You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
However, to implement a zero-trust authentication, you need more!
It would be useful to be able to mark a storefront as protected and validate that the user was authenticated with B2C Commerce Account Manager similar/the same as the Storefront Preview feature:
Ideally, this could be a flag in Runtime Admin that you could enable on a per environment basis, with the configuration coming from the B2C Commerce instance info of that environment.
For non-production storefronts, it is common to gate/block access to prevent unauthorized users or bots from seeing what is under development.
Managed Runtime provides the ability to set a list of allowed IPs and to deny requests that don't include an access control header: https://developer.salesforce.com/docs/commerce/pwa-kit-managed-runtime/guide/mrt-overview.html#admin-tools
eCDN provides similar abilities: https://developer.salesforce.com/docs/commerce/commerce-api/guide/cdn-zones-custom-rules.html
However, to implement a zero-trust authentication, you need more!
It would be useful to be able to mark a storefront as protected and validate that the user was authenticated with B2C Commerce Account Manager similar/the same as the Storefront Preview feature:
https://developer.salesforce.com/docs/commerce/pwa-kit-managed-runtime/guide/storefront-preview.html#3-confirm-that-your-account-manager-user-has-access-to-the-b2c-commerce-instance
Today, its possible to implement this in user space using either Account Manager's OIDC endpoints or the SLAS Trusted Agent Authorization:
You could couple this with a Express.js middleware approach like shown here:
https://github.com/auth0/express-openid-connect
Ideally, this could be a flag in Runtime Admin that you could enable on a per environment basis, with the configuration coming from the B2C Commerce instance info of that environment.
@taurgis wrote a blog post with additional details: https://www.rhino-inquisitor.com/storefront-protection-in-the-pwa-kit/
The text was updated successfully, but these errors were encountered: