Looking at the way " PayPal uses OAuth 2" (https://developer.paypal.com/webapps/developer/docs/integration/direct/paypal-oauth2/), I don't see how using basic user name and password server integration can ever give me the ability to collect on behalf of over PayPal users.
Basically I want to be able to have a user with a PayPal account go through an access flow (ex. OAuth) which then gives me the ability to post payments to their accounts from customers.
This is what Stripe Connect does in a very easy straightforward way, does PayPal offer this in their REST API or in another developer API? Thanks!
I think Login with PayPal or Pay / Preapproval (or a combination of both) might be what you're after.
Related
Good day to all. I'm currently integrating PayPal payment gateway (BackEnd) in one of my projects. This is my first time working in a payment gateway. I want to integrate 3D Secure authentication using Orders API of paypal. Can anyone enlighten me on the flow of using the API for integrating Paypal using 3D Secure authentication?
For example:
I have tested using POSTMAN the normal flow without the 3D Secure authentication. And the flow is like below.
I get the amount and currency from the Front-End.
I create the Access token using clientID and secret which I receive from the company DB.
Then I create an order using https://api.sandbox.paypal.com/v2/checkout/orders API.
I get checkOut link from the response like https://www.paypal.com/checkoutnow?token=5O190127TN364715T
I redirect the user to this link which redirects the user to the Paypal page to make the payment. After completing the payment I redirect the user to the success/failure URL which also consists token and payer ID.
Then I use https://api-m.paypal.com/v2/checkout/orders/<token/orderID>/capture to complete the payment.
Now I want to add the 3D Secure authentication to it. From the documentation of integrating 3D Secure, I found that I need to add the payment source inside it and add SCA_ALWAYS as the verification attribute in the Card object. But how can I get the payment source to provide in the body as a request? (FYI I'm not supposed to use any libraries from PayPal as a company policy)
When redirecting to a PayPal checkout page such as https://www.paypal.com/checkoutnow?token=5O190127TN364715T in your example (or for a better UX, never redirecting away and instead using an in-context popup that keeps your site loaded), there is no need to implement 3D Secure. PayPal will present any 3D secure flow if needed, which will depend on the buyer account and its country and the credit card used, and might only happen the first time the card is used.
Implementing 3D secure only applies to direct card integrations such as Advanced Credit and Debit Cards (with or without hosted fields), or the Braintree Gateway.
I'm trying to create an application using Java with PayPal.
Scenario: There is a webshop, a buyer and my application. I want to create the application such that the buyer and the webshop firstly give the app permissions to pay and receive money respectively. Then in the future when the buyer buys something from the webshop, my application has all the information needed to execute this action without involvement of the buyer or webshop.
Now there are two things that are not clear (and I can't find it in the PayPal documentation):
Using the Permissions API you must select the GroupIDs to get permissions for the different API sets. I don't know which one to select for the buyer or for the webshop.
Then, using the authorization header, you can perform the API call. In the case of the buyer, I want to perform a PayPal payment (NOT using a credit card). How do I do this? Which API call do I need to call? (something in Adaptive Payments maybe?)
Thanks in advance.
Classic API has a third party authorization system you can use.
When you give permission to a third party, you grant access to specific information that is account-related or transaction-related and may also be authorizing the third party to take certain actions on your behalf. These services allow the third party to make different kinds of payments, refund payments, search for transaction data, and more. You should be very selective about the type of access you grant to specific third parties.
Once you have obtained authorization, you can then run calls for their PayPal account on their behalf. The catch there is that you can only do what they have authorization for. So if, for instance, you want to run cards on their behalf, they would have to subscribe to payments Pro.
I'm finding a lot of problems trying to develop a google app to place in the market, with OpenID and accesing some google apis like G+ from the backserver on GAE
I have applications running using google apis to acces G+ data, with 3 legged oAuth (code flow) without problems and i understand the "magic" behind the scenes, but i'm getting lost with OpenID and google market. Do i need to do the 3legged oAuth after the user pass the OpenID google filter, and send the user to acept the G+ permission API to use that token to access google apis? If this is the case, what happen if the user access the application from his company gmail account, and when prompted to accept the g+ access, he change accounts? Is there any good reading that make things easier with google apps, openID and access google apis from GAE?
