Stefan Holm Olsen

Managing customer logins in Episerver’s Commerce Manager (with ASP.Net Identity)

If your Episerver Commerce site uses ASP.Net Identity authentication (based on the OWIN standard), you may have noticed that you cannot manage user accounts in Commerce Manager. But it works fine if you use the classic Forms Authentication.

This can be a big issue for users of the Commerce Manager, who might need to change a customer’s email address or password once in a while.

To address this issue, I have made a fix to the Commerce Manager.

The issues

The problem is that, out-of-the-box, Commerce Manager only works with Forms Authentication. So when the site is instead built with ASP.Net Identity authentication, the Contact screen looks like this.

Screenshot of customer view with missing information for an existing user account.

Notice that the bottom of the screen only shows the user name and that the account is not locked out. There is no further information and there are no actions to perform. If the contact exists without a related ASP.Net Identity user, then the user name field even shows the GUID key of the contact. That is simply not enough.

Without an integrated way of unlocking accounts, or changing email addresses or passwords, all of this logic has to be integrated in the web application, either as:

  • Customer-facing reset flows, which many sites already have, or
  • A custom administration page.

My solution

Luckily in Episerver Commerce, most screens can be extended and amended. So, in order to enable some of the simplest ASP.Net Identity user management in Commerce Manager, I simply ported some of the user controls from the Apps folder.

Now viewing the same contact in Commerce Manager, I see this.

Screenshot of customer view when an account exists.

And if I delete the account, or view a new customer without an account, the screen looks like this.

Screenshot of customer view when no account exists.

Browse the source code here.

This solution only mimics the simple built-in views. But ASP.Net Identity is often used with more advanced flows. So we could even extend the Contact screen further with support for:

  • Sending a reset password email
  • Re-sending email or phone number confirmation email
  • Resetting a user’s security stamp to force a user to log in again
  • Removing a user’s Facebook or Google login connections
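
As an added illustration (not code from the linked source or from Episerver), three of these actions could be backed by the ASP.Net Identity 2 `UserManager` as sketched below. The class name `ContactAccountActions` and the `buildResetUrl` delegate are hypothetical, and the sketch assumes the `UserManager` has a user token provider and an email service configured.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

// Hypothetical helper for the Contact screen; not part of Episerver or the linked source.
public class ContactAccountActions<TUser> where TUser : class, IUser<string>
{
    private readonly UserManager<TUser> _users;
    // Assumed delegate: (userId, urlEncodedToken) -> absolute URL of the site's reset page.
    private readonly Func<string, string, string> _buildResetUrl;

    public ContactAccountActions(UserManager<TUser> users, Func<string, string, string> buildResetUrl)
    {
        _users = users;
        _buildResetUrl = buildResetUrl;
    }

    // Mail a one-time reset link; the administrator never sees or chooses the password.
    public async Task SendPasswordResetAsync(string userId)
    {
        var token = await _users.GeneratePasswordResetTokenAsync(userId);
        var url = _buildResetUrl(userId, Uri.EscapeDataString(token));
        await _users.SendEmailAsync(userId, "Reset your password", "Reset your password here: " + url);
    }

    // Replace the security stamp so that existing sign-in cookies fail their next validation.
    public async Task ForceSignOutAsync(string userId)
    {
        Ensure(await _users.UpdateSecurityStampAsync(userId));
    }

    // Remove all external logins of one provider (for example "Facebook" or "Google").
    public async Task<int> RemoveExternalLoginsAsync(string userId, string provider)
    {
        var logins = (await _users.GetLoginsAsync(userId))
            .Where(l => string.Equals(l.LoginProvider, provider, StringComparison.OrdinalIgnoreCase))
            .ToList();
        foreach (var login in logins)
            Ensure(await _users.RemoveLoginAsync(userId, login));
        return logins.Count;
    }

    // Surface Identity errors instead of silently ignoring a failed operation.
    private static void Ensure(IdentityResult result)
    {
        if (!result.Succeeded)
            throw new InvalidOperationException(string.Join("; ", result.Errors));
    }
}
```

A new security stamp only signs the user out if the site's cookie authentication validates the stamp (for example through `SecurityStampValidator.OnValidateIdentity`), and then only after the configured validation interval has passed.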