@spree/docs 0.1.93 → 0.1.94

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (46) hide show
  1. package/dist/api-reference/admin-api/authentication.md +8 -7
  2. package/dist/api-reference/admin-api/endpoints.md +348 -0
  3. package/dist/api-reference/admin-api/errors.md +2 -0
  4. package/dist/api-reference/admin-api/introduction.md +11 -0
  5. package/dist/api-reference/store.yaml +243 -232
  6. package/dist/developer/agentic/overview.md +1 -1
  7. package/dist/developer/cli/admin-api.md +146 -0
  8. package/dist/developer/cli/quickstart.md +40 -5
  9. package/dist/developer/core-concepts/addresses.md +32 -16
  10. package/dist/developer/core-concepts/adjustments.md +11 -5
  11. package/dist/developer/core-concepts/architecture.md +8 -8
  12. package/dist/developer/core-concepts/calculators.md +31 -51
  13. package/dist/developer/core-concepts/channels.md +13 -6
  14. package/dist/developer/core-concepts/customers.md +47 -23
  15. package/dist/developer/core-concepts/events.md +22 -17
  16. package/dist/developer/core-concepts/imports-exports.md +69 -14
  17. package/dist/developer/core-concepts/inventory.md +79 -1
  18. package/dist/developer/core-concepts/markets.md +64 -20
  19. package/dist/developer/core-concepts/media.md +43 -6
  20. package/dist/developer/core-concepts/metafields.md +76 -13
  21. package/dist/developer/core-concepts/orders.md +95 -17
  22. package/dist/developer/core-concepts/payments.md +14 -13
  23. package/dist/developer/core-concepts/pricing.md +95 -9
  24. package/dist/developer/core-concepts/products.md +192 -26
  25. package/dist/developer/core-concepts/promotions.md +61 -4
  26. package/dist/developer/core-concepts/reports.md +4 -2
  27. package/dist/developer/core-concepts/search-filtering.md +82 -32
  28. package/dist/developer/core-concepts/shipments.md +16 -13
  29. package/dist/developer/core-concepts/slugs.md +20 -11
  30. package/dist/developer/core-concepts/staff-roles.md +51 -1
  31. package/dist/developer/core-concepts/store-credits-gift-cards.md +90 -9
  32. package/dist/developer/core-concepts/stores.md +16 -14
  33. package/dist/developer/core-concepts/taxes.md +28 -0
  34. package/dist/developer/core-concepts/translations.md +16 -7
  35. package/dist/developer/core-concepts/users.md +13 -9
  36. package/dist/developer/core-concepts/webhooks.md +95 -64
  37. package/dist/developer/how-to/custom-api-authentication.md +103 -23
  38. package/dist/developer/multi-store/quickstart.md +1 -1
  39. package/dist/developer/sdk/admin/authentication.md +1 -1
  40. package/dist/developer/sdk/admin/resources.md +2 -0
  41. package/dist/developer/upgrades/5.3-to-5.4.md +1 -1
  42. package/dist/developer/upgrades/5.4-to-5.5.md +1 -1
  43. package/dist/integrations/integrations.md +0 -7
  44. package/package.json +1 -1
  45. package/dist/integrations/sso-mfa-social-login/admin-dashboard.md +0 -57
  46. package/dist/integrations/sso-mfa-social-login/storefront.md +0 -56
@@ -1,6 +1,6 @@
1
1
  ---
2
2
  title: Integrate a Third-Party Identity Provider
3
- description: Step-by-step guide to plugging a custom identity provider (Auth0, Okta, Firebase, Cognito, or any JWT issuer) into the Spree Store API.
3
+ description: Step-by-step guide to plugging a custom identity provider (Auth0, Okta, Firebase, Cognito, or any JWT issuer) into the Spree Store and Admin APIs.
4
4
  ---
5
5
 
6
6
  import { Since } from '/snippets/since.mdx';
@@ -8,19 +8,35 @@ import { Since } from '/snippets/since.mdx';
8
8
 
