In this tutorial, you will learn how to enable single sign-on for storefront customers using the Customer Login API and JSON Web Tokens.
You can also use the GraphQL Storefront API to authorize your application to work with customer-specific storefront data.
Single sign-on (SSO) is an authentication mechanism that enables users to sign in to multiple software applications using the same set of credentials that the user enters only once. It eliminates the need to maintain multiple passwords, which streamlines the process of accessing web applications. For more details, see Single Sign-On.
When a user signs into your web app, you can use the Customer Login API to authenticate the user to your BigCommerce store through SSO.
You can use the Customer Login API in the following use cases:
Storefront customers are signed in using the access point URL /login/token/{token}. The {token} must be a JSON Web Token (JWT) containing parameters for the customer login request signed by your application’s OAuth client secret. For more information on the OAuth protocol, see OAuth.
JWT is an industry standard (RFC 7519) for securely transmitting information between two parties. A JWT is a sequence of base64url-encoded strings separated by dots (.). The sections include the header, payload, and signature. For more details, see Introduction to JSON Web Tokens.
To enable SSO using the Customer Login API, you will need the following:
Be sure to set the Customers Login scope to Login.

To sign a customer in to their storefront account using the Customer Login API, your app needs to redirect the customer’s browser to the following access point URL: https://storedomain.com/login/token/{token}.
The {token} parameter is the JWT containing the payload data signed by your app’s OAuth client secret.
We recommend writing a script to generate a login token since the JWT’s iat (issued at) claim is only valid for 30 seconds. BigCommerce supplies helper methods for generating login tokens in our API Client Libraries.
The beginning of this tutorial focuses on manually creating a token using the debugger tool at JWT.io. Then, we will explore how to use a JavaScript function to programmatically generate an access point URL.
To create a JWT, you will need to obtain a customer_id using the Customers v3 API.
GET request to the Get All Customers endpoint. Choose a customer and make note of the customer_id. Open the debugger at JWT.io.
In the “HEADER” field, make sure the JWT alg (algorithm) field is set to "HS256" and the typ (token type) field is set to "JWT".
{token} parameter. Example:
If the request was successful, you will be signed in as a customer and directed to /account.php. If it was unsuccessful, a sign-in attempt error message will be displayed, and you will be directed to /login.php.
For common causes of sign-in failure, see Troubleshooting.
In this part of the tutorial, we will walk you through creating an access point URL using JavaScript. You will need Node.js installed on your machine to complete this section.
Open the urlGenerator folder in your code editor of choice and create a new JS file.
Paste the following code into the new JS file:
Replace your app and customer-specific values in the variables.
Run the code:
You should receive a complete access point URL as an output.
If the request was successful, you will be signed in as a customer and directed to /account.php. If it was unsuccessful, you will receive a sign-in attempt error message and be directed to /login.php. For common causes of sign-in failure, see Troubleshooting.
Helper methods for generating login tokens are provided in our API Client Libraries. See the following BigCommerce repositories for language-specific examples:
For client libraries in other languages, see Libraries for Token Signing/Verification.
To sign a customer out, set the redirect_to field of the JWT’s payload to /login.php?action=logout.
GET request is made.