Log in a shopper with credentials that are managed by a B2C Commerce instance (B2C Commerce).
Operation ID: authenticateCustomer
This follows the authorization code grant flow as defined by the OAuth 2.1 standard, combined with Proof Key for Code Exchange (PKCE).
For PKCE values:
- The code_verifier string is a random string used for the /token endpoint request.
- The code_challenge is an encoded version of the code_verifier string using an SHA-256 hash.
The request must include a basic authorization header that contains a Base64 encoded version of the following string: <shopperUserID>:<shopperPassword>.
Required parameters: code_challenge, channel_id, client_id, and redirect_uri.
Optional parameters: usid.
The SLAS /login endpoint redirects back to the redirect URI and returns an authorization code.
Calls to /login made with the same loginId and tenantId within 1 second result in a conflict.
curl "https://{shortCode}.api.commercecloud.salesforce.com/shopper/auth/v1/organizations/{organizationId}/oauth2/login" \
-X POST \
-H "Authorization: Basic <client credentials>" \
-H "content-type: application/x-www-form-urlencoded"
Parameters:

organizationId (path): An identifier for the organization the request is being made by. Example: f_ecom_zzxy_prd

Authorization (header): Base64-encoded username and password for HTTP basic authentication. Example: Basic <client credentials>

client_id: SLAS client ID. Required when the grant type is authorization_code_pkce. Example: z99ec276-cg53-4g94-cf72-76f300c6778zc

response_type: Must be code. Indicates that the client wants an authorization code (when the grant type is authorization_code).

redirect_uri: The URI to which the server redirects the browser after the user grants the authorization. The URI must be registered with the SLAS client. A variety of URI formats and wildcards for host are supported, but app links like airbnb:// or fb:// are not. Examples of supported URIs:
- http://localhost:3000/callback
- https://example.com/callback
- com.example.app:redirect_uri_path
- *.subdomain.topleveldomain.com

state: Value to be sent by the client to determine the state between the authorization request and the server response. Optional, but strongly recommended. Example: client-state

scope: Scopes to limit an application's access to a user's account. Example: openid|offline_access|email

usid: The unique shopper ID. Example: 18cda486-fe32-4e27-888b-6e4f89938e67

channel_id: The channel that the request is for. For a B2C Commerce request, this is analogous to the site ID. Example: RefArch

code_challenge: PKCE code challenge, created by the client calling the login endpoint. The code_challenge is created by SHA256 hashing the code_verifier and Base64 encoding the resulting hash. The code_verifier should be a high entropy cryptographically random string with a minimum of 43 characters and a maximum of 128 characters. The code_challenge is optional when using a private client id for the token request. Example: krc5G3_5lRUcXDUzFZQ88oJA_-ZmlHWkyGsgOrSLEWg
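The client-side pieces described above (the PKCE pair, the Basic header, and checking the redirect that comes back) as an added example; this is not code from the SLAS documentation or SDK. It assumes the RFC 7636 S256 form of the challenge (SHA-256, base64url, no padding), which matches the shape of the example value shown, and a constructed redirect URL standing in for the real location header.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlparse

# Unreserved characters allowed in a PKCE code_verifier (RFC 7636).
VERIFIER_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"


def make_code_verifier(length: int = 64) -> str:
    """Cryptographically random verifier, 43..128 characters as the docs require."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def make_code_challenge(code_verifier: str) -> str:
    """SHA-256 of the verifier, base64url-encoded with '=' padding stripped (S256)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def basic_auth_header(shopper_user_id: str, shopper_password: str) -> str:
    """Authorization value: 'Basic ' + Base64('<shopperUserID>:<shopperPassword>')."""
    raw = f"{shopper_user_id}:{shopper_password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_login_redirect(location: str, expected_state: str) -> dict:
    """Pull code and usid out of the redirect; refuse it if state does not match."""
    query = parse_qs(urlparse(location).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this redirect")
    if "code" not in query:
        raise ValueError("no authorization code in redirect")
    return {"code": query["code"][0], "usid": query.get("usid", [None])[0]}


if __name__ == "__main__":
    verifier = make_code_verifier()          # keep this for the /token request
    challenge = make_code_challenge(verifier)  # send this to /login
    # Constructed sample, shaped like the location header the endpoint returns.
    location = ("https://shop.example/callback?usid=00000000-0000-0000-0000-000000000000"
                "&state=1728422547223&scope=openid%20offline_access&code=SAMPLECODE")
    print(challenge, parse_login_redirect(location, "1728422547223"))
```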
This type supports additional properties passed along with the defined properties of this API.
To indicate that the properties were defined and expected to be handled as additional properties, they are expected to be prefixed with a c_.
The type will reject any property that does not fit this pattern, only allowing additional properties beginning with the known prefix.
The authorization code and usid were successfully added to the location header and sent to the callback as query parameters.
{
"location": "https://<host>:<port>/callback?usid=d11392ae-cbf0-4296-9723-8f9f0e49fd73&state=1728422547223&scope=openid%20offline_access&code=561X8NOKvoRezq2aucazwwkrevUoIP37YRTfsRHX8ow"
}