Bajalibros: Delegated OpenID Authentication Integration
Introduction
Bajalibros operates multiple regional stores on our platform. Each store relies on an external Identity Provider (IdP) owned by the Infobae group (which internally uses Arc) to authenticate end users. This document explains how the delegated OpenID Connect flow works and how our platform consumes the IdP response to sign customers into their corresponding store.
Integration Route
GET /{tenantId}/embeddable-login-ui/{aggregatorId?}
- Latam tenantId: 2251799844000014
- Argentina tenantId: 2251799844000000
- Mexico tenantId: 2251799844000001
- Colombia tenantId: 2251799844000010
- Administracion tenantId: 1125899936000002
The route belongs to the tenant that hosts the Administration store. When the external IdP finishes the login process, it returns users to https://www.bajalibros.com, which then forwards the request to the appropriate regional store based on the visitor's location.
Authentication Workflow
- The guest selects Sign-in on any Bajalibros store.
- The system immediately redirects the browser to the external IdP form.
- After entering credentials, the IdP redirects the user back to bajalibros.com together with the aggregatorId that identifies the regional store.
- The regional store loads the embeddable login iframe and passes the IdP payload to the integration.
- The integration extracts the user's email and external_id, then issues a JWT:
  - If the user does not exist, it creates a new account.
  - If the account exists, it links by email and external_id.
- The iframe sends a loginSuccess message to its host via postMessage:
  - Web – the host saves an Auth Token (see Auth Token documentation).
  - App – the host stores the JWT directly.
- The user is now signed in.
- When the user selects Sign-out, the session on the regional store closes and the flow can start again whenever needed.
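The two steps that carry the most risk in the workflow above are the account resolution (matching the IdP payload to a store account) and the host page's handling of the iframe's loginSuccess message. The following is an added example, not Bajalibros' integration code: it models the documented rules (match on external_id, otherwise link by email, otherwise create) over a constructed in-memory user list, and shows a host-side message handler that only accepts loginSuccess from the expected iframe origin. The function names, the message shape ({ type, jwt }) and the sample accounts are assumptions.

```javascript
// Added example: account resolution and loginSuccess handling (not project code).

// Constructed sample accounts: our own id, the email, and the IdP's
// external_id (null when the account has never been linked to the IdP).
function makeSampleUsers() {
  return [
    { id: 1, email: 'ana@example.com', external_id: 'idp-111' },
    { id: 2, email: 'bruno@example.com', external_id: null },
  ];
}

// Resolve an IdP payload {email, external_id} to a store account.
// Order matters: external_id is the IdP's stable subject identifier, so it is
// checked first; email is only used to link an account that was never linked.
// Returns { action: 'existing' | 'linked' | 'created', user }.
function resolveAccount(users, payload) {
  if (!payload || typeof payload.email !== 'string' || typeof payload.external_id !== 'string') {
    throw new Error('IdP payload must carry email and external_id');
  }
  const email = payload.email.trim().toLowerCase();

  const byExternalId = users.find(u => u.external_id === payload.external_id);
  if (byExternalId) return { action: 'existing', user: byExternalId };

  const byEmail = users.find(u => u.email.toLowerCase() === email);
  if (byEmail) {
    if (byEmail.external_id !== null && byEmail.external_id !== payload.external_id) {
      // The email is already bound to a different IdP subject: refuse rather
      // than silently rebinding the account to a new external_id.
      throw new Error('email already linked to a different external_id');
    }
    byEmail.external_id = payload.external_id;
    return { action: 'linked', user: byEmail };
  }

  const user = { id: users.length + 1, email, external_id: payload.external_id };
  users.push(user);
  return { action: 'created', user };
}

// Host-side handler for the iframe's loginSuccess message. The event is a plain
// object {origin, data} so the function runs outside a browser; in a page it
// would be registered with window.addEventListener('message', ...).
// Returns the JWT string when the message is acceptable, otherwise null.
function handleLoginMessage(event, expectedIframeOrigin) {
  // Drop anything not sent by the embeddable login iframe's origin.
  if (!event || event.origin !== expectedIframeOrigin) return null;
  const data = event.data;
  if (!data || data.type !== 'loginSuccess' || typeof data.jwt !== 'string' || data.jwt === '') {
    return null;
  }
  // Web hosts exchange this for an Auth Token, app hosts keep it as-is;
  // either way the storage step happens in the caller.
  return data.jwt;
}

// Iframe side: build the message together with the explicit targetOrigin the
// iframe should pass to postMessage instead of '*'.
function buildLoginSuccessMessage(jwt, hostOrigin) {
  return { message: { type: 'loginSuccess', jwt }, targetOrigin: hostOrigin };
}

module.exports = { makeSampleUsers, resolveAccount, handleLoginMessage, buildLoginSuccessMessage };
```

The origin check is the important part of handleLoginMessage: without it any page that manages to frame the host, or any other iframe on the page, could post a loginSuccess message and have the host store an attacker-chosen token.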
End-to-End Flow Diagram
Best Practices & Considerations
- Always validate that no active session exists before redirecting to the IdP to avoid unexpected state.
- Use HTTPS exclusively to protect the OpenID response parameters in transit.
- Maintain a mapping of aggregatorId values to regional store domains in platform.php.
- Keep clock skew between the IdP and our servers under 60 seconds to prevent token-expiry errors.
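The last two practices are easiest to get wrong in small ways: an aggregatorId lookup that falls through to an arbitrary redirect target, or an expiry check with no skew allowance. The following is an added example in JavaScript, not the contents of platform.php: a closed aggregatorId-to-store map, a redirect resolver that returns nothing for unknown ids or non-relative return paths, and a JWT time-claim check that tolerates the 60-second skew budget stated above. The ids, domains and function names are constructed assumptions; signature verification of the JWT is assumed to happen before the timing check.

```javascript
// Added example: aggregatorId mapping and skew-tolerant token timing (not project code).

// Constructed mapping; in production this lives in platform.php. A Map is used
// so that lookups like '__proto__' cannot hit inherited object properties.
const STORE_BY_AGGREGATOR_ID = new Map([
  ['agg-latam', 'https://latam.bajalibros.example'],
  ['agg-ar', 'https://ar.bajalibros.example'],
  ['agg-mx', 'https://mx.bajalibros.example'],
  ['agg-co', 'https://co.bajalibros.example'],
]);

// Resolve the post-login forward target for an aggregatorId.
// Unknown ids return null so the caller can fail closed instead of redirecting
// into a loop (see Troubleshooting) or to a caller-supplied absolute URL.
function resolveStoreUrl(aggregatorId, returnPath = '/') {
  if (typeof aggregatorId !== 'string') return null;
  const base = STORE_BY_AGGREGATOR_ID.get(aggregatorId);
  if (!base) return null;
  // Accept only a same-site relative path: '/cart' yes, '//evil.example' no.
  if (typeof returnPath !== 'string' || !returnPath.startsWith('/') || returnPath.startsWith('//')) {
    return null;
  }
  const url = new URL(returnPath, base);
  // Belt and braces: the resolved URL must still be on the mapped store origin.
  if (url.origin !== new URL(base).origin) return null;
  return url.toString();
}

// Check JWT time claims (seconds since epoch) with a skew allowance.
// exp is mandatory; nbf and iat are checked when present. Returns {ok, reason}.
function checkTokenTiming(claims, nowSec, maxSkewSec = 60) {
  if (!claims || typeof claims.exp !== 'number') return { ok: false, reason: 'missing exp' };
  // Expired once exp is more than maxSkewSec in the past.
  if (claims.exp + maxSkewSec <= nowSec) return { ok: false, reason: 'expired' };
  // Not yet valid if nbf is more than maxSkewSec in the future.
  if (typeof claims.nbf === 'number' && claims.nbf - maxSkewSec > nowSec) {
    return { ok: false, reason: 'not yet valid' };
  }
  // An iat far in the future means the IdP clock is ahead of ours.
  if (typeof claims.iat === 'number' && claims.iat - maxSkewSec > nowSec) {
    return { ok: false, reason: 'issued in the future' };
  }
  return { ok: true, reason: null };
}

module.exports = { STORE_BY_AGGREGATOR_ID, resolveStoreUrl, checkTokenTiming };
```

A rejection with reason 'expired' or 'issued in the future' for tokens that were just minted is the symptom of the clock-drift row in the Troubleshooting table; the fix is NTP on both sides, not a larger maxSkewSec.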
Troubleshooting
| Symptom | Likely Cause | Recommended Fix |
|---|---|---|
| Infinite redirect loop after login | Incorrect aggregatorId mapping | Verify mapping in platform.php |
| User created without region | IP geolocation failed | Ensure fallback region logic is in place |
| Token rejected by frontend | Clock drift between servers | Sync server clocks via NTP |
Conclusion
This integration allows Bajalibros to centralize user authentication while preserving a seamless shopping experience across regional domains. By following the outlined steps, engineering teams can maintain a secure, reliable delegated login flow that maps IdP users to store accounts in our ecosystem.