Third-party identity providers

Learn how to integrate third-party identity providers (IDPs) for advanced authentication features such as SSO and social logins.

After completing this page, you should be able to:

  • Explain the role of a third-party identity provider (IDP) in a Composable Commerce architecture and identify scenarios where its use is appropriate.

  • Describe the high-level authentication flow when integrating an IDP, including the responsibilities of the backend for frontend (BFF) and the function of the externalId field.

Although Composable Commerce provides robust native Customer authentication, you might need to integrate a third-party IDP to support features such as social logins, single sign-on (SSO), and multi-factor authentication (MFA).

What is an identity provider?

An identity provider (IDP) is an external service that manages user identities and handles the authentication process. The IDP stores and verifies passwords, instead of your application doing so. This approach is useful when you want to offer a "Sign in with Google" option, integrate with an existing employee directory, or leverage advanced security features that Composable Commerce doesn't provide natively.

Here are a few commonly used third-party IDPs:

  • Auth0
  • Okta
  • Azure AD B2C
  • Firebase Authentication
  • Social login providers such as Google, Facebook, and Apple

How IDPs work with Composable Commerce

The integration of an IDP with Composable Commerce typically uses OAuth 2.0 or OpenID Connect (OIDC) protocols. Your application's backend is responsible for orchestrating the authentication flow between the IDP and Composable Commerce.

Here's a breakdown of the steps:

  1. The IDP handles user authentication: the IDP manages the username and password logic, social logins, and advanced features such as MFA.
  2. The IDP issues tokens upon successful authentication: these are often JSON web tokens (JWTs) that contain information about the authenticated user.
  3. Your application backend validates the token: your backend receives the token and either validates it locally or makes an introspection call to the IDP to verify its authenticity.
  4. You link the external identity to a Composable Commerce Customer:
    • If a Customer record doesn't exist for the user, then your backend creates a new Customer in Composable Commerce.
    • You store the IDP's user ID in the externalId field of the Composable Commerce Customer. This externalId links the IDP user to the Composable Commerce Customer.
    • If the Customer already exists, then your backend retrieves their record by using the externalId field.
  5. Composable Commerce manages all e-commerce data: the IDP is used only for authentication. All Customer-specific data such as addresses, Carts, and Orders reside within Composable Commerce, linked by the customerId and externalId fields.

Role of backend for frontend (BFF)

The Composable Commerce API doesn't directly introspect external IDP tokens. Your backend for frontend (BFF) must perform this validation before it can use the IDP-authenticated identity to interact with Composable Commerce.

When to use an IDP

You should consider using an IDP in the following scenarios:

  • Single sign-on (SSO): if users need to access multiple applications with a single login, then an IDP simplifies this by allowing them to use existing credentials.
  • Existing user base: if you have a large Customer base in an external system (such as a legacy platform or CRM), then an IDP can help migrate and manage these users without forcing them to re-register.
  • Advanced authentication features: for features such as MFA, password-less login, and social logins, IDPs offer out-of-the-box solutions that save significant development effort.
  • Compliance and security: IDPs specialize in security and in compliance with regulations such as GDPR and CCPA. Offloading these concerns to a dedicated provider can reduce risk.

Role of Composable Commerce

In an OAuth2/OIDC flow, Composable Commerce acts as a resource server, not as an identity provider. It has no built-in OIDC provider functionality. Composable Commerce consumes identities from an external IDP rather than issuing them.

Although IDP integration is a powerful tool, this learning module focuses on the native Customer authentication capabilities of Composable Commerce. IDP integration is an advanced architectural decision that builds on a foundational understanding of how Composable Commerce manages Customer data.

Key takeaways

  • Third-party IDPs manage user authentication, letting you support features such as SSO, MFA, and social logins.
  • Your application's backend is responsible for validating the IDP token and linking the external user identity to a Composable Commerce Customer by using the externalId field.
  • Composable Commerce acts as a resource server that manages e-commerce data (Carts, Orders, profiles), whereas the IDP acts as the authentication authority.
  • Consider using an IDP if you need to integrate with existing user systems, require advanced security features, or want to simplify compliance.

Test your knowledge