fabric Identity manages authentication and authorization of all of fabric's commerce platform APIs. Before invoking any fabric API (PIM, OMS, Offers, etc.), API clients are required to authenticate with fabric Identity and get an access token. All commerce platform API requests must include this access token. These APIs check the access token for associated policies and permissions before allowing access to a specific merchant's data.
In addition, application developers can use fabric Identity to implement user login and account management for their individual applications. In these scenarios, fabric Identity provides features to quickly implement login flows within applications.
Every API client needing access to fabric platform APIs must create an application (also referred to here as an app) representing itself within fabric Identity. You can create two types of apps depending on 'how' and 'for whom' the app gets the access tokens.
Create a userapp if the API client is an end-user application is using fabric Identity to authenticate its end users. This is suitable for use cases where the application developers want to use fabric Identity to build their login flows quickly and securely without implementing their own authentication and authorization systems. The access token generated in this case represents the end user (rather than the app itself) and can be used to call other fabric platform APIs. End users can be assigned roles to determine which APIs they can access. These apps can use Authorization Code Flow or Authorization Code Flow with PKCE for obtaining access tokens from fabric Identity. fabric recommends using Authorization Code Flow with PKCE whenever possible.
Create a sysapp if the API client wants to authenticate itself with fabric Identity in order to get an access token. This access token is for the app itself and can be used to call other fabric's platform APIs. The sysapp can be assigned a role to determine which APIs it can access. These apps use Client Credential Grant Type to obtain access tokens. Additionally, the sysapp can also be used to create applications with end users, such as ecommerce portals, if the app development team chooses to use an identity solution other than fabric Identity for their end-user login needs.
When using userapps, application developers can benefit from additional features offered by fabric Identity:
- A hosted login page that can be easily customized for branding, themes, and web/mobile experiences
- Support for social logins on all major social platforms
- Customized user account management emails (welcome emails, forgot password etc.)
- Support for implementing user SSO across multiple applications
- Role-based access user control
- Multi-factor authentication and custom password policies
The previous identity solution (Identity v1) provided a simple approach to securing access to fabric's commerce APIs and merchants' data. v1 provided APIs for generating access tokens and using them when invoking other fabric APIs. The access tokens generated in v1 were merchant specific, making it difficult for storefront and third-party developers to implement advanced use cases using fabric APIs, such as user SSO for multi-channel access, B2B storefront, etc.
Identity v1 is now deprecated and is superseded by Identity v2, which is based on industry standard protocols allowing easy implementation of identity use cases for all commerce applications. fabric APIs continue to support access tokens generated from both v1 and v2, allowing time for existing API clients to migrate to the new Identity v2 solution.