contains data for a generic Marketplace user: