
Today, we use SFCC for e-commerce and it has also acted as our primary identity provider. We're in the process of migrating users and transitioning to use an external identity provider, Amazon Cognito.

After the migration, our hope was that we would be able to perform authentication using the external IdP (Cognito) and use the issued Cognito 'Bearer' tokens to call the shop API.

Is this possible? Or, does the shop API require a JWT issued by SFCC?

jrlang002

1 Answer


I've not done it before, but there's a relatively new way to authenticate customers from a 'trusted system'. You can find more information about that here: https://documentation.b2c.commercecloud.salesforce.com/DOC2/index.jsp?topic=%2Fcom.demandware.dochelp%2FOCAPI%2Fcurrent%2Fusage%2FJWT.html

If your client application manages your customer credentials, it can obtain a JWT for a registered customer using the /customers/auth/trustedsystem resource. Because this API uses an OAuth token to identify the client application, we strongly recommend that you only use it in a system-to-system integration, where the client application keeps its own OAuth token secret.

After you are able to authenticate the customer, you could use the Session Bridge functionality to convert that JWT to a session cookie.

Good luck!

sholsinger
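
With the trusted-system flow described in the answer, SFCC issues a customer JWT for whatever login the backend submits, so the backend has to verify the Cognito token itself before making that call. The following Node.js sketch is an added example, not code from the answer or from Salesforce: it checks an RS256 Cognito ID token's signature and claims, then builds (without sending) the request to `/customers/auth/trustedsystem`. Assumptions: the signing key has already been resolved from the user pool's JWKS, the customer login is carried in the `email` claim, the request body uses `login` and `client_id` fields (confirm against the linked documentation), and all issuer, client and token values are constructed placeholders.

```javascript
// Added example: verify a Cognito ID token before vouching for the login to SFCC.
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// Verify an RS256 JWT against a known public key and the expected claims.
function verifyCognitoIdToken(token, publicKey, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  if (header.alg !== "RS256") throw new Error("unexpected alg"); // pin the algorithm, never take it from the token
  const ok = crypto.verify("sha256", Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(p, "base64url").toString());
  if (claims.iss !== expected.issuer) throw new Error("wrong issuer");
  if (claims.aud !== expected.appClientId) throw new Error("wrong audience");
  if (claims.token_use !== "id") throw new Error("not an ID token");
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) throw new Error("expired");
  return claims;
}

// Build (do not send) the server-side call to /customers/auth/trustedsystem.
function buildTrustedSystemRequest(claims, cfg) {
  return {
    method: "POST",
    path: "/customers/auth/trustedsystem",
    headers: { Authorization: `Bearer ${cfg.clientOAuthToken}` }, // client OAuth token stays on the server
    body: { login: claims.email, client_id: cfg.ocapiClientId }, // assumed field names and claim mapping
  };
}

// Constructed sample data: a throwaway key pair stands in for the user pool's JWKS key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const EXPECTED = { issuer: "https://cognito-idp.example-region.amazonaws.com/EXAMPLE_POOL", appClientId: "example-app-client" };
function signSample(claims, key = privateKey) {
  const input = `${b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(crypto.sign("sha256", Buffer.from(input), key))}`;
}
const SAMPLE_CLAIMS = { iss: EXPECTED.issuer, aud: EXPECTED.appClientId, token_use: "id", exp: 4102444800, email: "shopper@example.com" };
```

Only call `buildTrustedSystemRequest` with claims returned by `verifyCognitoIdToken`; a token that fails any check should end the request with no call to SFCC.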