Licensing & Security B2B Commerce Security

Podcast Beta

Play an AI-generated podcast conversation about this lesson

Questions and Answers

What role does the OWIN middleware serve in the security architecture of Configured Commerce?

It is responsible for logging API calls for security audits.

It acts as an intermediary that validates requests. (correct)

It stores user credentials for easy access.

It handles session storage for user authentication.

Which method is used to obtain a bearer access token in Configured Commerce?

generateAccessToken

getAccessToken (correct)

requestBearerToken

authenticateUser

What is checked by the custom code in the Identity Server?

Session expiry status

Username, password, and scope (correct)

User's previous login attempts

User roles and permissions

Where does the cookie authentication middleware operate in the security process?

During the request validation in the OWIN workflows. Signup and view all the answers

What must be set to true in appSettings.config if the Identity Server is disabled?

IdentityServerSkipUrlValidation Signup and view all the answers

What is the purpose of the interceptor in sending a bearer token?

To attach the bearer token to every request. Signup and view all the answers

What does 'grant_type=password' signify in the process of obtaining a bearer token?

Indicates password-based authentication. Signup and view all the answers

Which aspect of the architecture does the Session service handle?

Providing a bearer access token for requests. Signup and view all the answers

What is the purpose of the certificate used by the Identity server?

To sign authentication tokens. Signup and view all the answers

Which command parameter is used to set the expiration date for the self-signed certificate?

-e Signup and view all the answers

Where should the Personal Information Exchange (.pfx) files be stored after export?

~/App_Data/insiteidentity.pfx Signup and view all the answers

What is required to enable Facebook authentication?

Toggling the Allow Sign in with Facebook Account setting to YES. Signup and view all the answers

Which of the following is NOT required for Google authentication?

Google API Key Signup and view all the answers

Which toggle settings manage Windows account access in the application?

Use Windows Sign In on Storefront and Admin Console Signup and view all the answers

What does the Windows Metadata URL setting store?

The metadata needed for WsFederation. Signup and view all the answers

Which parameter in the batch command designates the key size for the certificate?

-len Signup and view all the answers

Study Notes

Configured Commerce Security Architecture

Authentication Workflow: Configured Commerce uses Identity Server and OWIN middleware to handle user authentication for platform access.
Session Service: The Session service provides the getAccessToken method, which generates a bearer access token for subsequent requests.
OWIN Middleware: OWIN middleware sits between the Optimizely API and IIS, validating all requests. It uses an Identity Server Token Authentication OWIN middleware to check and validate the bearer token in the request header.
Cookie Authentication: Cookie authentication middleware is also used within the OWIN workflow.
Bearer Token Retrieving: To retrieve a bearer token in an Angular application, call the getAccessToken method defined in insite.session.service.ts.
Bearer Token Sending: The bearer token fetched from the server is attached to every subsequent request to the website through an interceptor.
Configuration: All security-related settings need to be configured in the appSettings.config file:
- IdentityServerUrl: Specifies the URL of the identity server, defaulting to websiteurl/identity.
- IdentityServerCertificatePassword: The password for the client certificate.
- IdentityServerSkipUrlValidation: Set to true if Identity Server is disabled.
Certificate Signing: Identity Server utilizes certificates to sign authentication tokens. This certificate, separate from the website's SSL certificate, can be self-signed and is configured using the SigningCertificate property within IdentityServerOptions.

Certificate Creation: Use the provided batch command to create a self-signed certificate:

makecert -r -pe -n "CN=insiteidentity" -b 01/01/2020 -e 01/01/2023 -eku 1.3.6.1.5.5.7.3.3 -sky signature -a sha256 -len 2048 -ss my -sr LocalMachine

Certificate Export: Once installed, export the Personal Information Exchange (.pfx) file from the certificate store and save it to @"~\App_Data\insiteidentity.pfx.".
External Authentication: Configured Commerce supports out-of-the-box logins for Windows, Google, and Facebook.
Facebook Authentication: Enable by setting the Allow Sign in with Facebook Account setting to "YES." Credentials for Facebook integration are stored in the configuration as:
- Facebook App ID
- Facebook App Secret
Google Authentication: Enable by setting the Allow Sign in with Google Account setting to "YES". Credentials for Google integration are stored in the configuration as:
- Google Client ID
- Google Client Secret
Windows Authentication: Enable by setting the Allow Sign in with Windows Account setting to "YES." Additional settings control Windows login behavior:
- Use Windows Sign In on Storefront: Enables or disables Windows login on the Storefront.
- Use Windows Sign In on Admin Console: Enables or disables Windows login on the Admin Console.
- Windows Metadata URL: Contains the address to retrieve WsFederation metadata.

Studying That Suits You

Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

Description

This quiz covers the security architecture of Configured Commerce, emphasizing its authentication workflow using Identity Server and OWIN middleware. You'll explore how bearer tokens are generated and sent in Angular applications, alongside the role of cookie authentication in the OWIN workflow. Test your understanding of these crucial concepts in modern web security.