SLAS Trusted System on Behalf Authorization

Trusted System on Behalf (TSOB) is a login flow designed for system-to-system communication in back office workflows, for example:

  • You want all logins to route through your external IDP and don’t want customers to log in with SLAS.
  • You want to take action as a system on behalf of a shopper.

TSOB authentication uses the getTrustedSystemAccessToken endpoint, which requires a SLAS private client with the sfcc.ts_ext_on_behalf_of scope. For details, see the Authorization Scopes Catalog.

TSOB is not the preferred method for Shopper authentication flows as it is outside the OAuth and OIDC standard. For the most secure authentication mechanism, use one of the workflows described in Shopper Login public and private use cases. Do not use TSOB if shopper information frequently changes and idp_origin=ecom, as TSOB will not retrieve the most up-to-date customer information from B2C Commerce.

All TSOB flows require a SLAS private client id and secret to be in an Authorization header.

To request a guest shopper TSOB token:

Provide body parameters idp_origin=ecom and login_id=guest.

To request a registered shopper TSOB token:

Provide body parameters idp_origin=ecom and login_id, whose value is the login of an existing registered shopper.

If the shopper does not exist, SLAS returns an HTTP 400:

To request a TSOB token for a shopper registered through an external IDP:

Provide body parameters idp_origin, whose value is the ID of the IDP, and login_id, whose value is the shopper login.

If the shopper record does not exist, SLAS creates it. The shopper's login_id, first_name, and last_name are set to the value provided. SLAS does not communicate with the IDP to get the shopper information.

TSOB returns a TokenResponse, including a SLAS TSOB access token for the shopper and a refresh token. The refresh token can be used with the getAccessToken endpoint to obtain a new TSOB access token.

TSOB access tokens include the tsob:ts_ext_on_behalf_of type in the isb sub-claim.

To protect against overuse, if multiple calls for the same shopper are made in succession, SLAS returns an HTTP 409:
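The following Python helper is an added example, not code from the SLAS documentation. It builds the TSOB request for the three cases above (guest, registered ecom shopper, external IDP shopper), classifies the 400 and 409 responses, and checks the isb claim of a returned token for the tsob:ts_ext_on_behalf_of type. The endpoint path, grant_type=client_credentials, hint=ts_ext_on_behalf_of and channel_id are taken from the SLAS trusted-system API and are assumptions not stated on this page; the sample JWT is constructed and unsigned.

```python
import base64
import json

# Assumed (not stated on the page): the trusted-system token path and the
# grant_type / hint / channel_id form parameters of the SLAS API.
TSOB_HINT = "ts_ext_on_behalf_of"
TSOB_TYPE = "tsob:ts_ext_on_behalf_of"


def build_tsob_request(short_code, org_id, client_id, client_secret,
                       login_id, idp_origin, channel_id):
    """Return (url, headers, form) for a getTrustedSystemAccessToken call.

    login_id="guest" with idp_origin="ecom" requests a guest token; any other
    login_id with idp_origin="ecom" must be an existing registered shopper;
    a non-ecom idp_origin names the external IDP the shopper belongs to.
    """
    if not login_id:
        raise ValueError("login_id is required (use 'guest' for a guest token)")
    # Private client id and secret go in a Basic Authorization header.
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    url = (f"https://{short_code}.api.commercecloud.salesforce.com"
           f"/shopper/auth/v1/organizations/{org_id}/oauth2/trusted-system/token")
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "client_credentials", "hint": TSOB_HINT,
            "login_id": login_id, "idp_origin": idp_origin,
            "channel_id": channel_id}
    return url, headers, form


def classify_tsob_status(status):
    """Map the HTTP status codes the page documents to an action."""
    return {200: "ok",
            400: "shopper_not_found",   # registered ecom login_id does not exist
            409: "throttled"            # repeated calls for the same shopper
            }.get(status, "unexpected")


def is_tsob_token(jwt):
    """Inspect the isb claim only; this does not replace signature verification."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return TSOB_TYPE in claims.get("isb", "").split("::")


def make_sample_jwt(isb):
    """Constructed, unsigned sample token for local testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'isb': isb})}.sig"
```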