What a OAuth integration gives you.
Employees and B2B buyers sign in with their corporate identity across web storefronts, trade portals and mobile apps without separate passwords. Account linking is transparent.
When a buyer joins a cost centre or project team in the identity system, their commerce permissions update automatically. Approval limits and visibility rules follow without manual account editing.
When a team member leaves or their role changes, access to the trade portal and customer accounts is revoked within minutes. No orphaned sessions or ghost accounts remain.
Identity provider policies for multi-factor authentication and session timeout apply to commerce login, checkout and trade account access consistently. Compliance requirements are met in one place.
Login events and permission changes are recorded by both identity provider and commerce. Audit trails support compliance reviews and troubleshooting without manual log inspection.
Where a OAuth integration earns its place.
If two or more of these are true, the integration usually pays for itself quickly.
Where off-the-shelf connectors fall short.
Vendor connectors are fine for simple cases. Here's where the real ones need more.
OAuth 2.0 itself carries minimal claims; OpenID Connect adds ID tokens with standard claims like email and subject. Custom attributes like cost centre, buyer role or approval limit must be added as custom claims and mapped in the integration layer.
The identity provider doesn't know about existing commerce customer records. Someone must define the linking rule (by email, by external ID, by manual curation) and handle edge cases where the identity user doesn't yet have a commerce account.
Groups from the identity provider don't automatically become commerce permissions. A mapping table must be maintained and refreshed when corporate structure or role definitions change.
When a user is deleted or suspended in the identity provider, commerce doesn't automatically revoke access to trade accounts or orders in flight. Token revocation and session termination must be triggered explicitly.
Commerce platforms often treat all logins the same way. If you need consumers to authenticate locally and B2B buyers to use corporate SSO, custom logic is required to route login flows correctly.
Account linking and deprovisioning timing separate well-intentioned SSO projects from ones that survive a corporate restructure without orphaning access or locking out the wrong users.
Where this integration sits in your estate.
OAuth holds the commercial record. The iWeb integration layer manages the rules, mappings, monitoring and exceptions. The commerce platform presents the customer-facing experience. The estate map helps agree ownership before anything is built.
Built for your platform, not a specific one. OAuth integrates with any ecommerce core through the same contract.
- User identity and verification
- Multi-factor authentication policy
- Group and role definitions
- Session and token lifetime
- Credential rotation and key management
- Customer account records and linking
- Trade account permissions and overrides
- Login session state on the storefront
- Approval workflows tied to permissions
- Order visibility and purchase authority rules
Systems this integration usually sits next to.
Examples, not a closed list. iWeb is platform-agnostic on both sides: we wire this integration into whatever ecommerce platform and surrounding systems your estate already runs.
- Adobe Commerce
- Magento Open Source
- Shopify Plus
- BigCommerce
- Other storefronts
- Azure AD / Entra ID
- Okta
- Keycloak
- Google Identity
- Customer data platform
- ERP (for customer account master)
- Trade portal or customer self-service
Not sure if this works with your stack?
Tell us what you’re using and what needs to connect. We’ll give you a straight view on what’s possible, what might be awkward, and the safest way to approach it.
The data flows we wire.
Each flow has a direction and an owner. We agree both before a line of code is written.
How iWeb configures the integration around your business.
Same method on every integration. The decisions come before the code.
- 01Map token claims to commerce customer and trade account records
iWeb defines how user ID, email and custom claims from the OpenID Connect token link to commerce customer accounts and corporate buying roles. Fallback logic handles users without a pre-existing account.
- 02Build and maintain the group-to-role mapping table
iWeb designs the governance rules for translating identity provider groups (department, team, location) into commerce permissions (buyer, approver, account manager). The mapping is versioned and auditable.
- 03Handle account linking and customer identity conflicts
iWeb resolves ambiguity when a user exists in both identity provider and commerce but the link is unclear. Rules define whether identity is system of record or whether commerce customer records are canonical.
- 04Build deprovisioning and session revocation workflows
iWeb designs the path from user deletion or suspension in the identity provider through to commerce session termination and trade account lock. Timing and ordering matter for compliance and customer service.
- 05Monitor token refresh, MFA and session health
iWeb sets up observability so token expiry, refresh failures, MFA opt-out and session timeout are visible before they break login. Exception queues alert teams to certificate rotation or credential drift.
Who owns what.
The single most important table in any integration. One system owns each field; everything else reads it.
Built this before
iWeb has integrated OAuth 2.0 and OpenID Connect authentication into ecommerce and trade portal estates multiple times. We understand how token flows, account linking, group mapping and deprovisioning sit alongside ERP customer records, OMS approval workflows and trade account governance.
What we test before launch.
Every one of these is rehearsed before a customer ever sees the integration.
Common risks and where they bite.
We name these on day one. A risk written down is a risk you can plan around.
A user is deleted in the identity provider but their commerce session or trade account remains active. They can still place orders or access customer data until the token naturally expires or commerce is manually cleaned.
Corporate groups are renamed or reorganised but the mapping table in commerce is not updated. Users in the new group structure either lose permissions suddenly or retain access to resources they should not see.
