
Sitecore XM and OrderCloud: Authentication Dilemma

Yassine Alahyane

Updated: Jul 22, 2024


Authentication

July 8th 2024


If you're currently on XP/XC and planning to move to XM/OrderCloud, this post might be of interest to you.

We will specifically discuss Shopper Authentication/Authorization and how it can impact your migration.


XP/XC Authentication:

Recent versions of XP/XC use Sitecore Identity for user login. The user credentials live in the aspnet_Membership table of the Core database, with passwords stored in whatever format the ASP.NET membership provider is configured for (hashed by default, not reversibly encrypted).

The login pipelines will, however, also validate that the user exists as a Customer in the Sitecore Commerce Shared database and that there is a matching Contact in xDB.


So a successful login requires all three of the following:

  • A valid and active Sitecore User

  • A valid and active Sitecore Commerce Customer

  • A contact in xDB


XM/OrderCloud Authentication:

Moving to XM/OrderCloud, we now have two systems with separate authentication mechanisms:

  • XM uses Sitecore Identity Server and the SQL aspnet tables, as explained above.

  • OrderCloud uses OAuth2 bearer tokens issued by its own token endpoint, as explained here.


So which system should you use to authenticate your shoppers? Sitecore XM (or XP)? OrderCloud? Or both? What about passwords? Do you store them in both systems? How do you migrate passwords from XP to OrderCloud at all? If they are hashed in aspnet_Membership (the default), there is no way to move them: OrderCloud only accepts a plaintext Password on user create/save and hashes it itself, so a password migration would mean forcing a reset or capturing the password again at the next login.


There are many questions and options to choose from.


User Impersonation in OrderCloud:

After discussing my use case with the OrderCloud team, I concluded that User Impersonation was the best option, for two reasons:

  • No need to store passwords in OrderCloud; we only need to migrate users from XP 9.3 to XM 10.3.

  • The user information shown on our site comes from an internal system, so there is no need to migrate customer data from XC to OrderCloud. The approach we took instead is explained below.


For reference, our OrderCloud architecture follows this pattern example (diagram: OrderCloud topology):


Multi-Currency with Shopper Selected Currencies (Guest Shopping & Anonymous Buyers)

OrderCloud topology

For more globalization architectures in OrderCloud check this link.


Based on this, to implement User Impersonation we need to grant the API Client's anonymous (default context) user the ability to obtain tokens for users in the same User Group.

This is a genuine security concern: the anonymous user's token is, by design, obtainable by any browser session, so without an additional control anyone holding an anonymous token could mint a token for any shopper in that group. To mitigate this we use a shared secret enforced by a Pre-Hook:

  • A secret key stored in Sitecore (server-side only; it must never reach the browser), sent as a header with each call to POST v1/buyers/{buyerID}/users/{userID}/accesstoken. Sitecore makes that call on the shopper's behalf only after Sitecore Identity has authenticated them.

  • An OrderCloud Pre-Hook (a webhook with BeforeProcessRequest enabled) registered on the same endpoint, which checks that the header is present and matches the value expected from Sitecore. If it does not, the Pre-Hook rejects the call and no token is issued.

Two details matter in the Pre-Hook receiver: it must verify the X-oc-hash signature that OrderCloud attaches to every webhook delivery (otherwise the hook itself can be spoofed by anyone who finds its URL), and it should compare the secret in constant time. Limiting the Roles requested in the token body to what a shopper actually needs is a cheap extra safeguard.


Here's a simplified view of the login flow we adopted (diagram: Auth flow).


Creating users in OrderCloud during their first login simplifies our user migration from XP/XC to XM/OrderCloud.

We only need to migrate the users from Sitecore XP 9.3 to Sitecore XM 10.3, and not worry about an XC-to-OrderCloud migration where customers are concerned.

We also used the same IDs as our internal system when creating users in OrderCloud, which makes mapping between the two systems straightforward and fast.
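The following is an added example of the Sitecore-side half of the flow; it is not code from the original post. It shows what runs server-side after Sitecore Identity has authenticated a shopper: look the user up in OrderCloud by the internal system's ID, create and group-assign them on first login (an idempotent PUT, so a concurrent first login cannot create duplicates), then request the impersonation token with the shared secret in the header. The OrderCloud client is injected so the flow runs offline; the method names mirror the shape of the OrderCloud JavaScript SDK (Users.Get, Users.Save, UserGroups.SaveUserAssignment, Users.GetAccessToken), but the in-memory fake, the header name, the extra request-options argument carrying the header, and all IDs are assumptions constructed for this example.

```javascript
// Added example (not the article's code): first-login provisioning plus impersonation call.
const IMPERSONATION_HEADER = "X-Sitecore-Impersonation-Key"; // hypothetical header name

class NotFound extends Error {
  constructor() { super("404 Not Found"); this.status = 404; }
}

// In-memory stand-in for the OrderCloud API (constructed for this example, not the real service).
function createFakeOrderCloud() {
  const users = new Map();        // key: `${buyerID}/${userID}`
  const assignments = new Set();  // key: `${buyerID}/${userGroupID}/${userID}`
  const tokenRequests = [];       // every impersonation call, for inspection
  return {
    users, assignments, tokenRequests,
    Users: {
      async Get(buyerID, userID) {
        const u = users.get(`${buyerID}/${userID}`);
        if (!u) throw new NotFound();
        return u;
      },
      async Save(buyerID, userID, user) {           // PUT: create or overwrite, idempotent
        const saved = { ...user, ID: userID };
        users.set(`${buyerID}/${userID}`, saved);
        return saved;
      },
      async GetAccessToken(buyerID, userID, body, requestOptions) {
        tokenRequests.push({ buyerID, userID, body, requestOptions });
        return { access_token: `tok-${userID}`, expires_in: 600 };
      },
    },
    UserGroups: {
      async SaveUserAssignment(buyerID, { UserID, UserGroupID }) {
        assignments.add(`${buyerID}/${UserGroupID}/${UserID}`);
      },
    },
  };
}

// Runs server-side only, after Sitecore Identity has authenticated the shopper.
// `profile` comes from the internal system of record; its ID becomes the OrderCloud user ID,
// so the two systems map to each other without a lookup table.
async function loginShopper(oc, cfg, profile) {
  const { buyerID, userGroupID, clientID, roles, impersonationSecret } = cfg;
  const userID = profile.internalId;
  let created = false;
  try {
    await oc.Users.Get(buyerID, userID);
  } catch (err) {
    if (err.status !== 404) throw err;     // anything other than "not yet provisioned" is an outage
    await oc.Users.Save(buyerID, userID, {
      Username: profile.email, Email: profile.email,
      FirstName: profile.firstName, LastName: profile.lastName,
      Active: true,                        // no Password: the shopper never authenticates to OrderCloud directly
    });
    await oc.UserGroups.SaveUserAssignment(buyerID, { UserID: userID, UserGroupID: userGroupID });
    created = true;
  }
  // The anonymous-buyer context authenticates the call; the secret header is what the
  // pre-hook checks. Both stay on the server, the browser only receives the resulting token.
  const token = await oc.Users.GetAccessToken(
    buyerID, userID, { ClientID: clientID, Roles: roles },
    { headers: { [IMPERSONATION_HEADER]: impersonationSecret } },
  );
  return { userID, created, accessToken: token.access_token };
}

module.exports = { loginShopper, createFakeOrderCloud, IMPERSONATION_HEADER };
```

Against the real API, attach the header at the HTTP-client layer if your SDK's request options do not expose custom headers, and keep the Roles list to the minimum a shopper needs; in a Sitecore solution the same logic sits in a pipeline processor that runs after Sitecore Identity's login callback.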


For more details about User Impersonation in OrderCloud, check this link.


I hope you find this post helpful. Feel free to reach out if you have any questions or comments.
