Bearer token authentication

Sitecore uses bearer token authentication for all systems calling the Commerce Engine directly. The caller must connect to the Sitecore Identity server, using Sitecore credentials, to obtain a token. Known clients, such as Commerce Engine Connect, for example, must request a client token. Sitecore uses these authentication tokens as an authorization bearer in request headers.

You must specify the URL of the Sitecore Identity server in the Commerce Engine's config.json file, in the SitecoreIdentityServerUrl parameter.

The Sitecore Identity server provides the following two endpoints for obtaining a token:

  • GetToken (http://{{SitecoreIdentityServerHost}}/connect/token)

    A silent mode that allows you to get a token without having to log in through the UI. This is the used to authenticate requests in Postman, console, and deployment scripts.

  • Authorize (http://{{SitecoreIdentityServerHost}}/connect/authorize)

    Loads the Sitecore Identity login page. Once the user logs in successfully with Sitecore credentials, the user is returned to their website. This is how Sitecore XC Business Tools users are authenticated, for example.

The identity of any system calling the Commerce Engine (for example, Postman, Commerce Business Tools, or Commerce Engine Connect) must be stored in the Sitecore.Commerce.IdentityServer.Host.xml configuration file. The default location of the XML config file is C:\inetpub\wwwroot\<SXAStorefront-IdentityServer>\Config\production\Sitecore.Commerce.IdentityServer.Host.xml.

Configuration example for Postman client authentication

The following shows an example of the default client configuration in the Sitecore Identity server Sitecore.Commerce.IdentityServer.Host.xml file for the Postman client:

<PostmanClient>
    <ClientId>postman-api</ClientId>
    <ClientName>Postman API</ClientName>
    <AccessTokenType>0</AccessTokenType>
    <AllowOfflineAccess>true</AllowOfflineAccess>
    <AlwaysIncludeUserClaimsInIdToken>false</AlwaysIncludeUserClaimsInIdToken>
    <AccessTokenLifetimeInSeconds>3600</AccessTokenLifetimeInSeconds>
    <IdentityTokenLifetimeInSeconds>3600</IdentityTokenLifetimeInSeconds>
    <AllowAccessTokensViaBrowser>true</AllowAccessTokensViaBrowser>
    <RequireConsent>false</RequireConsent>
    <RequireClientSecret>false</RequireClientSecret>
    <AllowedGrantTypes>
      <AllowedGrantType1>password</AllowedGrantType1>
    </AllowedGrantTypes>
    <RedirectUris>
       <RedirectUri1>{AllowedCorsOrigin}/oauth2/callback</RedirectUri1>
    </RedirectUris>
    <PostLogoutRedirectUris>
       <PostLogoutRedirectUri1>{AllowedCorsOrigin}</PostLogoutRedirectUri1>
       </PostLogoutRedirectUris>
    <AllowedCorsOrigins>
        <AllowedCorsOrigins1>https://www.getpostman.com</AllowedCorsOrigins1>
     </AllowedCorsOrigins>
    <AllowedScopes>
        <AllowedScope1>openid</AllowedScope1>
        <AllowedScope2>EngineAPI</AllowedScope2>
        <AllowedScope3>postman_api</AllowedScope3>
        </AllowedScopes>
     <UpdateAccessTokenClaimsOnRefresh>true</UpdateAccessTokenClaimsOnRefresh>
 </PostmanClient>
    

Configuration example for Business Tools client authentication

The following shows an example of the client configuration in the Sitecore.Commerce.IdentityServer.Host.xml for the Sitecore XC Business Tools:

<Clients>
     <CommerceClient>
       <ClientId>CommerceBusinessTools</ClientId>
       <ClientName>CommerceBusinessTools</ClientName>
       <AccessTokenType>0</AccessTokenType>
       <AllowOfflineAccess>true</AllowOfflineAccess>
       <AlwaysIncludeUserClaimsInIdToken>false</AlwaysIncludeUserClaimsInIdToken>
       <AccessTokenLifetimeInSeconds>3600</AccessTokenLifetimeInSeconds>
       <IdentityTokenLifetimeInSeconds>3600</IdentityTokenLifetimeInSeconds>
       <AllowAccessTokensViaBrowser>true</AllowAccessTokensViaBrowser>
       <RequireConsent>false</RequireConsent>
       <RequireClientSecret>false</RequireClientSecret>
       <AllowedGrantTypes>
         <AllowedGrantType1>implicit</AllowedGrantType1>
       </AllowedGrantTypes>
       <RedirectUris>
         <RedirectUri1>{AllowedCorsOrigin}</RedirectUri1>
       </RedirectUris>
       <PostLogoutRedirectUris>
         <PostLogoutRedirectUri1>{AllowedCorsOrigin}</PostLogoutRedirectUri1>
       </PostLogoutRedirectUris>
       <AllowedCorsOrigins>                     <AllowedCorsOriginsGroup1>http://localhost:4200|https://localhost:4200|http://localhost:5005|https://localhost:5005</AllowedCorsOriginsGroup1>
       </AllowedCorsOrigins>
       <AllowedScopes>
         <AllowedScope1>openid</AllowedScope1>
         <AllowedScope2>dataEventRecords</AllowedScope2>
         <AllowedScope3>dataeventrecordsscope</AllowedScope3>
         <AllowedScope4>securedFiles</AllowedScope4>
         <AllowedScope5>securedfilesscope</AllowedScope5>
         <AllowedScope6>role</AllowedScope6>
         <AllowedScope7>EngineAPI</AllowedScope7>
       </AllowedScopes>
       <UpdateAccessTokenClaimsOnRefresh>true</UpdateAccessTokenClaimsOnRefresh>
     </CommerceClient>

Configuration example of Commerce Engine Connect client authentication

The following shows an example of the default client configuration in the Sitecore.Commerce.IdentityServer.Host.xml for the Commerce Engine Connect client.

<CommerceEngineConnectClient>
  <ClientId>CommerceEngineConnect</ClientId>
  <ClientName>CommerceEngineConnect</ClientName> 
  <AccessTokenType>0</AccessTokenType>
  <AllowOfflineAccess>true</AllowOfflineAccess>
<AlwaysIncludeUserClaimsInIdToken>false</AlwaysIncludeUserClaimsInIdToken>
  <AccessTokenLifetimeInSeconds>3600</AccessTokenLifetimeInSeconds>
  <IdentityTokenLifetimeInSeconds>3600</IdentityTokenLifetimeInSeconds>
  <AllowAccessTokensViaBrowser>true</AllowAccessTokensViaBrowser>
  <RequireConsent>false</RequireConsent>
  <RequireClientSecret>true</RequireClientSecret>
  <AllowedGrantTypes>
    <AllowedGrantType1>client_credentials</AllowedGrantType1>
  </AllowedGrantTypes>
  <RedirectUris>
    <RedirectUri1>{AllowedCorsOrigin}/oauth2/callback</RedirectUri1></RedirectUris>
  <PostLogoutRedirectUris>
    <PostLogoutRedirectUri1>{AllowedCorsOrigin}/PostLogoutRedirectUri1>
    </PostLogoutRedirectUris>
  <AllowedCorsOrigins>
    <AllowedCorsOriginsGroup1>HOSTNAME</AllowedCorsOriginsGroup1>
    </AllowedCorsOrigins>
  <AllowedScopes>
    <AllowedScope1>openid</AllowedScope1>
    <AllowedScope2>sitecore.profile</AllowedScope2>
    <AllowedScope3>sitecore.profile.api</AllowedScope3>
    <AllowedScope4>EngineAPI</AllowedScope4>
  </AllowedScopes>
<UpdateAccessTokenClaimsOnRefresh>true</UpdateAccessTokenClaimsOnRefresh>
  <ClientSecrets>
     <ClientSecret1>CLIENTSECRET</ClientSecret1>
  </ClientSecrets>
</CommerceEngineConnectClient