9
9
  ## Overview
10
10
 
11
- Spree's Store API ships with a pluggable authentication system. You register a **strategy class** for a named provider, and the existing login endpoints will dispatch to it — no controller patching, no route overrides, no fork.
11
+ Both Spree APIs — the customer-facing **Store API** and the back-office **Admin API** — ship with the same pluggable authentication system. You register a **strategy class** for a named provider, and the existing login endpoints dispatch to it — no controller patching, no route overrides, no fork.
12
12
 
13
13
  By the end of this guide you'll have:
14
14
 
15
15
  - A custom strategy that verifies a third-party JWT against a JWKS endpoint
16
16
  - A user account auto-provisioned on first login, reused on subsequent logins
17
17
  - A standard **Spree-issued JWT + refresh token** returned to the client
18
- - All Store API endpoints (cart, checkout, account) protected by Spree's own JWT — the third-party token is only used at the exchange step
18
+ - Every API endpoint protected by Spree's own JWT — the third-party token is only used at the login exchange step
19
19
 
20
- > **INFO:** The same pattern works for Admin API integrations via `admin_authentication_strategies`. Examples in this guide target the Store API; substitute `Spree.admin_user_class` and the admin endpoints where noted.
20
+ ### Store vs Admin what changes
21
+
22
+ The mechanism is identical for both surfaces. A strategy you write works on either side; only the registry you add it to (and a handful of surface-specific details) differ:
23
+
24
+ | | Store API (customers) | Admin API (staff) |
25
+ |---|---|---|
26
+ | Registry | `Spree.store_authentication_strategies` | `Spree.admin_authentication_strategies` |
27
+ | User class | `Spree.user_class` | `Spree.admin_user_class` |
28
+ | Login endpoint | `POST /api/v3/store/auth/login` | `POST /api/v3/admin/auth/login` |
29
+ | Refresh endpoint | `POST /api/v3/store/auth/refresh` | `POST /api/v3/admin/auth/refresh` |
30
+ | JWT audience | `aud: store_api` | `aud: admin_api` |
31
+ | Refresh token delivery | returned in the response body | set as an `HttpOnly` cookie |
32
+ | Strategy base class | `Spree::Authentication::Strategies::BaseStrategy` | *(same)* |
33
+
34
+ Everything else — the strategy class you write, the `BaseStrategy` helpers, JWT verification, account provisioning, account linking — is the same. The walkthrough below uses the Store API; each step calls out the one-line Admin swap.
21
35
 
22
36
  ## Architecture
23
37
 
38
+ The flow below uses the Store API; the Admin API is identical with `admin` in the path and `aud: admin_api` on the issued JWT.
39
+
24
40
  ```
25
41
  Client → POST /api/v3/store/auth/login
26
42
  { provider: "my_idp", token: "<third-party JWT>" }
@@ -127,15 +143,33 @@ end
127
143
 
128
144
  ## Step 2: Register the Strategy
129
145
 
130
- Add the strategy to `Spree.store_authentication_strategies` in an initializer. The key you choose here is what clients will send as `provider` in the login payload.
146
+ Add the strategy to a registry in an initializer. **This is the only line that decides which API the provider serves** — `store_authentication_strategies` for customer login, `admin_authentication_strategies` for staff login. Register with both to allow the same provider on either surface. The key you choose here is what clients send as `provider` in the login payload.
131
147
 
132
- ```ruby config/initializers/spree.rb
148
+
149
+ ```ruby Store API
150
+ # config/initializers/spree.rb
133
151
  Rails.application.config.after_initialize do
134
152
  Spree.store_authentication_strategies.add(:external_idp, MyApp::Auth::ExternalJwtStrategy)
135
153
  end
136
154
  ```
137
155
 
138
- `Spree.store_authentication_strategies` is a `Spree::Authentication::StrategyRegistry`. The full API:
156
+ ```ruby Admin API
157
+ # config/initializers/spree.rb
158
+ Rails.application.config.after_initialize do
159
+ Spree.admin_authentication_strategies.add(:okta, MyApp::Auth::OktaStrategy)
160
+ end
161
+ ```
162
+
163
+ ```ruby Both
164
+ # config/initializers/spree.rb
165
+ Rails.application.config.after_initialize do
166
+ Spree.store_authentication_strategies.add(:external_idp, MyApp::Auth::ExternalJwtStrategy)
167
+ Spree.admin_authentication_strategies.add(:external_idp, MyApp::Auth::ExternalJwtStrategy)
168
+ end
169
+ ```
170
+
171
+
172
+ Both registries are a `Spree::Authentication::StrategyRegistry` with the same API:
139
173
 
