Questions and Answers
What is the primary purpose of the certificate described in the content?
Which command parameter is used to set the expiration date of the self-signed certificate?
Where should the exported Personal Information Exchange (.pfx) file be stored?
Which authentication method requires the 'Allow Sign in with Facebook Account' setting to be enabled?
What is the purpose of the Windows Metadata URL setting?
Which of the following is NOT a supported external authentication method mentioned?
What property is used to set the signing certificate in IdentityServerOptions?
What information do you need to connect to Google for authentication?
What does the getAccessToken method in the Session service provide?
What role does the OWIN middleware play in the security architecture?
Which line of code correctly demonstrates how user credentials are configured in the getAccessToken method?
What is the purpose of the bearer token once it is issued to the client?
Where does cookie authentication middleware take place in the security architecture?
What is one necessity for the IdentityServerSkipUrlValidation setting in the appSettings.config file?
What must be included in the headers when obtaining a bearer token in the getAccessToken method?
Which of the following is NOT part of the credentials sent during the token request?
Study Notes
Configured Commerce Security Architecture
- Configured Commerce uses Identity Server and OWIN middleware to authenticate requests.
- Identity Server validates username, password, and scope.
- OWIN middleware sits between the Optimizely API and IIS, validating requests and using Identity Server token authentication to validate the bearer token.
- Cookie authentication middleware takes place within IIS's OWIN workflows.
Obtaining a Bearer Token
- The getAccessToken method in insite.session.service.ts retrieves a bearer token using a specified username and password.
- The method sends a POST request to the token URI with encoded credentials and scope information.
- The request includes a base64 encoded authorization header.
Sending a Bearer Token
- The bearer token is attached to every request to the website by an interceptor.
- The implementation for this can be found in insite.authenticationinterceptor.factory.ts.
Configuring appSettings
- The following app settings are required in the appSettings.config file:
  - IdentityServerUrl: URL of the identity server (defaults to websiteurl/identity).
  - IdentityServerCertificatePassword: Password for the client certificate.
  - IdentityServerSkipUrlValidation: Set to true if identity server is disabled.
Certificate Management
- Identity server uses certificates to sign authentication tokens.
- This certificate should be self-signed and different from the website's SSL certificate.
- The certificate is set on the IdentityServerOptions using the SigningCertificate property.
- A self-signed certificate can be created using the makecert command.
- Once installed, the Personal Information Exchange (.pfx) file should be exported and stored at @"~\App_Data\insiteidentity.pfx".
External Authentication
- Configured Commerce supports Windows, Google, and Facebook login.
Facebook Authentication
- Enabled by toggling the "Allow Sign in with Facebook Account" setting to YES.
- Requires the following credentials:
- Facebook App ID
- Facebook App Secret
Google Authentication
- Enabled by toggling the "Allow Sign in with Google Account" setting to YES.
- Requires the following credentials:
- Google Client ID
- Google Client Secret
Windows Authentication
- Enabled by toggling the "Allow Sign in with Windows Account" setting to YES.
- Additional settings control storefront and admin console use:
- "Use Windows Sign In on Storefront"
- "Use Windows Sign In on Admin Console"
- The "Windows Metadata URL" setting stores the address to retrieve WsFederation metadata.
Description
This quiz covers key concepts surrounding the security architecture of Configured Commerce. Learn about the use of Identity Server and OWIN middleware for authentication, as well as how to obtain and send bearer tokens. Testing your understanding of these concepts will enhance your knowledge in modern web application security.