403 Forbidden is prevent OOBO Customer Authentication from get an access token

[LWEBarrineau]

Hello to who it may concern.

2 months ago, I took over an org with B2C CRM Sync integrated, and recently, the Order on Behalf of quit working.
Below is the error that users are receiving. I am at a lost and have tried everything, even changing the Named Credentials, if anyone could help me understand how to fix this error it would be greatly appreciated
()

[avarma4213]

Hi LWEBarrineau,

Have you resolved this issue? We are also facing the same issue. It would be great if you can provide some useful info to resolve this issue?

Thanks,
Ashok

[LWEBarrineau]

Hi @avarma4213

This happened due to an update on Commerce Cloud. Following is the help article that explains the change: Help And Training Community

In our B2C Site, the ‘Record API Url’ was a hyphenated hostname and we had to switch it to the vanity hostname.

Once this was done, the request was successful.

[avarma4213]

Hi LWEBarrineau,

Thank you so much for the reply on this. We changed the URL in b2c Commerce integration properties on our core salesforce applicaton - Record API URL with the changed url.

After this change we are able to see the Launch on Order behalf of button.

Now OOBO flow is working. we are seeing the browser error as below when we click on Oder On behalf of Button.

---

Refused to connect to 'https://******.com/s/xxxx-au/dw/shop/v21_03/sessions' because it violates the following Content Security Policy directive: "connect-src 'self' https://static.lightning.force.com/ https://api.bluetail.salesforce.com/ https://staging.bluetail.salesforce.com/ https://preprod.bluetail.salesforce.com/ https://xxxx.demandware.net/ https://xxxxxx.demandware.net/ blob: *.vf.force.com https://xxxxx.sandbox.file.force.com/ https://xxx.salesforce.com/ https://notification-service.sfproxy.null.ia4.aws.sfdc.cl/ wss://notification-service.sfproxy.null.ia4.aws.sfdc.cl".

Are there any other steps which we need to do like named credetials, or generate jwt tokens or remote site settings?

Thanks,
Ashok

[sandragolden]

@avarma4213 You will need to ensure that CSP Trusted Site is pointing towards your B2C Commerce host with the following set to true

connect-src
img-src

Also, please double check that the B2C domain is correct/updated in Remote Site Settings

As well, you should check that your OCAPI Settings have the salesforce domain listed as an allowed origin as described here.

"client_id": "[-------insert your clientId here---------------]",
"allowed_origins": [
    "https://[].lightning.force.com",
    "https://[].my.salesforce.com"
]