140
174
  | Method | Purpose |
141
175
  |---|---|
@@ -144,19 +178,18 @@ end
144
178
  | `[key]` | Look up a registered class. |
145
179
  | `key?(key)`, `keys`, `values`, `each`, `to_h` | Standard introspection. |
146
180
 
147
- > **WARNING:** `Spree::UserIdentity` validates that `provider` is a registered strategy key. Registration must happen during boot before the first login attempt.
181
+ The strategy is instantiated with the surface's user class automatically — `Spree.user_class` from the store registry, `Spree.admin_user_class` from the admin registry and your `authenticate` reads it via the `user_class` helper, so the same class provisions customers on one side and staff on the other.
148
182
 
149
- For an admin-side equivalent, register under `Spree.admin_authentication_strategies` instead and instantiate your strategy against `Spree.admin_user_class`:
183
+ > **TIP:** Restrict a surface to SSO by removing the built-in email/password strategy after adding yours: `Spree.admin_authentication_strategies.remove(:email)` locks staff to your provider; the store side stays on email/password.
150
184
 
151
- ```ruby
152
- Spree.admin_authentication_strategies.add(:okta, MyApp::Auth::OktaStrategy)
153
- ```
185
+ > **WARNING:** `Spree::UserIdentity` validates that `provider` is a registered strategy key. Registration must happen during boot — before the first login attempt.
154
186
 
155
187
  ## Step 3: Call the Exchange Endpoint
156
188
 
157
- `POST /api/v3/store/auth/login` is the single dispatcher. The `provider` field in the body selects the strategy — omit it for built-in email/password, set it to your registered key for everything else. The remaining body fields are whatever your strategy reads from `params`.
189
+ The login endpoint is the single dispatcher — `/api/v3/store/auth/login` for customers, `/api/v3/admin/auth/login` for staff. The `provider` field in the body selects the strategy — omit it for built-in email/password, set it to your registered key for everything else. The remaining body fields are whatever your strategy reads from `params`.
158
190
 
159
- ```http
191
+
192
+ ```http Store API
160
193
  POST /api/v3/store/auth/login
161
194
  X-Spree-API-Key: pk_your_publishable_key
162
195
  Content-Type: application/json
@@ -167,21 +200,45 @@ Content-Type: application/json
167
200
  }
168
201
  ```
169
202
 
170
- The response is the standard Spree auth payload:
203
+ ```http Admin API
204
+ POST /api/v3/admin/auth/login
205
+ X-Spree-API-Key: sk_your_secret_key
206
+ Content-Type: application/json
207
+
208
+ {
209
+ "provider": "okta",
210
+ "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs..."
211
+ }
212
+ ```
213
+
214
+
215
+ The response is the standard Spree auth payload. The difference is the refresh token: the **Store API returns it in the body**, while the **Admin API sets it as an `HttpOnly` cookie** scoped to `/api/v3/admin/auth` and omits it from the body.
216
+
171
217
 
172
- ```json
218
+ ```json Store API
173
219
  {
174
220
  "token": "<Spree HS256 JWT, aud=store_api>",
175
221
  "refresh_token": "rt_xxxxxxxxxxxx",
176
- "user": { "id": "user_...", "email": "...", "first_name": "...", "...": "..." }
222
+ "user": { "id": "user_...", "email": "...", "...": "..." }
177
223
  }
178
224
  ```
179
225
 
180
- From here, the client sends `Authorization: Bearer <Spree JWT>` on every subsequent Store API call. When the JWT expires (default: 1 hour), the client hits `POST /api/v3/store/auth/refresh` with the refresh token to rotate both.
226
+ ```json Admin API
227
+ {
228
+ "token": "<Spree HS256 JWT, aud=admin_api>",
229
+ "user": { "id": "user_...", "email": "...", "...": "..." }
230
+ }
231
+ ```
181
232
 
182
- From `@spree/sdk` the same call looks like:
233
+ The refresh token arrives as a `Set-Cookie: spree_admin_refresh_token=…; HttpOnly; Path=/api/v3/admin/auth` response header rather than in the body.
183
234
 
184
- ```ts
235
+
236
+ From here, the client sends `Authorization: Bearer <Spree JWT>` on every subsequent call. When the JWT expires (default: 1 hour), it rotates via the refresh endpoint — the Store API takes the refresh token in the body of `POST /api/v3/store/auth/refresh`; the Admin API drives `POST /api/v3/admin/auth/refresh` entirely from the cookie (see [Admin Auth & Cookie Refresh](../../api-reference/admin-api/authentication.md)).
237
+
238
+ The SDKs wrap the same exchange — `@spree/sdk` for the Store API, `@spree/admin-sdk` for the Admin API:
239
+
240
+
241
+ ```ts Store SDK
185
242
  import { createClient } from '@spree/sdk'
186
243
 
187
244
  const client = createClient({ baseUrl: 'https://your-store.com', publishableKey: '<pk>' })
@@ -192,6 +249,19 @@ const auth = await client.auth.login({
192
249
  })
193
250
  ```
194
251
 
252
+ ```ts Admin SDK
253
+ import { createAdminClient } from '@spree/admin-sdk'
254
+
255
+ const client = createAdminClient({ baseUrl: 'https://your-store.com' })
256
+
257
+ // Refresh token lands in the HttpOnly cookie; only the access token comes back here.
258
+ const auth = await client.auth.login({
259
+ provider: 'okta',
260
+ token: thirdPartyJwt,
261
+ })
262
+ ```
263
+
264
+
195
265
  `LoginCredentials` is a discriminated union — pass `{ email, password }` for the built-in strategy, or `{ provider, ...customFields }` for any strategy you registered.
196
266
 
197
267
  ## Account Linking
@@ -225,20 +295,29 @@ end
225
295
 
226
296
  ## Logout
227
297
 
228
- ```http
298
+
299
+ ```http Store API
229
300
  POST /api/v3/store/auth/logout
230
301
  Content-Type: application/json
231
302
 
232
303
  { "refresh_token": "rt_xxxxxxxxxxxx" }
233
304
  ```
234
305
 
306
+ ```http Admin API
307
+ POST /api/v3/admin/auth/logout
308
+ Content-Type: application/json
309
+
310
+ # No body — the refresh token is read from the HttpOnly cookie and cleared.
311
+ ```
312
+
313
+
235
314
  This revokes the Spree refresh token. The Spree JWT itself remains valid until it expires naturally (short-lived by design — default 1 hour). Spree does **not** call the IdP's revocation endpoint; if you need single sign-out, do that from the client.
236
315
 
237
316
  ## Security Notes
238
317
 
239
318
  A few things worth getting right:
240
319
 
241
- - **Don't try to pass the third-party JWT through to protected endpoints.** Spree's `JwtAuthentication` concern verifies `iss: 'spree'` and `aud: 'store_api'` with HS256 against the Spree secret — a foreign RS256 token will never validate, and you don't want it to. The exchange-at-login model is the right one.
320
+ - **Don't try to pass the third-party JWT through to protected endpoints.** Spree's `JwtAuthentication` concern verifies `iss: 'spree'` and the expected audience (`store_api` or `admin_api`) with HS256 against the Spree secret — a foreign RS256 token will never validate, and you don't want it to. The exchange-at-login model is the right one.
242
321
  - **JWKS caching and rotation.** Cache the JWKS (the example uses a 1-hour TTL) but make sure your loader honors the `invalidate: true` option so that an unrecognized `kid` triggers a refetch. Otherwise key rotation at the IdP locks users out for up to the TTL.
243
322
  - **Validate `iss` and `aud` claims.** Always. The example passes `verify_iss: true, verify_aud: true` to `JWT.decode` — don't drop those.
244
323
  - **Algorithm pinning.** Hard-code `algorithms: ['RS256']` (or whatever your IdP uses). Never let the token's own `alg` header decide — the classic `alg: none` and HS-as-RS confusion attacks both exploit lax algorithm selection.
@@ -297,5 +376,6 @@ end
297
376
  - `Spree::Authentication::Strategies::BaseStrategy` — `spree/core/app/models/spree/authentication/strategies/base_strategy.rb`
298
377
  - `Spree::UserIdentity` — `spree/core/app/models/spree/user_identity.rb`
299
378
  - `Spree::Api::V3::Store::AuthController` — `spree/api/app/controllers/spree/api/v3/store/auth_controller.rb`
379
+ - `Spree::Api::V3::Admin::AuthController` — `spree/api/app/controllers/spree/api/v3/admin/auth_controller.rb`
300
380
  - `Spree::Api::V3::JwtAuthentication` — `spree/api/app/controllers/concerns/spree/api/v3/jwt_authentication.rb`
301
- - See also: [Authentication](../customization/authentication.md) for `Spree.user_class` integration.
381
+ - See also: [Staff & Roles](../core-concepts/staff-roles.md) for the admin login flow, [Customers](../core-concepts/customers.md) for storefront auth, and [Authentication](../customization/authentication.md) for `Spree.user_class` integration.
@@ -4,7 +4,7 @@ sidebarTitle: Quickstart
4
4
  description: Enable multiple storefronts on a single Spree app with the spree_multi_store gem, including per-store products, payment methods, taxonomies, and promotions.
5
5
  ---
6
6
 
7
- To enable multiple stores, you will need to add the `spree_multi_store` gem to your project via:
7
+ To enable multiple stores, you will need to add the [spree_multi_store](quickstart.md) gem to your project via:
8
8
 
9
9
 
10
10
  ```bash Spree CLI (Docker)
@@ -78,7 +78,7 @@ try {
78
78
 
79
79
  ### Identity providers
80
80
 
81
- `auth.login()` also accepts third-party identity-provider payloads when the server has a matching strategy registered in `Spree.store_authentication_strategies`:
81
+ `auth.login()` also accepts third-party identity-provider payloads when the server has a [matching strategy registered](../../how-to/custom-api-authentication.md):
82
82
 
83
83
  ```typescript
84
84
  const { token } = await client.auth.login({ provider: 'auth0', token: idpJwt })
@@ -6,6 +6,8 @@ description: "Reference for every @spree/admin-sdk resource — products, orders
6
6
 
7
7
  Every Admin API resource is exposed as a property on the client (`client.orders`, `client.products`, …). Collection resources follow a consistent CRUD shape — `list`, `get`, `create`, `update`, `delete` — plus resource-specific actions. Nested resources take the **parent ID as the first argument**:
8
8
 
9
+ For the underlying HTTP surface — every endpoint with the API key scope it requires — see the [Admin API endpoint index](../../../api-reference/admin-api/endpoints.md).
10
+
9
11
  ```typescript
10
12
  // Top-level
11
13
  const order = await client.orders.get('order_xxx')
@@ -254,7 +254,7 @@ And run `bundle install`
254
254
 
255
255
  ### (Optional) Install Spree Multi Store
256
256
 
257
- [Multi-store](../multi-store/quickstart.md) features like multiple store management & custom domains were moved to a separate gem `spree_multi_store`.
257
+ [Multi-store](../multi-store/quickstart.md) features like multiple store management & custom domains were moved to a separate gem [spree_multi_store](../multi-store/quickstart.md).
258
258
 
259
259
  If you rely on these features please run:
260
260
 
@@ -122,7 +122,7 @@ This is a no-op on the default Database provider (there is no external index to
122
122
 
123
123
  #### Multi-store catalogs
124
124
 
125
- If you have products attached to multiple stores via the legacy `spree_products_stores` join, the `populate_publications` task picks **one** "home" store per product and creates publications on every store's default channel. The `spree_products_stores` table is **kept** as legacy compat surface — the upcoming `spree_multi_store` extension restores the full `Product has_many :stores` association on top of it.
125
+ If you have products attached to multiple stores via the legacy `spree_products_stores` join, the `populate_publications` task picks **one** "home" store per product and creates publications on every store's default channel. The `spree_products_stores` table is **kept** as legacy compat surface — the upcoming [spree_multi_store](../multi-store/quickstart.md) extension restores the full `Product has_many :stores` association on top of it.
126
126
 
127
127
  For single-store deployments this is invisible; you can move on without touching `spree_products_stores` again.
128
128
 
@@ -36,10 +36,3 @@ description: "Browse Spree's third-party integrations for payments, shipping, ta
36
36
 
37
37
 
38
38
  - [Klaviyo](marketing/klaviyo.md) — Klaviyo is a marketing automation platform that allows you to send email campaigns to your customers.
39
-
40
-
41
- ## SSO, MFA & Social Login
42
-
43
-
44
- - [Admin Panel SSO & MFA](sso-mfa-social-login/admin-dashboard.md) — Learn how to secure your Spree admin panel with SSO and MFA integration, using Microsoft Entra ID as an example.
45
- - [Storefront SSO & Social Login](sso-mfa-social-login/storefront.md) — Enable customer-facing SSO and social login on your Spree storefront, using Microsoft Entra External ID as an example.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@spree/docs",
3
- "version": "0.1.93",
3
+ "version": "0.1.94",
4
4
  "description": "Spree Commerce developer documentation for AI agents and local reference",
5
5
  "type": "module",
6
6
  "license": "CC-BY-4.0",
@@ -1,57 +0,0 @@
1
- ---
2
- title: "SSO and MFA for the Admin Panel"
3
- sidebarTitle: "Admin SSO & MFA"
4
- description: "Learn how to secure your Spree admin panel with SSO and MFA integration, using Microsoft Entra ID as an example."
5
- ---
6
-
7
- Enterprise businesses require **Single Sign-On (SSO)** and **Multi-Factor Authentication (MFA)** to secure sensitive operations, maintain compliance, and simplify IT administration. For Spree Commerce, the **admin panel** is the heart of your business operations, which means securing access here is critical.
8
-
9
- ## SSO providers
10
-
11
- There are many popular SSO providers, such as **Microsoft Entra ID**, **Okta**, **Ping Identity**, and **OneLogin**. Each provider may also offer multiple services under its ecosystem.
12
-
13
- For example, Microsoft’s SSO ecosystem includes:
14
-
15
- - **Entra ID (previously Azure Active Directory)** → secures your **Spree Commerce admin panel** for workforce users.
16
- - **Entra External ID (previously Active Directory B2C)** → secures your **Spree storefront** for customer-facing apps, with support for social logins like Google and Facebook.
17
-
18
- > **NOTE:** For the purposes of this article, we are using **Microsoft** as the example provider.
19
-
20
- ## Why integrate SSO with MFA for the Admin Panel
21
-
22
- - **Used by staff, merchants, and operators**
23
- - **Integration with Entra ID** ensures employees can log in using their corporate credentials
24
- - Benefits include:
25
- - Higher security
26
- - Regulatory compliance (SOC2, HIPAA, GDPR)
27
- - Simplified IT administration
28
- - Better user experience with SSO
29
- - With Microsoft solutions, you can also enable **Multi-Factor Authentication (MFA)** or **passwordless options** (Windows Hello, FIDO2 keys) to further strengthen access security
30
-
31
- ## Get Started with SSO and MFA
32
-
33
- Each SSO integration needs to be scoped individually. The integration plan depends on multiple factors, such as:
34
-
35
- - **Required SSO provider**
36
- - Decide whether you’ll use Microsoft Entra ID, Okta, Ping Identity, OneLogin, or another vendor. Each provider offers different features, protocols, and integration options.
37
- - **SSO provider settings**
38
- - Each provider has unique configuration details, such as OAuth endpoints, certificates, tenant IDs, and federation settings. You’ll need to gather these to complete integration.
39
- - **Existing or planned Spree customizations**
40
- - Custom authentication flows, extended user models, or unique admin permissions may affect how SSO is integrated. These should be reviewed before implementation.
41
- - **Spree version**
42
- - Compatibility matters. Integration strategies can differ depending on whether you’re on the latest Spree release.
43
- - **Use case: single tenant vs. multi-tenant**
44
- - Single-tenant stores usually need straightforward workforce SSO. Multi-tenant or SaaS-style deployments may require isolated tenant directories and more complex provisioning.
45
- - **Identity governance requirements** (role-based access, just-in-time provisioning)
46
- - **User lifecycle management** (provisioning/de-provisioning)
47
- - **Security posture** (MFA enforcement, conditional access, passwordless policies)
48
- - **Compliance certifications required** (ISO, SOC2, HIPAA, PCI DSS)
49
- - **Traffic scale and performance** (concurrent users, global access, load balancing)
50
- - **Disaster recovery and redundancy** (failover strategies)
51
- - **Integration with third-party services** (analytics, CDPs, data warehouses)
52
-
53
- > **INFO:** Let's get in touch so we can scope your requirements and deliver this important integration for your project.
54
-
55
-
56
- - [Book a Call](https://getvendo.com/book-a-demo/) — Schedule a call to explore the options and get your questions answered
57
- - [Ask a Question](https://spreecommerce.org/get-started/) — Send us a message and share your thoughts
@@ -1,56 +0,0 @@
1
- ---
2
- title: "SSO and Social Login for the Storefront"
3
- sidebarTitle: "Storefront SSO & Social Login"
4
- description: "Enable customer-facing SSO and social login on your Spree storefront, using Microsoft Entra External ID as an example."
5
- ---
6
-
7
- Enterprise businesses benefit from offering **customer-facing SSO and social login** because it streamlines the shopping experience and improves conversions. Customers prefer using accounts they already trust instead of creating new ones.
8
-
9
- ## SSO providers
10
-
11
- There are many popular SSO providers, such as **Microsoft Entra External ID**, **Auth0**, **Okta**, and **Ping Identity**. Each provider may offer several services with different target use cases.
12
-
13
- For example, Microsoft’s SSO ecosystem includes:
14
-
15
- - **Entra ID (previously Azure Active Directory)** → secures your **Spree Commerce admin panel** for workforce users.
16
- - **Entra External ID (previously Active Directory B2C)** → secures your **Spree storefront** for customer-facing apps, with support for social logins like Google and Facebook.
17
-
18
- > **NOTE:** For the purposes of this article, we are using **Microsoft** as the example provider.
19
-
20
- ## Why integrate SSO and Social Login for the Storefront
21
-
22
- - **Used by shoppers**
23
- - Integration with **Entra External ID (B2C)** or other customer identity providers enables frictionless sign-ups and sign-ins
24
- - Benefits include:
25
- - Reduced cart abandonment
26
- - Faster checkout
27
- - Higher conversion rates
28
- - Supports **social login options**: Google, Facebook, Amazon, Apple ID, Microsoft
29
-
30
- ## Get Started with SSO and Social Login
31
-
32
- Each storefront integration must be scoped individually. Consider the following:
33
-
34
- - **Required SSO provider**
35
- - Choose from Microsoft Entra External ID, Auth0, Okta, Ping Identity, or others. Your decision depends on features, ecosystem compatibility, and scalability needs.
36
- - **SSO provider settings, including identity providers**
37
- - Each SSO platform has unique configuration settings (OAuth endpoints, certificates, client IDs). If you want to enable social logins, you’ll also need to configure providers like Google, Facebook, or Apple.
38
- - **Scope: social login only vs. SSO + social login**
39
- - Decide whether you only want to add social login on top of Spree’s existing authentication or fully replace it with a unified SSO + social login solution.
40
- - **Existing or planned Spree customizations**
41
- - Customized signup flows, checkout flows, or customer segmentation logic may impact integration design. These need to be factored in during scoping.
42
- - **Spree version**
43
- - Ensure compatibility with your Spree version. Older projects may need adjustments to take advantage of newer identity management features.
44
- - **Identity governance requirements** (segmentation, customer role-based access)
45
- - **User lifecycle management** (account creation, deactivation, syncing)
46
- - **Security posture** (MFA for customers, adaptive login, fraud detection)
47
- - **Compliance certifications required** (GDPR, CCPA, PCI DSS)
48
- - **Traffic scale and performance** (millions of customer accounts, peak season load)
49
- - **Disaster recovery and redundancy** (failover, global availability zones)
50
- - **Integration with third-party services** (marketing automation, CDPs, analytics, loyalty programs)
51
-
52
- > **INFO:** Let's get in touch so we can scope your requirements and deliver this important integration for your project.
53
-
54
-
55
- - [Book a Call](https://getvendo.com/book-a-demo/) — Schedule a call to explore the options and get your questions answered
56
- - [Ask a Question](https://spreecommerce.org/get-started/) — Send us a message and share your thoughts