The abstraction layer provided by the Buyer Portal, as you used in the previous lab, will handle the details of authentication with the B2B or BigCommerce GraphQL Storefront APIs automatically, based on the user’s logged-in state. You will not typically need to worry about obtaining and tracking API tokens in your own code.
However, it is helpful to have a baseline understanding of the API authentication flow, particularly since the Buyer Portal manages multiple tokens (for the B2B GraphQL API and the standard BigCommerce GraphQL Storefront API) as well as syncing Stencil session login.
If you don’t want to dig into the authentication details under the hood right now, feel free to skip this section!
Particularly if you are implementing a headless storefront, however, this section provides important details for making sure your Buyer Portal has a valid B2B storefront token.
B2B GraphQL API queries and mutations are either:
login mutation itself is an example of this.It’s essential that a logged-in user in the Buyer Portal have a B2B storefront token for use with this API. The most straightforward way to obtain one is with the user’s credentials and the login mutation. As you’ll see below, there are other methods as well.
All B2B GraphQL requests are made to an endpoint on a BigCommerce domain.
See the B2B GraphQL Playground for details about the mutations described in this section.
Requests to the standard BigCommerce GraphQL Storefront API include two pieces of information relevant to our discussion:
Because of the nature of customer context, the Buyer Portal uses two different approaches for making requests to the GraphQL Storefront API:
When the storefront is Stencil, most requests are made directly to the storefront domain (via the /graphql endpoint, as standard with this API). The client-side nature of the requests allow the customer context to be provided automatically by the Stencil storefront session, as described above.
In this scenario, the Buyer Portal must track a standard storefront token for such requests, in addition to the B2B token.
In a headless storefront, GraphQL Storefront API requests are proxied through a B2B Edition endpoint, which accepts the B2B storefront token and handles the proper authentication and customer context on the backend.
The platform value set in the Buyer Portal initialization scripts controls the designation of Stencil or headless. A value of “bigcommerce” indicates a Stencil storefront.
Note that proxied requests are used for certain GraphQL Storefront API requests even in Stencil storefronts.
In Stencil storefronts, the authentication flow must account for:
The Buyer Portal presents its own custom login page, which performs these major steps:
login mutation.storefrontLoginToken).storefrontLoginToken, to log the customer into the Stencil session.App entry point is triggered, calls the B2B storeFrontToken mutation to obtain a standard storefront token, and sets it in the session.By the end of this process, the user has been logged into the Stencil storefront and has obtained tokens for both APIs.
See the following areas of the codebase:
handleLoginSubmit in pages/Login/index.tsxloginInfo in utils/loginInfo.ts (called in App.tsx)If the user’s B2B storefront token is removed from the session or invalidated in any way, but the user is still logged into the Stencil storefront, the Buyer Portal automatically takes care of re-obtaining a token without requiring the user to provide their credentials again.
authorization mutation is called with the JWT to obtain the B2B token.See the following areas of the codebase:
getCurrentCustomerInfo and loginWithCurrentCustomerJWT in utils/loginInfo.tsWhen using the Buyer Portal in a headless storefront, there are a couple of possible approaches to authentication:
If your headless storefront presents the Buyer Portal’s built-in login page, the authentication flow will be the same as described for Stencil above. The key difference is that the steps for logging into the storefront session and obtaining a standard storefront token will not be performed, as these are not relevant outside Stencil. (Remember, in a headless storefront GraphQL Storefront API requests are proxied.)
Most headless storefronts will utilize their own authentication and session management. In addition, the most common approach to the standard BigCommerce GraphQL Storefront API in headless storefronts is to use server-side, stateful requests with a customer access token for customer context.
In this scenario, these two key steps will provide the necessary B2B storefront token to the Buyer Portal:
window.b2b.utils.loginWithB2BStorefrontToken to set the token properly in the session and ensure the Buyer Portal hydrates the user’s session details.In Catalyst
The Catalyst integration utilizes the Custom Login Page approach, adding the above steps to the typical authentication flow.