A customer is halfway through checkout when their OpenID Connect ID token expires. Commerce rejects the token, session is terminated and the order is lost. No retry path exists.
A user with the same email exists in both identity provider and commerce customer records but they are not linked. The user signs in and creates a second commerce account, fragmenting order history and permissions.
The identity provider enforces MFA suddenly but commerce doesn't support MFA challenges. Users cannot complete login, and fallback to manual password reset is not defined.
The identity provider rotates its signing key or certificate. Commerce is still validating tokens against the old key and rejects all login attempts. No alert surfaces the mismatch until users report broken login.
Relevant services and sectors.
Common questions about OAuth integrations.
What is the difference between OAuth 2.0 and OpenID Connect?
OAuth 2.0 is an authorization standard for delegated access to resources; it does not carry user identity. OpenID Connect adds an identity layer on top of OAuth 2.0, issuing ID tokens that carry user claims (email, subject, groups). For ecommerce and trade portal login, use OpenID Connect so you get user information; OAuth 2.0 alone is suitable for API authorization.
How do we link a customer's identity provider user record to their commerce account?
The integration can link by email address (if it is unique and trusted in both systems), by external user ID (if the identity provider exposes it and commerce stores it), or by manual curation for edge cases. The linking rule is configured once and applied during first login or as a batch operation; after that, the OpenID Connect subject claim identifies the user.
What happens if a user exists in the identity provider but not yet in commerce?
On first login, the integration can either create a new commerce customer record automatically (just-in-time provisioning) or reject the login and ask them to register. Just-in-time provisioning is faster for end users but requires rules about which claims become which customer fields.
How are corporate groups converted into commerce permissions?
A mapping table translates identity provider group names into commerce permission sets (e.g., 'Finance-Team' becomes 'Approver' role, 'HR-Procurement' becomes 'Buyer' role). The mapping is maintained by the integration team and applied during login or group sync. If the group changes in the identity provider, the mapping must be updated to reflect the new permission set.
What happens when a user is deprovisioned in the identity provider?
When a user is deleted or suspended, the identity provider stops issuing tokens for them. Commerce should revoke any existing sessions immediately and prevent future login attempts with stale tokens. Deprovisioning workflows must handle trade account locks, order visibility revocation and customer record archiving to avoid orphaned access.
Can we enforce multi-factor authentication from the identity provider?
Yes. If the identity provider requires MFA, the user completes the challenge during the OpenID Connect flow and receives a token only after successful MFA. Commerce honours the MFA requirement because the token itself is proof that MFA was passed. If commerce adds its own MFA on top, you have defense-in-depth but also higher friction.
What should we do if the identity provider is unreachable during checkout?
If token verification fails because the identity provider keys are unavailable, commerce can either reject the request (hard fail) or allow a short grace period using cached keys (soft fail). Hard fail is more secure but blocks legitimate users; soft fail is more resilient but carries the risk of accepting an expired or revoked token. The choice depends on your security posture and downtime tolerance.
How long should sessions last, and who decides?
The identity provider usually sets the ID token lifetime (e.g., 1 hour) and issues refresh tokens for longer-lived sessions (e.g., 24 hours). Commerce should honour the token expiry and require re-authentication or refresh when needed. If commerce has its own session layer, ensure the lifetime is shorter than or equal to the refresh token lifetime to avoid sessions that outlive the identity provider's authority.
How do we handle the case where a user has multiple email addresses?
If the identity provider recognizes multiple email addresses for the same user but commerce treats each email as a distinct account, you must pick a canonical email or subject ID for linking. If a user links different emails to the same commerce account, use the subject claim (which is unique per user in the identity provider) as the stable identifier.
What happens if we rotate the identity provider's signing certificate?
The identity provider issues new tokens signed with the new key. Commerce must fetch the new public key (via the identity provider's JWKS endpoint) and validate tokens against it. This should happen automatically if commerce is configured to refresh keys periodically, but if it does not, tokens will be rejected until commerce is updated manually.
Can we use different identity providers for consumers and B2B buyers?
Yes. Commerce can be configured with multiple OpenID Connect identity providers and route login requests to the appropriate one based on the path (e.g., /consumer/login uses a local provider, /trade/login uses corporate SSO). The account linking and group mapping logic must be specific to each identity source.
How do we audit who logged in and why permissions changed?
The identity provider logs all authentication requests and token issuance. Commerce logs login events and permission changes tied to the user's subject ID. Audit trails should include timestamp, user, login success/failure, token refresh, group changes and permission updates. Both systems' logs should be available for compliance reviews.
What if a trade account needs approval limits that don't match the user's group?
Group-to-role mapping sets the baseline permission set. Commerce can then apply account-level overrides (e.g., this user can approve up to GBP 50,000 even though their group usually can approve up to GBP 10,000). Overrides should be rare, documented and separate from the group mapping to avoid confusion.
How do we handle the transition from local passwords to SSO?
Customers with existing commerce accounts can be invited to link their identity provider credentials by email verification or admin curation. Dual authentication (local and SSO) can run in parallel during the transition, with decommissioning of local passwords set for a future date. Account linking must happen before the cutover to avoid orphaned records.



