Announcement: You can find the guides for Commerce 7.5 and later on the new Elastic Path Documentation site. This Developer Center contains the guides for Commerce 6.13.0 through 7.4.1.Visit new site

This version of Elastic Path Commerce is no longer supported or maintained. To upgrade to the latest version, contact your Elastic Path representative.

Authentication - Architecture

Authentication - Architecture

EP Commerce for Adobe Marketing Cloud Authentication is composed of multiple components:
  • CortexAuthenticationHandler - an implementation of a Sling AuthenticationHandler
  • CortexIdentityProvider - an implementation of a Jackrabbit External Identity Provider
  • Helper classes that store user information in the Jackrabbit repository, interface with cortex to create users and grab user information and create cortexContext objects with Oauth tokens and other authentication info.

Authentication Workflow

Sling Authenticator handles authentication requests and calls the registered authentication handlers, including Cortex Authentication Handler to extract the request and drop credentials.

When Cortex Authentication Handler processes and verifies user information, it invokes the login, commit, abort, and logout methods in the registered login modules, including the External Login Module.

The External Login Modules authenticates against the External Identity Providers (CortexIdentityProvider) and syncs the values returned by CortexIdentityProvider into Jackrabbit. Synching creates the user's Cortex profile in JCR and saves information such as the REGISTERED Cortex token that was returned on authenticating the user against Cortex and the token's expiry date under CortexUsers using the Jackrabbit Oak Default Sync Handler.

The JAAS Authentication process sets several cookies in the shopper's browser on successful authentication that identify the logged in state of the shopper and allow access to shopper specific information. This is set by AEM's own Authentication Handlers as well as Elastic Path's Cortex Authentication Handler.

ANONYMOUS users are identified by a Cortex token with role PUBLIC which is saved in a cortex session cookie. No entries are created in the JCR for PUBLIC users.