Public SLAS Client Use Cases

Setting up SLAS and making your first request is covered in the Get Started guides. See Authorization for Shopper APIs.

The following use cases show how SLAS enables authorized access to the Shopper APIs for public clients under different login scenarios.

Remember that any shopping app that is not able to securely store a client secret for a registered user is a public client. Single-page apps, such as those built with PWA Kit, Android or iOS apps, and mobile apps without a gateway must be provisioned as public clients.

Each use case demonstrates a different login scenario: guest user (no login), federated login, and B2C login.

Although all three use cases feature OCAPI’s /baskets endpoint, remember that a SLAS access token can be used with any Shopper API endpoint.

Each step in the authentication flow is numbered and described in detail for all three use cases. The numbered steps are also illustrated with a diagram.

See the API specification for full details on how to make your API requests.

You can explore these use cases interactively with a Postman collection: Salesforce Commerce Cloud SLAS Use Cases.

This use case describes what happens when the shopper adds a product to their basket without logging in first. It follows the authorization code grant flow as defined by the OAuth 2.0 standard. It also uses a proof key for code exchange (PKCE), as defined by RFC 7636.

public-client-guest-user-28375455-71dd-4d38-bbbc-59567d51b057-483a3113-006b-4dd9-8643-74ab4b178d74.png

  1. A shopper opens a Commerce Cloud shopping app and starts interacting with it.

  2. The shopping app generates two strings: code_verifier and code_challenge.

    • The code_verifier string is a random string.
    • The code_challenge is an encoded version of the code_verifier string using an SHA-256 hash.
  3. The shopping app makes a request to the /authorize endpoint of the SLAS API.

    • Required query parameters: hint=guest, response_type=code, client_id, code_challenge, and redirect_uri.
    • The redirect_uri parameter specifies what app route to redirect to when the login is complete.
    • Optional query parameter: usid. If you already have a Unique Shopper Identifier (USID) for the guest user, you can pass it in. Otherwise, a USID is generated for you by SLAS.
    • Best practice: reuse the USID for a shopper from the previous guest login so that you can tie that user to all the previous login attempts and enable personalization.
  4. The endpoint responds with an authorization code and redirects to the shopping app via the redirect_uri. If necessary, the USID is returned through a query parameter.

  5. The shopping app makes a request to the /token endpoint of the SLAS API.

    • No authorization header is required.
    • Required query parameters: grant_type=authorization_code_pkce, code_verifier, code,client_id, and redirect_uri.
  6. The endpoint responds with an access token in the form of a JSON Web Token (JWT).

    • The JWT includes a customer_id string, a USID, a refresh token, and all the scopes for accessing Shopper APIs.
    • The JWT also includes an enc_user_id string that can be used to call Einstein tracking APIs. For guest users, you would use a USID instead.
  7. The guest shopper adds a product to their basket.

  8. The shopping app makes a request to the /baskets endpoint of OCAPI and provides a SLAS access token in the header.

  9. The Baskets API saves a shopping basket with a customer_id string that is associated with the guest user.

This use case describes what happens when a shopper logs in using a third-party identity provider before adding a product to their basket. It follows the authorization code grant flow as defined by the OAuth 2.0 standard. It also uses a proof key for code exchange (PKCE), as defined by RFC 7636.

public-client-registered-user-federated-316ca271-4d6e-47a6-9654-4beb4939c025-54fdaaea-3862-44cb-a674-88c397bbbde2.png

  1. A shopper logs in to a Commerce Cloud shopping app and chooses a third-party identity provider (IDP) to perform the authentication.

  2. The shopping app generates two strings: code_verifier and code_challenge.

    • The code_verifier string is a random string.
    • The code_challenge is an encoded version of the code_verifier string using an SHA-256 hash.
  3. The shopping app makes a request to the /authorize endpoint of the SLAS API.

    • Required query parameters: hint, response_type=code, client_id, code_challenge, and redirect_uri.
    • The hint parameter specifies the name of the identity provider.
    • The redirect_uri parameter specifies what app route to redirect to when the login is complete.
  4. The SLAS API redirects to the identity provider’s login page.

  5. The shopper enters their credentials and consents.

  6. If login is successful, the SLAS API responds with an authorization code and redirects to the shopping app.

  7. The shopping app makes a request to the /token endpoint of the SLAS API.

    • No authorization header is required.
    • Required query parameters: grant_type=authorization_code_pkce, code_verifier, code, client_id, and redirect_uri.
  8. The endpoint responds with an access token in the form of a JSON Web Token (JWT).

    • The JWT includes a customer_id string, a USID, a refresh token, and all the scopes for accessing Shopper APIs.
    • The JWT also includes a enc_user_id string that can be used to call Einstein tracking APIs. For guest users, you would use a USID instead.
  9. The guest shopper adds a product to their basket.

  10. The shopping app makes a request to the /baskets endpoint of OCAPI and provides a SLAS access token in the header.

  11. The Baskets API saves a shopping basket with a customer_id string that is associated with the guest user.

This use case describes what happens when a shopper logs in with credentials that are managed by a B2C Commerce instance before adding a product to their basket. It follows the authorization code grant flow as defined by the OAuth 2.0 standard. It also uses a proof key for code exchange (PKCE), as defined by RFC 7636.

public-client-registered-user-b2c-fab0b3d7-08c7-43f2-b4ab-0f47fb7e40e3-7ccab931-3b53-4d73-9fdb-ebc662f1624b.png

  1. A shopper logs in to a Commerce Cloud shopping app and chooses to authenticate directly through the shopping app.

  2. The shopping app generates two strings: code_verifier and code_challenge.

    • The code_verifier string is a random string.
    • The code_challenge is an encoded version of the code_verifier string using an SHA-256 hash.
  3. The shopping app makes a request to the /login endpoint of the SLAS API.

    • The request must include an authorization header that contains a Base64 encoded version of the following string: <shopperUserID>:<shopperPassword>. (Don’t forget to replace <shopperUserID> and <shopperPassword> with actual values before encoding the string.)
    • Example header value: Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    • Required query parameters: code_challenge, usid, channel_id, client_id, and redirect_uri.
  4. The SLAS API redirects to the redirect URI and returns an authorization code.

  5. The shopping app makes a request to the /token endpoint of the SLAS API.

    • No authorization header is required.
    • Required query parameters: grant_type=authorization_code_pkce, code_verifier, code, client_id, and redirect_uri.
  6. The endpoint responds with an access token in the form of a JSON Web Token (JWT).

    • The JWT includes a customer_id string, a USID, a refresh token, and all the scopes for accessing Shopper APIs.
    • The JWT also includes an enc_user_id string that can be used to call Einstein APIs. For guest users, you would use a USID instead.
  7. The shopper adds a product to their basket.

  8. The shopping app makes a request to the /baskets endpoint of OCAPI and provides a SLAS access token in the header.

  9. The Baskets API saves a shopping basket with a customer_id string that is associated with the registered user.

Now that you’re familiar with the use cases for public clients, check out the Private SLAS Client Use Cases.

When you’re ready to incorporate SLAS into your app, explore the API reference for the complete technical specifications for the SLAS endpoints.