Backoffice Authentication
Authentication gives you control over who has access to your backoffice.
By default, Ucommerce automatically authenticates as a test administrator account. This is very useful when developing locally, so you do not have to set up authentication from the get-go. When going to production this should be changed, however, so the back office is protected from unverified use, and handle individual user permissions. Ucommerce leverages the built-in ASP.NET Core authorization to restrict access to the back office API. This means that you will have to implement an ASP.NET authorization system yourself.
It is recommended that you integrate a well-known identity provider. We have examples of how it can be done using Microsoft Entra ID and Auth0.
We suggest that you implement an authorization system using OpenID Connect since this will enable you to use single sign-on (SSO), allowing you to share logins between Ucommerce and other OAuth-enabled applications like a CMS.
Add an external identity provider
Ucommerce takes care of the local login session, so you need to set up a scheme that will take care of logging in the user. Additionally, Ucommerce needs an implementation of the IExternalClaimsMapper
interface.
Use the options hook when calling AddBackOffice()
in program.cs
, to configure your scheme:
Since Ucommerce takes care of the session cookie, you should not set cookies in your external authentication scheme.
You can use the ASP.NET configuration to override the external identity provider that Ucommerce will forward to. You can define the scheme by setting the value for Ucommerce:BackOffice:ExternalIdentityProviderScheme
to the name of one of the registered schemes. This allows you to change the provider depending on the environment. To use the built-in scheme set the value to ucommerce-test-user
.
External Claims Mapper
Ucommerce automatically creates and updates a local user when a user logs in via an external identity provider, so it needs a mapping of the external claims, to the local user in Ucommerce.
To create a mapping you implement the IExternalClaimsMapper
interface.
The interface consists of a single method MapClaims
that must take care of the mapping from the incoming claim to an AuthUser
object.
AuthUser Properties
The default ExternalClaimsMapper
ExternalClaimsMapper
Ucommerce comes with a default claims mapper (Ucommerce.Web.BackOffice.Authentication.ExternalClaimsMapper
) that maps claims in the following way. The keys are also defined in the UcommerceClaimTypes
constants class.
Related Articles
Last updated