Bearer token authentication

Current version: 9.1

Sitecore uses bearer token authentication for systems calling the Commerce Engine directly, without going through CE Connect. The caller must connect to the Sitecore Identity Server, using Sitecore credentials, to obtain a token. Sitecore uses that token as an authorization bearer in request headers.

You must specify the URL of the Sitecore Identity server in the Commerce Engine's config.json file, in the SitecoreIdentityServerUrl parameter.

The Sitecore Identity server provides the following two endpoints for obtaining a token:

  • GetToken (http://{{SitecoreIdentityServerHost}}/connect/token)

    A silent mode that allows you to get a token without having to log in through the UI. Used by Postman, Console, and Deployment scripts.

  • Authorize (http://{{SitecoreIdentityServerHost}}/connect/authorize)

    Loads the Sitecore Identity Server login page. Once the user logs in successfully with Sitecore credentials, the user is returned to their website. Used by the Commerce Business Tools.

The identity of any system calling the Commerce Engine (for example, Postman, Commerce Business Tools) must be stored in the Sitecore.Commerce.IdentityServer.Host.xml configuration file. The default location of the XML config file is C:\inetpub\wwwroot\<SXAStorefront-IdentityServer>\Config\production\Sitecore.Commerce.IdentityServer.Host.xml.

The following is an sample of the client configuration in the Sitecore Identity Server’s Sitecore.Commerce.IdentityServer.Host.xml file for the Postman client:

RequestResponse
<PostmanClient>
    <ClientId>postman-api</ClientId>
    <ClientName>Postman API</ClientName>
    <AccessTokenType>0</AccessTokenType>
    <AllowOfflineAccess>true</AllowOfflineAccess>
    <AlwaysIncludeUserClaimsInIdToken>false</AlwaysIncludeUserClaimsInIdToken>
    <AccessTokenLifetimeInSeconds>3600</AccessTokenLifetimeInSeconds>
    <IdentityTokenLifetimeInSeconds>3600</IdentityTokenLifetimeInSeconds>
    <AllowAccessTokensViaBrowser>true</AllowAccessTokensViaBrowser>
    <RequireConsent>false</RequireConsent>
    <RequireClientSecret>false</RequireClientSecret>
    <AllowedGrantTypes>
      <AllowedGrantType1>password</AllowedGrantType1>
    </AllowedGrantTypes>
    <RedirectUris>
       <RedirectUri1>{AllowedCorsOrigin}/oauth2/callback</RedirectUri1>
    </RedirectUris>
    <PostLogoutRedirectUris>
       <PostLogoutRedirectUri1>{AllowedCorsOrigin}</PostLogoutRedirectUri1>
       </PostLogoutRedirectUris>
    <AllowedCorsOrigins>
        <AllowedCorsOrigins1>https://www.getpostman.com</AllowedCorsOrigins1>
     </AllowedCorsOrigins>
    <AllowedScopes>
        <AllowedScope1>openid</AllowedScope1>
        <AllowedScope2>EngineAPI</AllowedScope2>
        <AllowedScope3>postman_api</AllowedScope3>
        </AllowedScopes>
     <UpdateAccessTokenClaimsOnRefresh>true</UpdateAccessTokenClaimsOnRefresh>
 </PostmanClient>
    

The following is a sample of the client configuration in the Sitecore.Commerce.IdentityServer.Host.xml for the Commerce Business Tools:

RequestResponse
<Clients>
     <CommerceClient>
       <ClientId>CommerceBusinessTools</ClientId>
       <ClientName>CommerceBusinessTools</ClientName>
       <AccessTokenType>0</AccessTokenType>
       <AllowOfflineAccess>true</AllowOfflineAccess>
       <AlwaysIncludeUserClaimsInIdToken>false</AlwaysIncludeUserClaimsInIdToken>
       <AccessTokenLifetimeInSeconds>3600</AccessTokenLifetimeInSeconds>
       <IdentityTokenLifetimeInSeconds>3600</IdentityTokenLifetimeInSeconds>
       <AllowAccessTokensViaBrowser>true</AllowAccessTokensViaBrowser>
       <RequireConsent>false</RequireConsent>
       <RequireClientSecret>false</RequireClientSecret>
       <AllowedGrantTypes>
         <AllowedGrantType1>implicit</AllowedGrantType1>
       </AllowedGrantTypes>
       <RedirectUris>
         <RedirectUri1>{AllowedCorsOrigin}</RedirectUri1>
       </RedirectUris>
       <PostLogoutRedirectUris>
         <PostLogoutRedirectUri1>{AllowedCorsOrigin}</PostLogoutRedirectUri1>
       </PostLogoutRedirectUris>
       <AllowedCorsOrigins>                     <AllowedCorsOriginsGroup1>http://localhost:4200|https://localhost:4200|http://localhost:5005|https://localhost:5005</AllowedCorsOriginsGroup1>
       </AllowedCorsOrigins>
       <AllowedScopes>
         <AllowedScope1>openid</AllowedScope1>
         <AllowedScope2>dataEventRecords</AllowedScope2>
         <AllowedScope3>dataeventrecordsscope</AllowedScope3>
         <AllowedScope4>securedFiles</AllowedScope4>
         <AllowedScope5>securedfilesscope</AllowedScope5>
         <AllowedScope6>role</AllowedScope6>
         <AllowedScope7>EngineAPI</AllowedScope7>
       </AllowedScopes>
       <UpdateAccessTokenClaimsOnRefresh>true</UpdateAccessTokenClaimsOnRefresh>
     </CommerceClient>

Do you have some feedback for us?

If you have suggestions for improving this article,