Dynamics 365 requires an OAuth 2.0 provider to authorize API calls to Retail Server. Storefront 365 uses Microsoft Azure Active Directory B2C.
Identity Provider
In Dynamics AX 2012 R3, all authentication of a visitor was handled by Episerver using the Customer management features of Episerver Commerce. In the new Dynamics AX (AX7) and Dynamics 365 for Operations, authentication is handled by any identity provider that supports the OAuth 2.0 framework. OAuth 2.0 is an authorization framework; authentication is provided by the OpenID Connect protocol, which is built on top of it.
Because authentication is performed by any identity provider that supports the OAuth 2.0 framework, Storefront 365 supports single sign-on. Single sign-on enables the web site to use Facebook, Twitter, Azure Active Directory and other identity providers.
An identity provider assists Storefront 365 and Dynamics Retail Server with user authentication by keeping the user’s credentials and by providing a security token that guarantees that the user has the identity it claims.
Retail Server does not keep any information about the user’s username, password or similar identification. It trusts the security token from the identity provider and the application requesting access (Storefront 365).
When a user requests access to Dynamics Retail Server, the user is redirected to the login page in the Storefront 365 starter site. The user enters credentials, and the identity provider is called with that information. If the identity provider confirms the identity and the access request, it creates a security token that is then sent with the request to Retail Server.
Retail Server validates the token and the claims in it, and the user is granted access if validation succeeds. Retail Server uses information fetched from the identity provider to validate the token, so the identity provider must be configured in Dynamics and reachable on the network from Retail Server.
If the user is not logged in, the user is treated as anonymous. In that case Retail Server is called without a security token and handles the request as one from an anonymous user, using the Default Customer defined for the channel in the Retail Online Channel definition where appropriate.
NOTE!
It is Dynamics 365 for Operations that verifies that the security token matches an actual customer and that the customer may access the server resources. The Storefront 365 starter site does not by default honour whether the customer entity in Dynamics is blocked.
The security token is valid for a predefined period. The default installation of the identity provider does not implement refresh tokens. A refresh token is used to obtain a new security token when the current one has expired, so that the user does not have to enter credentials again.
Using identity providers also enables single sign-on for the user across all services that trust the identity provider. Every service that trusts the identity provider accepts the user’s requests, because the identity provider vouches for the user’s identity. That is how a single sign-on at the identity provider gives the user access to several services.
Using single sign-on moves the account information to the identity provider. This means that the “Forgot password” feature common on most web sites is no longer useful, since the password is stored at Facebook, Twitter, Google, or whichever identity provider is used.
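The token handling described above (signed token from the identity provider, Retail Server checking signature and claims, anonymous requests falling back to the channel's Default Customer, and expiry without a refresh token) is shown here as an added example. It is not code from Storefront 365 or Retail Server. The issuer, audience, default customer id and signing key are constructed values, and the signature is an HMAC (HS256) stand-in so the example runs with the standard library alone; Azure AD B2C actually signs tokens with RSA (RS256) and publishes its verification keys through its OpenID Connect metadata, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values for the example (assumed, not from any real tenant).
ISSUER = "https://login.example.invalid/tenant-id/"        # identity provider the server trusts
AUDIENCE = "https://retailserver.example.invalid"          # the Retail Server resource
SIGNING_KEY = b"constructed-shared-secret-for-demo-only"   # HS256 stand-in for the provider's key
DEFAULT_CUSTOMER = "000000-anonymous"                      # Default Customer of the online channel


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict) -> str:
    """Play the identity provider: sign a claim set as a compact JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenError(Exception):
    """Raised when a token must be rejected; the message says why."""


def validate_token(token: str, now: Optional[int] = None, leeway: int = 60) -> dict:
    """Play Retail Server: verify the signature, then the standard claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the server decides what it accepts, not the token.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("untrusted issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenError("token not issued for this server")
    if "exp" not in claims or now > int(claims["exp"]) + leeway:
        # No refresh token in the default setup: the user has to sign in again.
        raise TokenError("token expired")
    if now + leeway < int(claims.get("nbf", 0)):
        raise TokenError("token not yet valid")
    return claims


def resolve_customer(token: Optional[str], now: Optional[int] = None) -> Tuple[str, str]:
    """Map a request to a customer: no token means the channel's Default Customer."""
    if token is None:
        return ("anonymous", DEFAULT_CUSTOMER)
    claims = validate_token(token, now=now)
    return ("authenticated", claims["sub"])


if __name__ == "__main__":
    now = int(time.time())
    good = issue_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "cust-42",
                        "iat": now, "exp": now + 3600})
    print(resolve_customer(good))
    print(resolve_customer(None))
```

The order of checks matters: the signature is verified before any claim is read, so an attacker-controlled payload never influences which issuer or audience the server compares against. The small `leeway` absorbs clock drift between the identity provider and Retail Server without turning an expired token into a valid one for long.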
Service-to-Service Trust
Follow the instructions from Microsoft at https://community.dynamics.com/ax/b/axforretail/archive/2016/09/24/support-for-service-to-service-authentication-in-retail-server to create an application in Azure Active Directory that is used between Retail Server and Storefront 365. The information needed for the configuration of Retail Server and the Storefront 365 Starter Site is:
- Directory ID of the Tenant. The Directory ID is available in the properties of the Active Directory in Azure Portal.
- ApplicationID of the Azure AD App. The ApplicationID is available in the overview of the app. The ApplicationID will be used in the configuration of Storefront 365 Starter Site as a ClientId.
- App Key. A key must be created for the Azure AD App. Copy the key and use it in the configuration of the Storefront 365 Starter Site as the SecretKey. The key is only shown in the Azure Portal at the moment it is created, so be sure to copy it then.
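As an added example of how the three values above are used, this script performs the OAuth 2.0 client-credentials exchange that a service-to-service trust relies on: the application authenticates to the Azure AD token endpoint with the Directory ID (tenant), ApplicationID (ClientId) and App Key (SecretKey) and receives a bearer token for the Retail Server resource. It is not code from Storefront 365 or from Microsoft's instructions. The environment variable names, the `resource` identifier and the sample response are assumptions for the example; the endpoint path and form fields are those of the Azure AD v1 token endpoint.

```python
import json
import os
import time
import urllib.parse
import urllib.request
from typing import Optional, Tuple

AUTHORITY = "https://login.microsoftonline.com"   # Azure AD token authority


def build_token_request(tenant_id: str, client_id: str, secret_key: str, resource: str) -> Tuple[str, bytes]:
    """Return the endpoint URL and form body for a client-credentials grant.

    tenant_id  -> Directory ID of the tenant
    client_id  -> ApplicationID of the Azure AD app (ClientId in the starter site)
    secret_key -> App Key (SecretKey in the starter site)
    resource   -> identifier of the Retail Server app the token is requested for (assumed name)
    """
    url = f"{AUTHORITY}/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": secret_key,
        "resource": resource,
    }).encode("ascii")
    return url, body


def parse_token_response(raw: str, now: Optional[int] = None) -> Tuple[str, int]:
    """Extract the bearer token and its remaining lifetime; raise on an error response."""
    now = int(time.time()) if now is None else now
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"token request failed: {data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token type")
    if "expires_on" in data:                      # epoch seconds, as returned by the v1 endpoint
        seconds_left = int(data["expires_on"]) - now
    else:                                         # fall back to the relative lifetime
        seconds_left = int(data["expires_in"])
    return data["access_token"], seconds_left


def load_settings_from_env() -> dict:
    """Read the values from the environment so the App Key never lands in source control."""
    settings = {
        "tenant_id": os.environ.get("SF365_TENANT_ID"),           # assumed variable names
        "client_id": os.environ.get("SF365_CLIENT_ID"),
        "secret_key": os.environ.get("SF365_SECRET_KEY"),
        "resource": os.environ.get("SF365_RETAIL_SERVER_RESOURCE"),
    }
    missing = [name for name, value in settings.items() if not value]
    if missing:
        raise RuntimeError("missing settings: " + ", ".join(missing))
    return settings


def request_token(settings: dict) -> Tuple[str, int]:
    """Perform the exchange over the network (not exercised offline)."""
    url, body = build_token_request(**settings)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    token, ttl = request_token(load_settings_from_env())
    print(f"received bearer token, valid for {ttl} seconds")
```

Because the App Key is a long-lived credential that grants the application's identity, treat it like a password: keep it in a secret store or protected configuration rather than in the site's source tree, and rotate it by creating a new key in the portal before the old one is removed.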