SLAS Trusted System on Behalf Authorization

Trusted System on Behalf (TSOB) is a login flow designed for system to system communication in back office workflows, for example:

  • You want all logins to route through your external IDP and don’t want customers to log in with SLAS.
  • You want to take action as a system on behalf of a shopper.

TSOB authentication uses the getTrustedSystemAccessToken endpoint, which requires a SLAS private client with the sfcc.ts_ext_on_behalf_of scope. For details, see the Authorization Scopes Catalog.

All SLAS TSOB calls require a private client_id.

TSOB is not the preferred method for Shopper authentication flows as it is outside the OAuth and OIDC standard. For the most secure authentication mechanism, use one of the workflows described in Shopper Login public and private use cases. Do not use TSOB if shopper information frequently changes and idp_origin=ecom, as TSOB will not retrieve the most up-to-date customer information from B2C Commerce.

TSOB returns a TokenResponse, including:

  • A SLAS TSOB shopper token for the specified shopper.
  • A refresh token that can be used to make system requests on behalf of the shopper.

A TSOB token is slightly different from a standard shopper token because it carries the tsob:ts_ext_on_behalf_of type in the isb sub-claim of the shopper token. This sub-claim is for those APIs that are looking specifically for a TSOB token.

To protect against overuse, the TSOB flow is rate limited: it monitors call volume and allows a limited number of calls within a specific window. If calls arrive in quick succession, you might see the following exception:

When using the SLAS Shopper TSOB refresh token to get a new SLAS Shopper Token, the call to the SLAS /token endpoint must use the same SLAS client_id as the one that originally created the SLAS Shopper Token.

  • usid - Unique shopper id to be assigned to the SLAS Shopper Token. If not provided, a new usid is generated.
  • dnt - Sets Do Not Track in B2C Commerce for the lifetime of the SLAS Shopper Token. The default value is false.

All TSOB flows require a SLAS private client id and secret to be in an Authorization header.

In this flow, you must set login_id=guest and idp_origin=ecom.

The following example shows how to get a guest shopper TSOB token using the required parameters.

The guest shopper flow is shown in the following image:

Guest Shopper Flow

In this flow, you must set login_id to the applicable value and idp_origin=ecom.

The following example shows how to get a registered shopper TSOB token using the required parameters:

The registered shopper identified from the login_id parameter must exist in B2C Commerce, or SLAS returns the following HTTP Status:

The registered shopper flow is shown in the following image:

Registered Shopper Flow

In this flow, you must set login_id to the unique external IDP ID and idp_origin to the IDP name.

The following example shows how to get a registered shopper TSOB token (without calling the IDP) using the required parameters:

If the registered shopper identified from the login_id parameter does not exist in B2C Commerce, SLAS creates the customer and external profiles. When the B2C Commerce shopper is created this way, the login_id, first_name, and last_name are generated from the IDP shopper unique id, because SLAS does not call out to the IDP to get shopper information. The B2C shopper would have values similar to:

The registered shopper with an external IDP flow is shown in the following image:

Registered Shopper with External IDP

  1. Create a SLAS Guest shopper token.
  2. Create a TSOB Guest shopper token using the usid from the Guest shopper token and a different client_id.
  3. Refresh token: When using the refresh token from either SLAS Guest shopper token, the same SLAS client_id must be used that created the original Guest token.

  1. Create a SLAS registered shopper token.
  2. Create a TSOB registered shopper token using the usid from the Guest shopper token and a different client_id.
  3. Refresh token: When using the refresh token from either SLAS registered shopper token, the same SLAS client_id must be used that created the original Guest token.

  1. Log the shopper in from the external IDP.
  2. Get the shopper’s unique id from the external IDP.
  3. Create a TSOB registered shopper token using the shopper’s unique id from the IDP for the login_id parameter.
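The following Python helper, added here as an example and not part of the SLAS documentation or SDK, shows how a back-office system would assemble the TSOB request for the guest, registered, and external-IDP flows described above (private client in a Basic Authorization header; login_id, idp_origin, usid and dnt as form parameters), then check a returned token for the tsob:ts_ext_on_behalf_of isb sub-claim and enforce the same-client_id refresh rule. The /oauth2/trusted-system/token path, the channel_id parameter and the sample isb string are assumptions; nothing is sent over the network.

```python
import base64
import json
from urllib.parse import urlencode

TSOB_TYPE = "tsob:ts_ext_on_behalf_of"  # isb sub-claim that marks a TSOB token


def build_tsob_request(short_code, org_id, client_id, client_secret,
                       login_id, idp_origin, channel_id, usid=None, dnt=False):
    """Assemble (not send) the getTrustedSystemAccessToken call.
    Path and channel_id are assumptions; the other parameters are from the page."""
    url = (f"https://{short_code}.api.commercecloud.salesforce.com/shopper/auth/v1/"
           f"organizations/{org_id}/oauth2/trusted-system/token")
    # The private client id and secret travel in an HTTP Basic Authorization header.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"client_id": client_id, "channel_id": channel_id,
            "login_id": login_id, "idp_origin": idp_origin,
            "dnt": "true" if dnt else "false"}  # dnt defaults to false
    if usid:  # omit usid and SLAS generates a new one
        form["usid"] = usid
    return {"url": url,
            "headers": {"Authorization": f"Basic {basic}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(form)}


def _jwt_payload(token):
    """Decode the JWT payload segment without verifying the signature."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def is_tsob_token(token):
    """True if the isb claim carries the TSOB type. The signature is NOT checked
    here; verify it against the SLAS JWKS before trusting any claim in production."""
    return TSOB_TYPE in _jwt_payload(token).get("isb", "")


def refresh_allowed(issuing_client_id, refreshing_client_id):
    """A refresh must use the client_id that originally created the token."""
    return issuing_client_id == refreshing_client_id


def make_unsigned_sample_token(isb):
    """Constructed, unsigned JWT for offline demonstration only (alg none)."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'isb': isb, 'sub': 'cc-slas::demo'})}."
```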