Share access token between Hybris and Next.js
Overview
We need a way to share access tokens from Hybris with the Next.js application so that the Next.js app can make authenticated requests to Hybris commercewebservices endpoints.
Proposals
Option 1: Authenticate user using Auth0 access token
Discarded because it is not possible to add custom claims to the Auth0 opaque access token.
- Hybris will write a new cookie to store the encrypted Auth0 access token under the .rapha.cc domain once the customer has successfully logged in. That cookie should be accessible by the Next.js app.
- The Next.js app will decrypt the cookie value on the server side and use the decrypted access token to call Hybris commercewebservices endpoints.
- Hybris will receive the Auth0 access token in the request headers and authenticate the user based on it.
The access token can be encrypted and decrypted the same way we store Hybris tokens in user metadata (spike004-node-java-metadata-encryption). The IV used to encrypt the access token will probably also need to be stored in another cookie.
Advantages
- Fully relies on Auth0 authentication
Disadvantages
- Needs modifications to the Hybris commercewebservices filters
- Requires storing the user access token in a cookie
- The Auth0 access token generated by universal login is an opaque one: it cannot be decoded as a JWT and does not support custom claims. (Custom claims would be needed to add a customer identifier such as email or customer_uid so that Hybris can identify which customer is accessing.) I think we faced the same issue when calling the Mobile Backend from the Mobile App; this was solved on the Mobile App by adding the audience to the login request, but unfortunately it is not possible to set the audience on universal login for Hybris. This is a blocking issue, as it makes it impossible to use the Auth0 access token to authenticate and authorize the user on Hybris endpoints.
Notes
- The Auth0 access token is an authorization token, not an authentication one. Anyway, I need to check if we can identify the user with it as we do in the mobile backend.
Option 2: Authenticate user using Hybris OAuth token
- Hybris will write a new cookie to store the encrypted Hybris OAuth token under the .rapha.cc domain once the customer has successfully logged in. That cookie should be accessible by the Next.js app.
- The Next.js app will decrypt the cookie value on the server side and use the decrypted token to call Hybris commercewebservices endpoints.
- Hybris will receive the Hybris OAuth token in the request headers and authenticate the user based on it.
The Hybris OAuth token can be decrypted the same way we manage it in Auth0 metadata (spike004-node-java-metadata-encryption). The IV used to encrypt the Hybris OAuth token will probably also need to be stored in another cookie.
Advantages
- Doesn't require any change on Hybris commercewebservices extension.
Disadvantages
- It does not align closely with our new Auth0-based approach
- Requires storing the Hybris OAuth token in a cookie
Notes
- Does the Hybris OAuth token need to be encrypted with a new key to be stored in the cookie, or can it be written to the cookie with the existing encryption used for Auth0?