Public SLAS Client Use Cases

Setting up SLAS and making your first request is covered in the Get Started guides. See Authorization for Shopper APIs.

The following use cases show how SLAS enables authorized access to the Shopper APIs for public clients under different login scenarios.

Remember that any shopping app that is not able to securely store a client secret for a registered user is a public client. Single-page apps, such as those built with PWA Kit, Android or iOS apps, and mobile apps without a gateway must be provisioned as public clients.

Each use case demonstrates a different login scenario: guest user (no login), federated login, and B2C login.

Although all three use cases feature OCAPI’s /baskets endpoint, remember that a SLAS access token can be used with any Shopper API endpoint.

Each step in the authentication flow is numbered and described in detail for all three use cases. The numbered steps are also illustrated with a diagram.

See the API specification for full details on how to make your API requests.

You can explore these use cases interactively with a Postman collection: Salesforce Commerce Cloud SLAS Use Cases.

This use case describes what happens when the shopper adds a product to their basket without logging in first. It follows the authorization code grant flow as defined by the OAuth 2.1 standard. It also uses a proof key for code exchange (PKCE), as defined by RFC 7636.

Associated diagram

  1. A shopper opens a Commerce Cloud shopping app and starts interacting with it.

  2. The shopping app generates two strings: code_verifier and code_challenge.

    • The code_verifier string is a random string.
    • The code_challenge is an encoded version of the code_verifier string using an SHA-256 hash.

  3. The shopping app makes a request to the /authorize endpoint of the SLAS API.

    • Required query parameters: hint=guest, response_type=code, client_id, code_challenge, and redirect_uri.
    • The redirect_uri parameter specifies what app route to redirect to when the login is complete.
    • Optional query parameter: usid. If you already have a Unique Shopper Identifier (USID) for the guest user, you can pass it in. Otherwise, a USID is generated for you by SLAS.
    • Best practice: reuse the USID for a shopper from the previous guest login so that you can tie that user to all the previous login attempts and enable personalization.

  4. The endpoint responds with an authorization code and redirects to the shopping app via the redirect_uri. If necessary, the USID is returned through a query parameter.

  5. The shopping app makes a request to the /token endpoint of the SLAS API.

    • No authorization header is required.
    • Required query parameters: grant_type=authorization_code_pkce, code_verifier, code,client_id, and redirect_uri.
    • Recommended query parameter (will be required in the future): channel_id.

  6. The endpoint responds with an access token in the form of a JSON Web Token (JWT), a customer_id string, a USID, and a refresh token.

    • The JWT also includes an enc_user_id string that can be used to call Einstein tracking APIs. For guest users, use a USID instead.

  7. The shopping app makes a request to the /getJwksUri endpoint of the SLAS API to retrieve the keys for validating the JWT issued by the SLAS API.

  8. The endpoint responds with a JSON Web Key Set (JWKS) containing the current, past, and future public keys.

  9. The shopping app uses the key set to validate the Shopper JWT issued by the SLAS API.

  10. The guest shopper adds a product to their basket.

  11. The shopping app makes a request to the /baskets endpoint of OCAPI and provides a SLAS access token in the header.

  12. The Baskets API saves a shopping basket with a customer_id string that is associated with the guest user.

This use case describes what happens when a shopper logs in using a third-party identity provider before adding a product to their basket. It follows the authorization code grant flow as defined by the OAuth 2.1 standard. It also uses a proof key for code exchange (PKCE), as defined by RFC 7636.

Associated diagram

  1. A shopper logs in to a Commerce Cloud shopping app and chooses a third-party identity provider (IDP) to perform the authentication.

  2. The shopping app generates two strings: code_verifier and code_challenge.

    • The code_verifier string is a random string.
    • The code_challenge is an encoded version of the code_verifier string using an SHA-256 hash.

  3. The shopping app makes a request to the /authorize endpoint of the SLAS API.

    • Required query parameters: hint, response_type=code, client_id, code_challenge, and redirect_uri.
    • The hint parameter specifies the name of the identity provider.
    • The redirect_uri parameter specifies what app route to redirect to when the login is complete.

