@spree/docs 0.1.93 → 0.1.95
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/api-reference/admin-api/authentication.md +8 -7
- package/dist/api-reference/admin-api/endpoints.md +348 -0
- package/dist/api-reference/admin-api/errors.md +2 -0
- package/dist/api-reference/admin-api/introduction.md +11 -0
- package/dist/api-reference/store.yaml +243 -232
- package/dist/developer/agentic/overview.md +1 -1
- package/dist/developer/cli/admin-api.md +146 -0
- package/dist/developer/cli/quickstart.md +40 -5
- package/dist/developer/core-concepts/addresses.md +32 -16
- package/dist/developer/core-concepts/adjustments.md +11 -5
- package/dist/developer/core-concepts/architecture.md +8 -8
- package/dist/developer/core-concepts/calculators.md +31 -51
- package/dist/developer/core-concepts/channels.md +13 -6
- package/dist/developer/core-concepts/customers.md +47 -23
- package/dist/developer/core-concepts/events.md +22 -17
- package/dist/developer/core-concepts/imports-exports.md +69 -14
- package/dist/developer/core-concepts/inventory.md +79 -1
- package/dist/developer/core-concepts/markets.md +64 -20
- package/dist/developer/core-concepts/media.md +43 -6
- package/dist/developer/core-concepts/metafields.md +76 -13
- package/dist/developer/core-concepts/orders.md +95 -17
- package/dist/developer/core-concepts/payments.md +14 -13
- package/dist/developer/core-concepts/pricing.md +95 -9
- package/dist/developer/core-concepts/products.md +192 -26
- package/dist/developer/core-concepts/promotions.md +61 -4
- package/dist/developer/core-concepts/reports.md +4 -2
- package/dist/developer/core-concepts/search-filtering.md +82 -32
- package/dist/developer/core-concepts/shipments.md +16 -13
- package/dist/developer/core-concepts/slugs.md +20 -11
- package/dist/developer/core-concepts/staff-roles.md +51 -1
- package/dist/developer/core-concepts/store-credits-gift-cards.md +90 -9
- package/dist/developer/core-concepts/stores.md +16 -14
- package/dist/developer/core-concepts/taxes.md +28 -0
- package/dist/developer/core-concepts/translations.md +16 -7
- package/dist/developer/core-concepts/users.md +13 -9
- package/dist/developer/core-concepts/webhooks.md +95 -64
- package/dist/developer/getting-started/quickstart.md +20 -0
- package/dist/developer/how-to/custom-api-authentication.md +103 -23
- package/dist/developer/multi-store/quickstart.md +1 -1
- package/dist/developer/sdk/admin/authentication.md +1 -1
- package/dist/developer/sdk/admin/resources.md +2 -0
- package/dist/developer/upgrades/5.3-to-5.4.md +1 -1
- package/dist/developer/upgrades/5.4-to-5.5.md +1 -1
- package/dist/integrations/integrations.md +0 -7
- package/package.json +1 -1
- package/dist/integrations/sso-mfa-social-login/admin-dashboard.md +0 -57
- package/dist/integrations/sso-mfa-social-login/storefront.md +0 -56
|
@@ -73,6 +73,26 @@ Upon successful authentication, you should see the admin screen:
|
|
|
73
73
|
|
|
74
74
|
<img src="/images/spree_admin_dashboard.png" />
|
|
75
75
|
|
|
76
|
+
## Using the Spree CLI
|
|
77
|
+
|
|
78
|
+
Projects scaffolded with `create-spree-app` include [`@spree/cli`](../cli/quickstart.md) for managing the backend and calling the Admin API. Because it's a project dependency, run it with `npx` (or any package-manager script):
|
|
79
|
+
|
|
80
|
+
```bash
|
|
81
|
+
npx spree dev # boot the Docker stack
|
|
82
|
+
npx spree api get products # query the Admin API (read-only key preconfigured)
|
|
83
|
+
```
|
|
84
|
+
|
|
85
|
+
Project setup mints a read-only Admin API key into `.spree/credentials.json` (and `spree api` mints it on first use if you skipped setup), so `spree api` works without any extra configuration.
|
|
86
|
+
|
|
87
|
+
To call `spree` directly without the `npx` prefix, install the CLI globally:
|
|
88
|
+
|
|
89
|
+
```bash
|
|
90
|
+
npm install -g @spree/cli
|
|
91
|
+
spree api get products
|
|
92
|
+
```
|
|
93
|
+
|
|
94
|
+
See the [Spree CLI guide](../cli/quickstart.md) for all commands and the [Admin API from the CLI](../cli/admin-api.md) for querying your store's data.
|
|
95
|
+
|
|
76
96
|
## Next Steps
|
|
77
97
|
|
|
78
98
|
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
---
|
|
2
2
|
title: Integrate a Third-Party Identity Provider
|
|
3
|
-
description: Step-by-step guide to plugging a custom identity provider (Auth0, Okta, Firebase, Cognito, or any JWT issuer) into the Spree Store
|
|
3
|
+
description: Step-by-step guide to plugging a custom identity provider (Auth0, Okta, Firebase, Cognito, or any JWT issuer) into the Spree Store and Admin APIs.
|
|
4
4
|
---
|
|
5
5
|
|
|
6
6
|
import { Since } from '/snippets/since.mdx';
|
|
@@ -8,19 +8,35 @@ import { Since } from '/snippets/since.mdx';
|
|
|
8
8
|
|
|
9
9
|
## Overview
|
|
10
10
|
|
|
11
|
-
Spree
|
|
11
|
+
Both Spree APIs — the customer-facing **Store API** and the back-office **Admin API** — ship with the same pluggable authentication system. You register a **strategy class** for a named provider, and the existing login endpoints dispatch to it — no controller patching, no route overrides, no fork.
|
|
12
12
|
|
|
13
13
|
By the end of this guide you'll have:
|
|
14
14
|
|
|
15
15
|
- A custom strategy that verifies a third-party JWT against a JWKS endpoint
|
|
16
16
|
- A user account auto-provisioned on first login, reused on subsequent logins
|
|
17
17
|
- A standard **Spree-issued JWT + refresh token** returned to the client
|
|
18
|
-
-
|
|
18
|
+
- Every API endpoint protected by Spree's own JWT — the third-party token is only used at the login exchange step
|
|
19
19
|
|
|
20
|
-
|
|
20
|
+
### Store vs Admin — what changes
|
|
21
|
+
|
|
22
|
+
The mechanism is identical for both surfaces. A strategy you write works on either side; only the registry you add it to (and a handful of surface-specific details) differ:
|
|
23
|
+
|
|
24
|
+
| | Store API (customers) | Admin API (staff) |
|
|
25
|
+
|---|---|---|
|
|
26
|
+
| Registry | `Spree.store_authentication_strategies` | `Spree.admin_authentication_strategies` |
|
|
27
|
+
| User class | `Spree.user_class` | `Spree.admin_user_class` |
|
|
28
|
+
| Login endpoint | `POST /api/v3/store/auth/login` | `POST /api/v3/admin/auth/login` |
|
|
29
|
+
| Refresh endpoint | `POST /api/v3/store/auth/refresh` | `POST /api/v3/admin/auth/refresh` |
|
|
30
|
+
| JWT audience | `aud: store_api` | `aud: admin_api` |
|
|
31
|
+
| Refresh token delivery | returned in the response body | set as an `HttpOnly` cookie |
|
|
32
|
+
| Strategy base class | `Spree::Authentication::Strategies::BaseStrategy` | *(same)* |
|
|
33
|
+
|
|
34
|
+
Everything else — the strategy class you write, the `BaseStrategy` helpers, JWT verification, account provisioning, account linking — is the same. The walkthrough below uses the Store API; each step calls out the one-line Admin swap.
|
|
21
35
|
|
|
22
36
|
## Architecture
|
|
23
37
|
|
|
38
|
+
The flow below uses the Store API; the Admin API is identical with `admin` in the path and `aud: admin_api` on the issued JWT.
|
|
39
|
+
|
|
24
40
|
```
|
|
25
41
|
Client → POST /api/v3/store/auth/login
|
|
26
42
|
{ provider: "my_idp", token: "<third-party JWT>" }
|
|
@@ -127,15 +143,33 @@ end
|
|
|
127
143
|
|
|
128
144
|
## Step 2: Register the Strategy
|
|
129
145
|
|
|
130
|
-
Add the strategy to
|
|
146
|
+
Add the strategy to a registry in an initializer. **This is the only line that decides which API the provider serves** — `store_authentication_strategies` for customer login, `admin_authentication_strategies` for staff login. Register with both to allow the same provider on either surface. The key you choose here is what clients send as `provider` in the login payload.
