How to integrate 3D Secure authentication in PayPal payment gateway? - java

Good day to all. I'm currently integrating the PayPal payment gateway (back end) in one of my projects. This is my first time working with a payment gateway. I want to integrate 3D Secure authentication using PayPal's Orders API. Can anyone enlighten me on the flow of using the API for integrating PayPal with 3D Secure authentication?
For example:
I have tested the normal flow, without 3D Secure authentication, using Postman. The flow is as below.
1. I get the amount and currency from the front end.
2. I create the access token using the client ID and secret, which I receive from the company DB.
3. Then I create an order using the https://api.sandbox.paypal.com/v2/checkout/orders API.
4. I get a checkout link from the response, like https://www.paypal.com/checkoutnow?token=5O190127TN364715T
5. I redirect the user to this link, which sends the user to the PayPal page to make the payment. After completing the payment, I redirect the user to the success/failure URL, which also contains the token and payer ID.
6. Then I use https://api-m.paypal.com/v2/checkout/orders/<token/orderID>/capture to complete the payment.
Now I want to add 3D Secure authentication to it. From the documentation on integrating 3D Secure, I found that I need to add the payment source inside it and add SCA_ALWAYS as the verification attribute in the card object. But how can I get the payment source to provide in the request body? (FYI, I'm not supposed to use any libraries from PayPal, as a company policy.)

When redirecting to a PayPal checkout page such as https://www.paypal.com/checkoutnow?token=5O190127TN364715T in your example (or, for a better UX, never redirecting away and instead using an in-context popup that keeps your site loaded), there is no need to implement 3D Secure. PayPal will present any 3D Secure flow if needed, which will depend on the buyer account and its country and the credit card used, and might only happen the first time the card is used.
Implementing 3D Secure only applies to direct card integrations such as Advanced Credit and Debit Cards (with or without hosted fields), or the Braintree Gateway.
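The redirect flow the question lists (access token, create order, approve link, return, capture), worked through server-side as an added example in Python. This is not code from the original post or from PayPal; it builds the requests without sending them and, against constructed sample responses, performs the checks a server should make when the buyer comes back: the returned token must be an order this server created, and the capture response, not the redirect, decides whether to fulfil. The sandbox host, the application_context return/cancel fields and the response shapes are assumptions taken from the Orders v2 documentation. As the answer says, nothing here touches 3D Secure; PayPal presents it during the approval step if needed.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumed sandbox base URL for the Orders v2 API; the question shows both api.sandbox.paypal.com
# and api-m.paypal.com, so use the host your environment is provisioned for.
API_BASE = "https://api-m.sandbox.paypal.com"


def token_request(client_id: str, client_secret: str) -> dict:
    """Build POST /v1/oauth2/token (client credentials). The client ID and secret travel in an
    HTTP Basic header, so this runs on the server; nothing is sent from here."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": f"{API_BASE}/v1/oauth2/token",
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": "grant_type=client_credentials",
    }


def create_order_request(access_token: str, amount: str, currency: str,
                         return_url: str, cancel_url: str) -> dict:
    """Build POST /v2/checkout/orders with intent CAPTURE. The amount comes from the server's
    own price list, never from the browser; PayPal-Request-Id makes a retried call idempotent."""
    body = {
        "intent": "CAPTURE",
        "purchase_units": [{"amount": {"currency_code": currency, "value": amount}}],
        "application_context": {"return_url": return_url, "cancel_url": cancel_url},
    }
    return {
        "method": "POST",
        "url": f"{API_BASE}/v2/checkout/orders",
        "headers": {"Authorization": f"Bearer {access_token}",
                    "Content-Type": "application/json",
                    "PayPal-Request-Id": secrets.token_hex(16)},
        "body": json.dumps(body),
    }


def approve_link(order_response: dict) -> str:
    """The buyer redirect URL is the link whose rel is "approve" in the create-order response."""
    for link in order_response.get("links", []):
        if link.get("rel") == "approve":
            return link["href"]
    raise ValueError("create-order response has no approve link")


def order_id_from_return(return_url: str) -> str:
    """The return redirect carries ?token=<order id>&PayerID=...; the token is the order id."""
    token = parse_qs(urlsplit(return_url).query).get("token", [""])[0]
    if not token:
        raise ValueError("return URL carries no token")
    return token


def verify_capture(pending: dict, order_id: str, capture_response: dict) -> bool:
    """Decide whether to fulfil after POST /v2/checkout/orders/{id}/capture. The redirect alone
    proves nothing: the id must be an order this server created and still awaits payment, the order
    and its capture must both be COMPLETED, and the captured amount must equal what was asked for."""
    expected = pending.get(order_id)
    if expected is None or capture_response.get("id") != order_id:
        return False
    if capture_response.get("status") != "COMPLETED":
        return False
    try:
        capture = capture_response["purchase_units"][0]["payments"]["captures"][0]
    except (KeyError, IndexError, TypeError):
        return False
    if capture.get("status") != "COMPLETED":
        return False
    amount = capture.get("amount", {})
    return (amount.get("currency_code"), amount.get("value")) == (expected["currency"], expected["amount"])


# Constructed sample responses shaped like the Orders v2 documentation; not real API output.
ORDER_ID = "5O190127TN364715T"
SAMPLE_ORDER_RESPONSE = {
    "id": ORDER_ID, "status": "CREATED",
    "links": [
        {"href": f"{API_BASE}/v2/checkout/orders/{ORDER_ID}", "rel": "self", "method": "GET"},
        {"href": f"https://www.sandbox.paypal.com/checkoutnow?token={ORDER_ID}", "rel": "approve", "method": "GET"},
        {"href": f"{API_BASE}/v2/checkout/orders/{ORDER_ID}/capture", "rel": "capture", "method": "POST"},
    ],
}
SAMPLE_CAPTURE_RESPONSE = {
    "id": ORDER_ID, "status": "COMPLETED",
    "purchase_units": [{"payments": {"captures": [{"id": "CONSTRUCTED-CAPTURE-ID", "status": "COMPLETED",
                                                   "amount": {"currency_code": "USD", "value": "100.00"}}]}}],
}

if __name__ == "__main__":
    pending = {ORDER_ID: {"amount": "100.00", "currency": "USD"}}  # saved when the order was created
    print(approve_link(SAMPLE_ORDER_RESPONSE))
    returned = order_id_from_return(f"https://example.com/success?token={ORDER_ID}&PayerID=CONSTRUCTED")
    print(verify_capture(pending, returned, SAMPLE_CAPTURE_RESPONSE))
```

The `pending` map stands in for whatever store records each created order with the amount the server priced it at; the entry is removed once `verify_capture` returns true so a replayed return URL cannot trigger a second fulfilment.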

Related

Which would be the right way to Sign-In on my own server from an native Android app?

I have a website and my own server and database, and I also have a native Android app. I need to allow users to sign in with their account from the website inside the app in order to sync information and other things they need to use. I've been stuck for a couple of days trying to figure out how to do that. I've found a lot of content regarding OAuth and AppAuth, but they are focused on using an OAuth API to do the job. Back on my server, I use Hybridauth for social login, but users can also register directly on the site. What would be the proper way to allow my users to sign in to their website account through the Android app?
You're overthinking it. OAuth isn't meant for users to log in, it's meant to enable external services to access data on behalf of a user.
To make a user log in? Create a POST endpoint on your web service named login. It should take two parameters: username and password. The body of the login service should salt and hash the password, then check if the hash equals the hash stored in the DB for the same user. If so, you're logged in and you return a success packet with a unique token to authenticate you for later requests. If not, you return a failure. The Android app would ask the user for their data, then send a request to the endpoint. On success it saves the token and sends it in all future requests to authenticate yourself, either as a parameter or as a header.
This is of course the simplest possible version. More advanced features would include expiry of login tokens, refresh tokens, possible lockout if you have too many bad requests, etc. But the above is the basic idea. Although really I'd look for an open source solution you can take, as there's quite a lot of complexity when you get into all the stuff mentioned above, and it's a place where a mistake that leads to a vulnerability is probably the most dangerous.
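The login service the answer sketches, as an added example in Python that is not part of the answer. It uses PBKDF2-HMAC-SHA256 for the "salt and hash" step rather than a bare salted digest, compares in constant time, mints a random bearer token with an expiry, and locks the account after repeated failures, which covers the "more advanced features" the answer lists. The iteration count, token lifetime, lockout threshold, and the in-memory user and token tables are assumptions standing in for your database.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Optional

# Assumptions for this example: PBKDF2-HMAC-SHA256 at 600,000 iterations (OWASP's current
# recommendation for PBKDF2), one-hour bearer tokens, lockout after five consecutive failures.
PBKDF2_ITERATIONS = 600_000
TOKEN_TTL_SECONDS = 3600
MAX_FAILURES = 5


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh 16-byte random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Dummy record hashed against when the username is unknown, so a missing user costs the same
# time as a wrong password and the endpoint does not reveal which usernames exist.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(secrets.token_hex(8))


class LoginService:
    """In-memory stand-in for the user table and token store behind a POST /login endpoint."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock       # injectable so expiry can be tested without sleeping
        self.users = {}          # username -> (salt, digest)
        self.failures = {}       # username -> consecutive failed logins
        self.tokens = {}         # token -> (username, expiry timestamp)

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> dict:
        """Verify the credentials; on success mint a random bearer token with an expiry."""
        if self.failures.get(username, 0) >= MAX_FAILURES:
            return {"ok": False, "error": "account locked"}
        record = self.users.get(username)
        salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
        _, candidate = hash_password(password, salt)
        # compare_digest is constant-time, so the comparison leaks nothing about matching prefixes
        if record is None or not hmac.compare_digest(candidate, stored):
            self.failures[username] = self.failures.get(username, 0) + 1
            return {"ok": False, "error": "invalid credentials"}   # same message for both causes
        self.failures.pop(username, None)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, self.clock() + TOKEN_TTL_SECONDS)
        return {"ok": True, "token": token}

    def authenticate(self, token: str) -> Optional[str]:
        """Resolve a token sent with a later request (e.g. in a header) to a username, or None."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if self.clock() > expiry:
            del self.tokens[token]   # expired tokens are dropped, forcing a fresh login
            return None
        return username

    def logout(self, token: str) -> None:
        self.tokens.pop(token, None)


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")
    print(svc.login("alice", "wrong"))
    result = svc.login("alice", "correct horse battery staple")
    print(result["ok"], svc.authenticate(result["token"]))
```

The token is an opaque random value looked up server-side, so there is nothing for the app to parse or forge; the app only has to store it and send it with each request over TLS.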

How can I capture & authorize paypal payments without using setReturnUrl

I'm trying to accept payments for my application using PayPal. I have it set up where I can pay via Express Checkout, but once I pay the amount I get redirected so I can authorize the payment. I'm not using a web server, so how can I disable URL redirects and just capture the payment as soon as they pay?
import com.paypal.api.payments.Payment;
import com.paypal.api.payments.RedirectUrls;

// The buyer is sent to returnUrl after approving at PayPal and to cancelUrl if they abandon checkout.
RedirectUrls redirectUrls = new RedirectUrls();
redirectUrls.setCancelUrl("example.com/");
redirectUrls.setReturnUrl("example.com/");
payment.setRedirectUrls(redirectUrls);
I need to disable these, so that instead of redirecting it stays on the PayPal page.
Actual result: example.com/paymentId=PAY-SIMP&token=EC-SIMP&PayerID=SIMP
Expected result: it should not redirect to example.com but stay on PayPal's website.
If you are not using a server, then wherever you are generating the payment is where you need to handle the return after the customer authorizes the transaction at PayPal, and execute the transaction.
Based on the other comments, my understanding is you have no mobile app, just a Java client-side desktop app, and no corresponding server (or at least no web server, as you say).
PayPal is an ecommerce payment service that provides no SDKs that are intended or useful from such a Java desktop application. So, you should get rid of whatever you've written so far.
Without any web server nor Android/mobile app, the question really becomes: "I have a desktop application. What is the best way to accept PayPal payments with no web presence?"
And there are two reasonable alternatives:
1. PayPal Payments Standard, opening an in-app browser or the system's default browser, with a web link such as: https://www.paypal.com/webscr?cmd=_xclick&business=your_paypal_account#somedomain.com&item_name=some%20item%20or%20service&amount=100&currency_code=USD
2. A client-side integration of Smart Payment Buttons, using a local HTML file loaded in a web browser, using code similar to the following skeleton demo: https://developer.paypal.com/demo/checkout/#/pattern/client
A potential third alternative would be to host a micro-webserver on some port on localhost, so as to handle the return of a full SDK.

What is the PayPal REST API equivalent of Stripe Connect?

Looking at the way "PayPal uses OAuth 2" (https://developer.paypal.com/webapps/developer/docs/integration/direct/paypal-oauth2/), I don't see how using basic username and password server integration can ever give me the ability to collect on behalf of other PayPal users.
Basically I want to be able to have a user with a PayPal account go through an access flow (ex. OAuth) which then gives me the ability to post payments to their accounts from customers.
This is what Stripe Connect does in a very easy straightforward way, does PayPal offer this in their REST API or in another developer API? Thanks!
I think Login with PayPal or Pay / Preapproval (or a combination of both) might be what you're after.

Protect Google Cloud Endpoints from unauthorized users

I managed to implement the auth function described by google using a clientid.
So when visiting the html page, one gets asked to authenticate with a google account.
Question: As it is now, everyone can use the site, as long as he/she has a Google account to authenticate with. How do I restrict the usage to a certain group of users? Do I need to manage a list of unique user IDs provided by the User object? Or is there already something prebuilt that I can make use of?
I think the safest would be to keep a list of IDs. On what basis would you expect Google or anyone else to know what kind of users you want to allow?
Even if it's only geographic, there are times when people might be using proxies or using your site from a remote location.
The site you linked to also says as much:
Specifying Authorized Clients in the API Backend
You must specify which clients are allowed to access the API backend by means of a whitelist of client IDs. A client ID is generated by the Google API console from a client secret, such as the SHA1 fingerprint of a key used to secure an Android app, or from the Bundle ID/Apple Store ID pair for an iOS app, as described in Creating OAuth 2.0 Client IDs. At runtime, a client app is granted the authorization token it needs to send requests to the API backend if its client secret matches one contained in a client ID within the API backend's client ID whitelist.
Also, it's only common authentication (who it is); authorization (what they can do on your site) comes from you.

How to find recent payments in Paypal

I'm trying to add a payment option for an application to allow users to donate/pay for certain features. To do this, I want to have the application periodically check PayPal for recent payments, preferably using a PayPal API.
I've looked at the PayPal IPN, and that seems to require that you own a web-server which PayPal can send an HTTP request to. However, I'm trying to avoid linking the application with a web-server. The other PayPal APIs I have looked at (I'm only looking at official APIs), from what I can tell, don't serve the purpose I seek.
The user experience I'm seeking is that the user will give the application their PayPal email address, then donate/pay on the PayPal website to my account (or whoever's account). My application will then check PayPal for the past X donations, and reward the user accordingly if their email address is found on there and that payment has not yet been rewarded. The reason I want to do this is for security. I'll probably be publishing my work as open source, and I don't want someone modifying it and keeping the user's PayPal credentials.
So, a recap, which (if any) PayPal API would I use to check if there are any recent donations to a given account? Ideally, the user will donate/pay money on the PayPal website to an account, and the application will identify that transaction and reward the user appropriately. I intend to do this in Java, so I can use any Java APIs or web APIs that I can subsequently call with HTTP requests.
If I'm going about this the wrong way, or if it's impossible, let me know.
You can use the TransactionSearch API endpoint referenced here:
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_nvp_r_TransactionSearch
to find transactions in a certain date range.
If you need more information about one of the donors, you can use the transaction ID you get from the search request to query the TransactionDetails endpoint here:
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_nvp_r_GetTransactionDetails
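The TransactionSearch call the answer points to, worked through as an added example in Python (not code from the answer or from PayPal). It builds the NVP request, parses the NVP response format with its indexed L_FIELDn list entries, and applies the matching rule the question describes: reward only Completed payments from the claimed email that have not been rewarded before. The endpoint host, API version, and the sample response are assumptions based on the NVP documentation; the sample is constructed, not real API output. Since the search needs the payee's API credentials, this part belongs on a machine those credentials can be kept on, which is the very reason the question wants to keep them out of the open-source client.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlencode

# Assumed NVP endpoint for signature credentials and API version; calls are POSTed here.
NVP_ENDPOINT = "https://api-3t.paypal.com/nvp"
NVP_VERSION = "124.0"


def transaction_search_request(user: str, pwd: str, signature: str, start_date_utc: str) -> str:
    """Form-encoded body for METHOD=TransactionSearch covering transactions since
    start_date_utc (format YYYY-MM-DDTHH:MM:SSZ)."""
    return urlencode({
        "METHOD": "TransactionSearch", "VERSION": NVP_VERSION,
        "USER": user, "PWD": pwd, "SIGNATURE": signature,
        "STARTDATE": start_date_utc,
    })


def parse_nvp(body: str) -> dict:
    """NVP responses are URL-encoded key=value pairs; list results come back as L_<FIELD><n>."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


LIST_FIELDS = ("TRANSACTIONID", "EMAIL", "STATUS", "AMT", "CURRENCYCODE", "TIMESTAMP", "TYPE")


def transactions(nvp: dict) -> list:
    """Unroll the indexed L_*n fields into one dict per transaction, in response order."""
    rows, n = [], 0
    while f"L_TRANSACTIONID{n}" in nvp:
        rows.append({f.lower(): nvp.get(f"L_{f}{n}", "") for f in LIST_FIELDS})
        n += 1
    return rows


def unrewarded_donations(body: str, claimed_email: str, rewarded_ids: set,
                         min_amount: str, currency: str) -> list:
    """Transaction IDs that still earn the user a reward. A row counts only if the call succeeded,
    the payer email matches the one the user gave (case-insensitively), the payment is Completed
    (not Pending, Reversed or Refunded), it is in the expected currency and at least min_amount,
    and its ID has not been rewarded before. Record each returned ID before granting the reward."""
    nvp = parse_nvp(body)
    if not nvp.get("ACK", "").startswith("Success"):
        raise RuntimeError(f"TransactionSearch failed: {nvp.get('L_LONGMESSAGE0', nvp.get('ACK'))}")
    claimed = claimed_email.strip().lower()
    floor = Decimal(min_amount)
    found = []
    for row in transactions(nvp):
        if row["email"].lower() != claimed or row["status"] != "Completed":
            continue
        if row["currencycode"] != currency or row["transactionid"] in rewarded_ids:
            continue
        try:
            if Decimal(row["amt"]) < floor:
                continue
        except InvalidOperation:
            continue
        found.append(row["transactionid"])
    return found


# Constructed sample response (not real API output): three Completed rows and one Pending row.
SAMPLE_RESPONSE = urlencode({
    "TIMESTAMP": "2024-01-02T00:00:00Z", "ACK": "Success", "VERSION": NVP_VERSION, "BUILD": "0",
    "L_TIMESTAMP0": "2024-01-01T10:00:00Z", "L_TYPE0": "Payment", "L_EMAIL0": "donor@example.com",
    "L_TRANSACTIONID0": "CONSTRUCTED-TXN-0", "L_STATUS0": "Completed", "L_AMT0": "5.00", "L_CURRENCYCODE0": "USD",
    "L_TIMESTAMP1": "2024-01-01T11:00:00Z", "L_TYPE1": "Payment", "L_EMAIL1": "Donor@Example.com",
    "L_TRANSACTIONID1": "CONSTRUCTED-TXN-1", "L_STATUS1": "Completed", "L_AMT1": "0.50", "L_CURRENCYCODE1": "USD",
    "L_TIMESTAMP2": "2024-01-01T12:00:00Z", "L_TYPE2": "Payment", "L_EMAIL2": "donor@example.com",
    "L_TRANSACTIONID2": "CONSTRUCTED-TXN-2", "L_STATUS2": "Pending", "L_AMT2": "20.00", "L_CURRENCYCODE2": "USD",
    "L_TIMESTAMP3": "2024-01-01T13:00:00Z", "L_TYPE3": "Payment", "L_EMAIL3": "donor@example.com",
    "L_TRANSACTIONID3": "CONSTRUCTED-TXN-3", "L_STATUS3": "Completed", "L_AMT3": "10.00", "L_CURRENCYCODE3": "USD",
})

if __name__ == "__main__":
    already_rewarded = {"CONSTRUCTED-TXN-0"}
    print(unrewarded_donations(SAMPLE_RESPONSE, "DONOR@example.com", already_rewarded, "1.00", "USD"))
```

Keying the reward on the transaction ID rather than on the email alone is what stops one payment from being claimed twice, and the STARTDATE window keeps each poll small; the same parsing applies to the GetTransactionDetails response if you need the payer's details for a given ID.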