  4. The SLAS API redirects to the identity provider’s login page.

  5. The shopper enters their credentials and consents.

  6. If login is successful, the SLAS API responds with an authorization code and redirects to the shopping app.

  7. The shopping app makes a request to the /token endpoint of the SLAS API.

    • No authorization header is required.
    • Required query parameters: grant_type=authorization_code_pkce, code_verifier, code, client_id, and redirect_uri.

  8. The endpoint responds with an access token in the form of a JSON Web Token (JWT), a customer_id string, a USID, and a refresh token.

    • The JWT also includes an enc_user_id string that can be used to call Einstein tracking APIs.

  9. The shopping app makes a request to the /getJwksUri endpoint of the SLAS API to retrieve the keys for validating the JWT issued by the SLAS API.

  10. The endpoint responds with a JSON Web Key Set (JWKS) containing the current, past, and future public keys.

  11. The shopping app uses the key set to validate the Shopper JWT issued by the SLAS API.

  12. The registered shopper adds a product to their basket.

  13. The shopping app makes a request to the /baskets endpoint of OCAPI and provides a SLAS access token in the header.

  14. The Baskets API saves a shopping basket with a customer_id string that is associated with the registered shopper.

This use case describes what happens when a shopper logs in with credentials that are managed by a B2C Commerce instance before adding a product to their basket. It follows the authorization code grant flow as defined by the OAuth 2.1 standard. It also uses a proof key for code exchange (PKCE), as defined by RFC 7636.

Associated diagram

  1. A shopper logs in to a Commerce Cloud shopping app and chooses to authenticate directly through the shopping app.

  2. The shopping app generates two strings: code_verifier and code_challenge.

    • The code_verifier string is a random string.
    • The code_challenge is an encoded version of the code_verifier string using an SHA-256 hash.

  3. The shopping app makes a request to the /login endpoint of the SLAS API.

    • The request must include an authorization header that contains a Base64 encoded version of the following string: <shopperUserID>:<shopperPassword>. (Don’t forget to replace <shopperUserID> and <shopperPassword> with actual values before encoding the string.)
    • Example header value: Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    • Required query parameters: code_challenge, usid, channel_id, client_id, and redirect_uri.

  4. The SLAS API redirects to the redirect URI and returns an authorization code.

  5. The shopping app makes a request to the /token endpoint of the SLAS API.

    • No authorization header is required.
    • Required query parameters: grant_type=authorization_code_pkce, code_verifier, code, client_id, and redirect_uri.

  6. The endpoint responds with an access token in the form of a JSON Web Token (JWT), a customer_id string, a USID, and a refresh token.

    • The JWT also includes an enc_user_id string that can be used to call Einstein tracking APIs.

  7. The shopping app makes a request to the /getJwksUri endpoint of the SLAS API to retrieve the keys for validating the JWT issued by the SLAS API.

  8. The endpoint responds with a JSON Web Key Set (JWKS) containing the current, past, and future public keys.

  9. The shopping app uses the key set to validate the Shopper JWT issued by the SLAS API.

  10. The registered shopper adds a product to their basket.

  11. The shopping app makes a request to the /baskets endpoint of OCAPI and provides a SLAS access token in the header.

  12. The Baskets API saves a shopping basket with a customer_id string that is associated with the registered shopper.

This use case describes what happens when a shopper logs in with an external profile that is managed by a third-party IDP.

Associated diagram

  1. A shopper logs in to a Commerce Cloud shopping app using credentials managed by a third-party IDP.
  2. The shopping app makes a request to the /authorize endpoint.
  3. The SLAS API redirects to the third-party IDP.
  4. The third-party IDP makes a callback to the SLAS login API on successful login.
  5. The SLAS service makes a request to the third-party IDP to get the IDP token and shopper/user info.
  6. The SLAS service makes a request to the external profile endpoint to create a record with the shopper's third-party credentials on B2C Commerce.
  7. After successful external profile creation on B2C Commerce, a corresponding user entry is persisted on SLAS.

Now that you’re familiar with the use cases for public clients, check out the Private SLAS Client Use Cases.

When you’re ready to incorporate SLAS into your app, explore the API reference for the complete technical specifications for the SLAS endpoints.