|
|
131
147
|
|
|
132
|
-
|
|
148
|
+
|
|
149
|
+
```ruby Store API
|
|
150
|
+
# config/initializers/spree.rb
|
|
133
151
|
Rails.application.config.after_initialize do
|
|
134
152
|
Spree.store_authentication_strategies.add(:external_idp, MyApp::Auth::ExternalJwtStrategy)
|
|
135
153
|
end
|
|
136
154
|
```
|
|
137
155
|
|
|
138
|
-
|
|
156
|
+
```ruby Admin API
|
|
157
|
+
# config/initializers/spree.rb
|
|
158
|
+
Rails.application.config.after_initialize do
|
|
159
|
+
Spree.admin_authentication_strategies.add(:okta, MyApp::Auth::OktaStrategy)
|
|
160
|
+
end
|
|
161
|
+
```
|
|
162
|
+
|
|
163
|
+
```ruby Both
|
|
164
|
+
# config/initializers/spree.rb
|
|
165
|
+
Rails.application.config.after_initialize do
|
|
166
|
+
Spree.store_authentication_strategies.add(:external_idp, MyApp::Auth::ExternalJwtStrategy)
|
|
167
|
+
Spree.admin_authentication_strategies.add(:external_idp, MyApp::Auth::ExternalJwtStrategy)
|
|
168
|
+
end
|
|
169
|
+
```
|
|
170
|
+
|
|
171
|
+
|
|
172
|
+
Both registries are a `Spree::Authentication::StrategyRegistry` with the same API:
|
|
139
173
|
|
|
140
174
|
| Method | Purpose |
|
|
141
175
|
|---|---|
|
|
@@ -144,19 +178,18 @@ end
|
|
|
144
178
|
| `[key]` | Look up a registered class. |
|
|
145
179
|
| `key?(key)`, `keys`, `values`, `each`, `to_h` | Standard introspection. |
|
|
146
180
|
|
|
147
|
-
|
|
181
|
+
The strategy is instantiated with the surface's user class automatically — `Spree.user_class` from the store registry, `Spree.admin_user_class` from the admin registry — and your `authenticate` reads it via the `user_class` helper, so the same class provisions customers on one side and staff on the other.
|
|
148
182
|
|
|
149
|
-
|
|
183
|
+
> **TIP:** Restrict a surface to SSO by removing the built-in email/password strategy after adding yours: `Spree.admin_authentication_strategies.remove(:email)` locks staff to your provider; the store side stays on email/password.
|
|
150
184
|
|
|
151
|
-
|
|
152
|
-
Spree.admin_authentication_strategies.add(:okta, MyApp::Auth::OktaStrategy)
|
|
153
|
-
```
|
|
185
|
+
> **WARNING:** `Spree::UserIdentity` validates that `provider` is a registered strategy key. Registration must happen during boot — before the first login attempt.
|
|
154
186
|
|
|
155
187
|
## Step 3: Call the Exchange Endpoint
|
|
156
188
|
|
|
157
|
-
|
|
189
|
+
The login endpoint is the single dispatcher — `/api/v3/store/auth/login` for customers, `/api/v3/admin/auth/login` for staff. The `provider` field in the body selects the strategy — omit it for built-in email/password, set it to your registered key for everything else. The remaining body fields are whatever your strategy reads from `params`.
|
|
158
190
|
|
|
159
|
-
|
|
191
|
+
|
|
192
|
+
```http Store API
|
|
160
193
|
POST /api/v3/store/auth/login
|
|
161
194
|
X-Spree-API-Key: pk_your_publishable_key
|
|
162
195
|
Content-Type: application/json
|
|
@@ -167,21 +200,45 @@ Content-Type: application/json
|
|
|
167
200
|
}
|
|
168
201
|
```
|
|
169
202
|
|
|
170
|
-
|
|
203
|
+
```http Admin API
|
|
204
|
+
POST /api/v3/admin/auth/login
|
|
205
|
+
X-Spree-API-Key: sk_your_secret_key
|
|
206
|
+
Content-Type: application/json
|
|
207
|
+
|
|
208
|
+
{
|
|
209
|
+
"provider": "okta",
|
|
210
|
+
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs..."
|
|
211
|
+
}
|
|
212
|
+
```
|
|
213
|
+
|
|
214
|
+
|
|
215
|
+
The response is the standard Spree auth payload. The difference is the refresh token: the **Store API returns it in the body**, while the **Admin API sets it as an `HttpOnly` cookie** scoped to `/api/v3/admin/auth` and omits it from the body.
|
|
216
|
+
|
|
171
217
|
|
|
172
|
-
```json
|
|
218
|
+
```json Store API
|
|
173
219
|
{
|
|
174
220
|
"token": "<Spree HS256 JWT, aud=store_api>",
|
|
175
221
|
"refresh_token": "rt_xxxxxxxxxxxx",
|
|
176
|
-
"user": { "id": "user_...", "email": "...", "
|
|
222
|
+
"user": { "id": "user_...", "email": "...", "...": "..." }
|
|
177
223
|
}
|
|
178
224
|
```
|
|
179
225
|
|
|
180
|
-
|
|
226
|
+
```json Admin API
|
|
227
|
+
{
|
|
228
|
+
"token": "<Spree HS256 JWT, aud=admin_api>",
|
|
229
|
+
"user": { "id": "user_...", "email": "...", "...": "..." }
|
|
230
|
+
}
|
|
231
|
+
```
|
|
181
232
|
|
|
182
|
-
|
|
233
|
+
The refresh token arrives as a `Set-Cookie: spree_admin_refresh_token=…; HttpOnly; Path=/api/v3/admin/auth` response header rather than in the body.
|
|
183
234
|
|
|
184
|
-
|
|
235
|
+
|
|
236
|
+
From here, the client sends `Authorization: Bearer <Spree JWT>` on every subsequent call. When the JWT expires (default: 1 hour), it rotates via the refresh endpoint — the Store API takes the refresh token in the body of `POST /api/v3/store/auth/refresh`; the Admin API drives `POST /api/v3/admin/auth/refresh` entirely from the cookie (see [Admin Auth & Cookie Refresh](../../api-reference/admin-api/authentication.md)).
|
|
237
|
+
|
|
238
|
+
The SDKs wrap the same exchange — `@spree/sdk` for the Store API, `@spree/admin-sdk` for the Admin API:
|
|
239
|
+
|
|
240
|
+
|
|
241
|
+
```ts Store SDK
|
|
185
242
|
import { createClient } from '@spree/sdk'
|
|
186
243
|
|
|
187
244
|
const client = createClient({ baseUrl: 'https://your-store.com', publishableKey: '<pk>' })
|
|
@@ -192,6 +249,19 @@ const auth = await client.auth.login({
|
|
|
192
249
|
})
|
|
193
250
|
```
|
|
194
251
|
|
|
252
|
+
```ts Admin SDK
|
|
253
|
+
import { createAdminClient } from '@spree/admin-sdk'
|
|
254
|
+
|
|
255
|
+
const client = createAdminClient({ baseUrl: 'https://your-store.com' })
|
|
256
|
+
|
|
257
|
+
// Refresh token lands in the HttpOnly cookie; only the access token comes back here.
|
|
258
|
+
const auth = await client.auth.login({
|
|
259
|
+
provider: 'okta',
|
|
260
|
+
token: thirdPartyJwt,
|
|
261
|
+
})
|
|
262
|
+
```
|
|
263
|
+
|
|
264
|
+
|
|
195
265
|
`LoginCredentials` is a discriminated union — pass `{ email, password }` for the built-in strategy, or `{ provider, ...customFields }` for any strategy you registered.
|
|
196
266
|
|
|
197
267
|
## Account Linking
|
|
@@ -225,20 +295,29 @@ end
|
|
|
225
295
|
|
|
226
296
|
## Logout
|
|
227
297
|
|
|
228
|
-
|
|
298
|
+
|
|
299
|
+
```http Store API
|
|
229
300
|
POST /api/v3/store/auth/logout
|
|
230
301
|
Content-Type: application/json
|
|
231
302
|
|
|
232
303
|
{ "refresh_token": "rt_xxxxxxxxxxxx" }
|
|
233
304
|
```
|
|
234
305
|
|
|
306
|
+
```http Admin API
|
|
307
|
+
POST /api/v3/admin/auth/logout
|
|
308
|
+
Content-Type: application/json
|
|
309
|
+
|
|
310
|
+
# No body — the refresh token is read from the HttpOnly cookie and cleared.
|
|
311
|
+
```
|
|
312
|
+
|
|
313
|
+
|
|
235
314
|
This revokes the Spree refresh token. The Spree JWT itself remains valid until it expires naturally (short-lived by design — default 1 hour). Spree does **not** call the IdP's revocation endpoint; if you need single sign-out, do that from the client.
|
|
236
315
|
|
|
237
316
|
## Security Notes
|
|
238
317
|
|
|
239
318
|
A few things worth getting right:
|
|
240
319
|
|
|
241
|
-
- **Don't try to pass the third-party JWT through to protected endpoints.** Spree's `JwtAuthentication` concern verifies `iss: 'spree'` and `
|
|
320
|
+
- **Don't try to pass the third-party JWT through to protected endpoints.** Spree's `JwtAuthentication` concern verifies `iss: 'spree'` and the expected audience (`store_api` or `admin_api`) with HS256 against the Spree secret — a foreign RS256 token will never validate, and you don't want it to. The exchange-at-login model is the right one.
|
|
242
321
|
- **JWKS caching and rotation.** Cache the JWKS (the example uses a 1-hour TTL) but make sure your loader honors the `invalidate: true` option so that an unrecognized `kid` triggers a refetch. Otherwise key rotation at the IdP locks users out for up to the TTL.
|
|
243
322
|
- **Validate `iss` and `aud` claims.** Always. The example passes `verify_iss: true, verify_aud: true` to `JWT.decode` — don't drop those.
|
|
244
323
|
- **Algorithm pinning.** Hard-code `algorithms: ['RS256']` (or whatever your IdP uses). Never let the token's own `alg` header decide — the classic `alg: none` and HS-as-RS confusion attacks both exploit lax algorithm selection.
|
|
@@ -297,5 +376,6 @@ end
|
|
|
297
376
|
- `Spree::Authentication::Strategies::BaseStrategy` — `spree/core/app/models/spree/authentication/strategies/base_strategy.rb`
|
|
298
377
|
- `Spree::UserIdentity` — `spree/core/app/models/spree/user_identity.rb`
|
|
299
378
|
- `Spree::Api::V3::Store::AuthController` — `spree/api/app/controllers/spree/api/v3/store/auth_controller.rb`
|
|
379
|
+
- `Spree::Api::V3::Admin::AuthController` — `spree/api/app/controllers/spree/api/v3/admin/auth_controller.rb`
|
|
300
380
|
- `Spree::Api::V3::JwtAuthentication` — `spree/api/app/controllers/concerns/spree/api/v3/jwt_authentication.rb`
|
|
301
|
-
- See also: [Authentication](../customization/authentication.md) for `Spree.user_class` integration.
|
|
381
|
+
- See also: [Staff & Roles](../core-concepts/staff-roles.md) for the admin login flow, [Customers](../core-concepts/customers.md) for storefront auth, and [Authentication](../customization/authentication.md) for `Spree.user_class` integration.
|
|
@@ -4,7 +4,7 @@ sidebarTitle: Quickstart
|
|
|
4
4
|
description: Enable multiple storefronts on a single Spree app with the spree_multi_store gem, including per-store products, payment methods, taxonomies, and promotions.
|
|
5
5
|
---
|
|
6
6
|
|
|
7
|
-
To enable multiple stores, you will need to add the
|
|
7
|
+
To enable multiple stores, you will need to add the [spree_multi_store](quickstart.md) gem to your project via:
|
|
8
8
|
|
|
9
9
|
|
|
10
10
|
```bash Spree CLI (Docker)
|
|
@@ -78,7 +78,7 @@ try {
|
|
|
78
78
|
|
|
79
79
|
### Identity providers
|
|
80
80
|
|
|
81
|
-
`auth.login()` also accepts third-party identity-provider payloads when the server has a matching strategy registered
|
|
81
|
+
`auth.login()` also accepts third-party identity-provider payloads when the server has a [matching strategy registered](../../how-to/custom-api-authentication.md):
|
|
82
82
|
|
|
83
83
|
```typescript
|
|
84
84
|
const { token } = await client.auth.login({ provider: 'auth0', token: idpJwt })
|
|
@@ -6,6 +6,8 @@ description: "Reference for every @spree/admin-sdk resource — products, orders
|
|
|
6
6
|
|
|
7
7
|
Every Admin API resource is exposed as a property on the client (`client.orders`, `client.products`, …). Collection resources follow a consistent CRUD shape — `list`, `get`, `create`, `update`, `delete` — plus resource-specific actions. Nested resources take the **parent ID as the first argument**:
|
|
8
8
|
|
|
9
|
+
For the underlying HTTP surface — every endpoint with the API key scope it requires — see the [Admin API endpoint index](../../../api-reference/admin-api/endpoints.md).
|
|
10
|
+
|
|
9
11
|
```typescript
|
|
10
12
|
// Top-level
|
|
11
13
|
const order = await client.orders.get('order_xxx')
|
|
@@ -254,7 +254,7 @@ And run `bundle install`
|
|
|
254
254
|
|
|
255
255
|
### (Optional) Install Spree Multi Store
|
|
256
256
|
|
|
257
|
-
[Multi-store](../multi-store/quickstart.md) features like multiple store management & custom domains were moved to a separate gem
|
|
257
|
+
[Multi-store](../multi-store/quickstart.md) features like multiple store management & custom domains were moved to a separate gem [spree_multi_store](../multi-store/quickstart.md).
|
|
258
258
|
|
|
259
259
|
If you rely on these features please run:
|
|
260
260
|
|
|
@@ -122,7 +122,7 @@ This is a no-op on the default Database provider (there is no external index to
|
|
|
122
122
|
|
|
123
123
|
#### Multi-store catalogs
|
|
124
124
|
|
|
125
|
-
If you have products attached to multiple stores via the legacy `spree_products_stores` join, the `populate_publications` task picks **one** "home" store per product and creates publications on every store's default channel. The `spree_products_stores` table is **kept** as legacy compat surface — the upcoming
|
|
125
|
+
If you have products attached to multiple stores via the legacy `spree_products_stores` join, the `populate_publications` task picks **one** "home" store per product and creates publications on every store's default channel. The `spree_products_stores` table is **kept** as legacy compat surface — the upcoming [spree_multi_store](../multi-store/quickstart.md) extension restores the full `Product has_many :stores` association on top of it.
|
|
126
126
|
|
|
127
127
|
For single-store deployments this is invisible; you can move on without touching `spree_products_stores` again.
|
|
128
128
|
|
|
@@ -36,10 +36,3 @@ description: "Browse Spree's third-party integrations for payments, shipping, ta
|
|
|
36
36
|
|
|
37
37
|
|
|
38
38
|
- [Klaviyo](marketing/klaviyo.md) — Klaviyo is a marketing automation platform that allows you to send email campaigns to your customers.
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
## SSO, MFA & Social Login
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
- [Admin Panel SSO & MFA](sso-mfa-social-login/admin-dashboard.md) — Learn how to secure your Spree admin panel with SSO and MFA integration, using Microsoft Entra ID as an example.
|
|
45
|
-
- [Storefront SSO & Social Login](sso-mfa-social-login/storefront.md) — Enable customer-facing SSO and social login on your Spree storefront, using Microsoft Entra External ID as an example.
|
package/package.json
CHANGED
|
@@ -1,57 +0,0 @@
|
|
|
1
|
-
---
|
|
2
|
-
title: "SSO and MFA for the Admin Panel"
|
|
3
|
-
sidebarTitle: "Admin SSO & MFA"
|
|
4
|
-
description: "Learn how to secure your Spree admin panel with SSO and MFA integration, using Microsoft Entra ID as an example."
|
|
5
|
-
---
|
|
6
|
-
|
|
7
|
-
Enterprise businesses require **Single Sign-On (SSO)** and **Multi-Factor Authentication (MFA)** to secure sensitive operations, maintain compliance, and simplify IT administration. For Spree Commerce, the **admin panel** is the heart of your business operations, which means securing access here is critical.
|
|
8
|
-
|
|
9
|
-
## SSO providers
|
|
10
|
-
|
|
11
|
-
There are many popular SSO providers, such as **Microsoft Entra ID**, **Okta**, **Ping Identity**, and **OneLogin**. Each provider may also offer multiple services under its ecosystem.
|
|
12
|
-
|
|
13
|
-
For example, Microsoft’s SSO ecosystem includes:
|
|
14
|
-
|
|
15
|
-
- **Entra ID (previously Azure Active Directory)** → secures your **Spree Commerce admin panel** for workforce users.
|
|
16
|
-
- **Entra External ID (previously Active Directory B2C)** → secures your **Spree storefront** for customer-facing apps, with support for social logins like Google and Facebook.
|
|
17
|
-
|
|
18
|
-
> **NOTE:** For the purposes of this article, we are using **Microsoft** as the example provider.
|
|
19
|
-
|
|
20
|
-
## Why integrate SSO with MFA for the Admin Panel
|
|
21
|
-
|
|
22
|
-
- **Used by staff, merchants, and operators**
|
|
23
|
-
- **Integration with Entra ID** ensures employees can log in using their corporate credentials
|
|
24
|
-
- Benefits include:
|
|
25
|
-
- Higher security
|
|
26
|
-
- Regulatory compliance (SOC2, HIPAA, GDPR)
|
|
27
|
-
- Simplified IT administration
|
|
28
|
-
- Better user experience with SSO
|
|
29
|
-
- With Microsoft solutions, you can also enable **Multi-Factor Authentication (MFA)** or **passwordless options** (Windows Hello, FIDO2 keys) to further strengthen access security
|
|
30
|
-
|
|
31
|
-
## Get Started with SSO and MFA
|
|
32
|
-
|
|
33
|
-
Each SSO integration needs to be scoped individually. The integration plan depends on multiple factors, such as:
|
|
34
|
-
|
|
35
|
-
- **Required SSO provider**
|
|
36
|
-
- Decide whether you’ll use Microsoft Entra ID, Okta, Ping Identity, OneLogin, or another vendor. Each provider offers different features, protocols, and integration options.
|
|
37
|
-
- **SSO provider settings**
|
|
38
|
-
- Each provider has unique configuration details, such as OAuth endpoints, certificates, tenant IDs, and federation settings. You’ll need to gather these to complete integration.
|
|
39
|
-
- **Existing or planned Spree customizations**
|
|
40
|
-
- Custom authentication flows, extended user models, or unique admin permissions may affect how SSO is integrated. These should be reviewed before implementation.
|
|
41
|
-
- **Spree version**
|
|
42
|
-
- Compatibility matters. Integration strategies can differ depending on whether you’re on the latest Spree release.
|
|
43
|
-
- **Use case: single tenant vs. multi-tenant**
|
|
44
|
-
- Single-tenant stores usually need straightforward workforce SSO. Multi-tenant or SaaS-style deployments may require isolated tenant directories and more complex provisioning.
|
|
45
|
-
- **Identity governance requirements** (role-based access, just-in-time provisioning)
|
|
46
|
-
- **User lifecycle management** (provisioning/de-provisioning)
|
|
47
|
-
- **Security posture** (MFA enforcement, conditional access, passwordless policies)
|
|
48
|
-
- **Compliance certifications required** (ISO, SOC2, HIPAA, PCI DSS)
|
|
49
|
-
- **Traffic scale and performance** (concurrent users, global access, load balancing)
|
|
50
|
-
- **Disaster recovery and redundancy** (failover strategies)
|
|
51
|
-
- **Integration with third-party services** (analytics, CDPs, data warehouses)
|
|
52
|
-
|
|
53
|
-
> **INFO:** Let's get in touch so we can scope your requirements and deliver this important integration for your project.
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
- [Book a Call](https://getvendo.com/book-a-demo/) — Schedule a call to explore the options and get your questions answered
|
|
57
|
-
- [Ask a Question](https://spreecommerce.org/get-started/) — Send us a message and share your thoughts
|
|
@@ -1,56 +0,0 @@
|
|
|
1
|
-
---
|
|
2
|
-
title: "SSO and Social Login for the Storefront"
|
|
3
|
-
sidebarTitle: "Storefront SSO & Social Login"
|
|
4
|
-
description: "Enable customer-facing SSO and social login on your Spree storefront, using Microsoft Entra External ID as an example."
|
|
5
|
-
---
|
|
6
|
-
|
|
7
|
-
Enterprise businesses benefit from offering **customer-facing SSO and social login** because it streamlines the shopping experience and improves conversions. Customers prefer using accounts they already trust instead of creating new ones.
|
|
8
|
-
|
|
9
|
-
## SSO providers
|
|
10
|
-
|
|
11
|
-
There are many popular SSO providers, such as **Microsoft Entra External ID**, **Auth0**, **Okta**, and **Ping Identity**. Each provider may offer several services with different target use cases.
|
|
12
|
-
|
|
13
|
-
For example, Microsoft’s SSO ecosystem includes:
|
|
14
|
-
|
|
15
|
-
- **Entra ID (previously Azure Active Directory)** → secures your **Spree Commerce admin panel** for workforce users.
|
|
16
|
-
- **Entra External ID (previously Active Directory B2C)** → secures your **Spree storefront** for customer-facing apps, with support for social logins like Google and Facebook.
|
|
17
|
-
|
|
18
|
-
> **NOTE:** For the purposes of this article, we are using **Microsoft** as the example provider.
|
|
19
|
-
|
|
20
|
-
## Why integrate SSO and Social Login for the Storefront
|
|
21
|
-
|
|
22
|
-
- **Used by shoppers**
|
|
23
|
-
- Integration with **Entra External ID (B2C)** or other customer identity providers enables frictionless sign-ups and sign-ins
|
|
24
|
-
- Benefits include:
|
|
25
|
-
- Reduced cart abandonment
|
|
26
|
-
- Faster checkout
|
|
27
|
-
- Higher conversion rates
|
|
28
|
-
- Supports **social login options**: Google, Facebook, Amazon, Apple ID, Microsoft
|
|
29
|
-
|
|
30
|
-
## Get Started with SSO and Social Login
|
|
31
|
-
|
|
32
|
-
Each storefront integration must be scoped individually. Consider the following:
|
|
33
|
-
|
|
34
|
-
- **Required SSO provider**
|
|
35
|
-
- Choose from Microsoft Entra External ID, Auth0, Okta, Ping Identity, or others. Your decision depends on features, ecosystem compatibility, and scalability needs.
|
|
36
|
-
- **SSO provider settings, including identity providers**
|
|
37
|
-
- Each SSO platform has unique configuration settings (OAuth endpoints, certificates, client IDs). If you want to enable social logins, you’ll also need to configure providers like Google, Facebook, or Apple.
|
|
38
|
-
- **Scope: social login only vs. SSO + social login**
|
|
39
|
-
- Decide whether you only want to add social login on top of Spree’s existing authentication or fully replace it with a unified SSO + social login solution.
|
|
40
|
-
- **Existing or planned Spree customizations**
|
|
41
|
-
- Customized signup flows, checkout flows, or customer segmentation logic may impact integration design. These need to be factored in during scoping.
|
|
42
|
-
- **Spree version**
|
|
43
|
-
- Ensure compatibility with your Spree version. Older projects may need adjustments to take advantage of newer identity management features.
|
|
44
|
-
- **Identity governance requirements** (segmentation, customer role-based access)
|
|
45
|
-
- **User lifecycle management** (account creation, deactivation, syncing)
|
|
46
|
-
- **Security posture** (MFA for customers, adaptive login, fraud detection)
|
|
47
|
-
- **Compliance certifications required** (GDPR, CCPA, PCI DSS)
|
|
48
|
-
- **Traffic scale and performance** (millions of customer accounts, peak season load)
|
|
49
|
-
- **Disaster recovery and redundancy** (failover, global availability zones)
|
|
50
|
-
- **Integration with third-party services** (marketing automation, CDPs, analytics, loyalty programs)
|
|
51
|
-
|
|
52
|
-
> **INFO:** Let's get in touch so we can scope your requirements and deliver this important integration for your project.
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
- [Book a Call](https://getvendo.com/book-a-demo/) — Schedule a call to explore the options and get your questions answered
|
|
56
|
-
- [Ask a Question](https://spreecommerce.org/get-started/) — Send us a message and share your thoughts
|