fabric Identity manages authentication and authorization for all of fabric's commerce platform APIs. Before invoking any fabric API (PIM, OMS, Offers, etc.), API clients are required to authenticate with fabric Identity and obtain an access token. This access token must be sent with every API request to fabric's commerce platform. All commerce platform APIs check the access token for its associated policies and permissions before allowing access to a specific tenant's data.
In addition, application developers can also use fabric Identity to implement user login and account management functionality for their own applications. In these usage scenarios fabric Identity readily provides several additional features to quickly implement login flows within applications.
Every API client looking to access fabric platform APIs should create an application (also referred to here as an app) representing itself within fabric Identity. There are two types of apps that can be created depending on 'how' and 'for whom' the App gets the access tokens.
A `sysapp` is created if the API client wants to authenticate itself with fabric Identity and get an access token. This access token is for the app itself and can be used to call fabric's other platform APIs. The `sysapp` can be assigned a role to determine which APIs it can access within the fabric platform. These apps use the Client Credentials grant type to obtain access tokens. Additionally, a `sysapp` can also be used to build applications with end users, like ecommerce portals, if the app development team chooses to use an identity solution other than fabric Identity for their end-user login needs.
A `userapp` is created if the API client is an end-user application and it wants to authenticate its end users with fabric Identity. This is suitable for use cases where the application developers would like to use fabric Identity to build their login flows quickly and securely without implementing their own identity systems. The access token generated in this case is for the end user (not for the app itself) and can be used to call fabric's other platform APIs. End users can be assigned roles to determine which APIs they can access. These apps can use the Authorization Code Flow or the Authorization Code Flow with PKCE to obtain access tokens from fabric Identity. fabric recommends using Authorization Code Flow with PKCE where possible.
With a `userapp`, application developers can benefit from additional features offered by fabric Identity:
- A hosted login page that can be easily customized for branding, themes and web/mobile experiences
- Support for social logins with all major social platforms
- Customizable emails related to user account management (welcome emails, forgot password, etc.)
- Support for implementing SSO for users across multiple applications
- Role based access control of users
- Multi-factor authentication and custom password policies
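The two token-acquisition paths described above (Client Credentials for a `sysapp`, Authorization Code with PKCE for a `userapp`) and the bearer header every platform API call must carry, shown as an added example. This is not fabric's own code or SDK: the endpoint URLs, client ids and redirect URI are placeholder assumptions, and the requests are built as plain dictionaries rather than sent, so it runs offline. It also includes the server-side PKCE check (`verify_pkce`) and the `state` comparison on the redirect, which is where a defender would want to see the code verifier and CSRF protection actually enforced.

```python
"""Added example, not fabric's code. Builds the OAuth 2.0 requests a sysapp
(Client Credentials) and a userapp (Authorization Code + PKCE, RFC 7636) send
to fabric Identity. All URLs and ids below are placeholder assumptions."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder endpoints: the page does not state fabric Identity's real URLs.
AUTHORIZE_URL = "https://identity.example.invalid/oauth2/authorize"
TOKEN_URL = "https://identity.example.invalid/oauth2/token"


def b64url(raw):
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair(nbytes=32):
    """Return (code_verifier, code_challenge) using the S256 method.
    32 random bytes encode to 43 chars, the RFC 7636 minimum verifier length."""
    verifier = b64url(secrets.token_bytes(nbytes))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier, challenge):
    """Server-side check at the token endpoint: the presented verifier must
    hash to the challenge that was stored with the authorization code."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def userapp_authorize_url(client_id, redirect_uri, challenge, state, scope="openid"):
    """Browser redirect that starts the Authorization Code Flow with PKCE."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                     # bound to the user session, checked on return
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_redirect(redirect_url, expected_state):
    """Parse the redirect back from the identity provider. A mismatched state is
    rejected before the code is ever exchanged (login-CSRF defence)."""
    qs = parse_qs(urlsplit(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in qs:
        raise ValueError(qs["error"][0])
    return qs["code"][0]


def userapp_token_request(client_id, redirect_uri, code, verifier):
    """Form body for exchanging the code; the verifier proves the same client
    that started the flow is finishing it. No client secret is needed."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def sysapp_token_request(client_id, client_secret):
    """Client Credentials grant: the app authenticates as itself. The secret
    travels in an HTTP Basic header over TLS, never in a query string."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = {"grant_type": "client_credentials"}
    return headers, body


def bearer_headers(access_token):
    """Every call to a fabric platform API carries the token as a Bearer header."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(userapp_authorize_url("placeholder-client-id", "https://shop.example.invalid/cb",
                                challenge, state))
    # Constructed redirect, as the browser would return it after login.
    code = handle_redirect(f"https://shop.example.invalid/cb?code=abc123&state={state}", state)
    print(userapp_token_request("placeholder-client-id", "https://shop.example.invalid/cb",
                                code, verifier))
    print(sysapp_token_request("placeholder-sysapp-id", "placeholder-secret"))
```

The verifier is kept only on the client that generated it and the challenge only on the server; `verify_pkce` uses a constant-time comparison so the token endpoint does not leak timing information about the stored challenge. The known-answer pair from RFC 7636 Appendix B can be used to confirm the S256 computation is correct.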
The previous identity solution (referred to here as Identity v1) provided a simple approach to securing access to fabric's commerce APIs and tenant data. The v1 version provided APIs for generating access tokens and using them when invoking the rest of the fabric APIs. The access tokens generated in v1 are tenant specific, making it difficult for storefront and third-party developers to implement advanced use cases with fabric APIs, such as user SSO for multi-channel access or B2B storefronts.
Identity v1 is now deprecated and is superseded by Identity v2, which is based on industry-standard protocols allowing easy implementation of identity use cases for all commerce applications. fabric APIs will continue to support access tokens generated by both v1 and v2, allowing time for existing API clients to migrate to the new identity solution. You can find the Identity v1 docs here.