I’m afraid at this time the Auth0 service does not support a token introspection endpoint. Currently, the access tokens we issue use the JWT format and can be validated by the resource server using the public key associated with the specific tenant domain.
However, it seems Commercetools does not support such an option, so a direct integration does not seem possible at this time.
Thanks for your quick response - I have a quick follow-up question please. I understand direct integration does not seem possible at this time.
Since the Auth0 service does not support a token introspection endpoint, can I implement our own custom endpoint? But at the same time Commercetools expects an RFC 7662-compliant introspection endpoint.
Is it possible to implement our own RFC 7662-compliant introspection endpoint?
Technically speaking, I think you could indeed implement your own endpoint that accepts a JWT access token, validates it accordingly and returns a response in accordance with the token introspection requirements.
Having said that, we don’t generally recommend such proxies because you will now be fully responsible for ensuring that the extension you’re adding (an introspection endpoint in this case) does not introduce possible security vulnerabilities.
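As an added example (not code from this thread, from Auth0 or from Commercetools), here is the core of such a proxy in Python: it validates a JWT and returns an RFC 7662 response, answering only `{"active": false}` on any failure so the endpoint never reveals why a token was rejected. It uses an HMAC-signed demo token so it runs offline; real Auth0 tokens are RS256-signed and would be verified with the tenant's public key via a JWT library, and the issuer and audience values below are assumed.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key. A real endpoint would verify Auth0's RS256 signature
# with the tenant's public key instead of this shared secret.
DEMO_SECRET = b"demo-secret-not-for-production"
EXPECTED_ISS = "https://example-tenant.auth0.com/"  # assumed tenant issuer
EXPECTED_AUD = "https://api.example.com"            # assumed API identifier
# Claims that RFC 7662 allows in an "active" response and that a JWT may carry.
PASSTHROUGH = ("scope", "username", "exp", "iat", "nbf", "sub", "aud", "iss", "jti")

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _sign(signing_input):
    return hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()

def mint_demo_token(claims):
    """Build an HS256 JWT standing in for a token issued by the authorization server."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(_sign(f'{header}.{payload}'.encode()))}"

def introspect(token, now=None):
    """RFC 7662 response for a JWT access token; any defect yields {"active": False} only."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
            return {"active": False}
        expected = _sign(f"{header_b64}.{payload_b64}".encode())
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return {"active": False}
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad structure, bad base64, bad JSON
        return {"active": False}
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != EXPECTED_ISS or EXPECTED_AUD not in aud:
        return {"active": False}
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return {"active": False}
    resp = {"active": True, "token_type": "Bearer"}
    resp.update({k: claims[k] for k in PASSTHROUGH if k in claims})
    if "azp" in claims:  # JWT "azp" (authorized party) maps to RFC 7662 "client_id"
        resp["client_id"] = claims["azp"]
    return resp
```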
Is there any particular reason why Auth0 doesn’t provide a token introspection endpoint? Obviously it would be pretty easy for you guys to build this, and you are in an opportune position, having all these token details readily on hand at your endpoints. In fact, some Auth0 API endpoints already return similar information; they just don’t do it in any standards-compliant way, at least with regard to RFC 7662.
We are also trying to integrate with Commercetools. We were hoping to use Auth0, but this is a blocker for us. It would help to know if you guys see this as an issue (seeing as there are at least 5-6 forum posts I could find from a quick cursory search), whether losing customers over it would matter, and, if it is a priority to help customers with their OAuth needs, when this might see production.