Why I can't specify the scope of G+ when sending my application to the market, in the app conf files?
In this scenario, what is the best way of getting the user g+ profile (picture, fullname, nickname? What i'm missing? google documentation is really good, when you find the correct one ,but a lot of links are dead and millions of examples with deprecated gdata apis are flooding the net...
Ok, after further reading and testing i came up with this points:
Google Marketplace just alow you to access this apis without extra "oAuth dances"
If you want to access more APIs than the listed above, you need the oAuth exchange to get specific token/s for the APIs you want to access.
In my case, i want to access G+ API before the openID from market, so after logging the user with openID, i need to redirect him to google api oAuth accept screen (just for the first time)
More things about the market that take me long time to catch:
- Billing API and license API are deprecated, this mean you are responsible for billing your users and keep them tracked to know if a given user has paid the application or when the license has expired
- You need to map /_ah/login_required becouse your application should be setted (when you create it) to only accept federated logins, wich will lead to a redirection to /_ah/login_required from where you need to do the openID stuff.
A lot of links in the documentation are broken and the examples are too old :(
It's actually a little simpler now with the new Google Apps Marketplace experience. If you follow the steps in the docs and make sure you ask for the same scopes in your App Engine code, the user should never be prompted.
I'm trying to add a payment option for an application to allow users to donate/pay for certain features. To do this, I want to have the application periodically check PayPal for recent payments, preferably using a PayPal API.
I've looked at the PayPal IPN, and that seems to require that you own a web-server which PayPal can send an HTTP request to. However, I'm trying to avoid linking the application with a web-server. The other PayPal APIs I have looked at (I'm only looking at official APIs), from what I can tell, don't serve the purpose I seek.
The user experience I'm seeking is that the user will give the application their PayPal email address, donate/pay on the Paypal website to my account (or whoever's account). My application will then check PayPal for the past X donations, and reward the user accordingly if their email address is found on there and that payment has not yet been rewarded. The reason I want to do this is for security. I'll probably be publishing my work as open source, and I don't want someone modifying it and keeping the user's PayPal credentials.
So, a recap, which (if any) PayPal API would I use to check if there are any recent donations to a given account? Ideally, the user will donate/pay money on the PayPal website to an account, and the application will identify that transaction and reward the user appropriately. I intend to do this in Java, so I can use any Java APIs or web APIs that I can subsequently call with HTTP requests.
If I'm going about this the wrong way, or if it's impossible, let me know.
You can use the TransactionSearch API endpoint referenced here:
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_nvp_r_TransactionSearch
to find transactions in a certain date range.
If you need more information about one of the donors, you can use the transactionID you get from the search request to query the TransactionDetails end point here:
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_nvp_r_GetTransactionDetails
This is related to OpenId authentication.
I have implemented the google and yahoo openId auth with java in struts2
but it is achieved through page redirection to openId provider auth page and then back to my own success web-page.
But what i wanted was same as facebook auth. were in json object is passed from fb and fb authentication is done in a pop-up. so that redirection can be avoided.
Plz help me out.
I have somewhat implemented which is mentioned in this post part1-part4: http://javadeveloperjournal.blogspot.in/2011/08/integrating-openid-into-my-struts-2-app.html
First, i will not suggest to use OpenID for Facebook and Facebook do not provides its own implementation for the OpenID but rely on certain third party implimentations.
Best way to go with OAuth which is quite similar to what OpenID is with only differences in the level of security and authentication.
While Constructing a URL to the OAuth Dialog, you can specify a parameter namely display indicating if you want a page redirect or pop-up, by default the value of this parameter is set to page
Please go through Facebook documentation for implementing OAuth
oauth using Facebook
That redirection is an mandatory part of the OpenID specification. Anyhow to authenticate users in that manner, whoever the OpenID Provider should support it. But facebook does't as far as I know. Use Oauth, facebook supports it and it is an open standard, so it is always better to go with open standards.
Well as the other answers have indicated, that passing you to the OpenID provider to login is part of the specification. Also in agreement with Umesh above, Facebook provides Facebook Connect, which isn't OpenId, but allows you to authenticate users using this method.
See: Is Facebook an OpenID provider?
What I do want to add however is clarification that you don't just run off and create an OAuth based authentication system because OpenID isn't what you want to use. OAuth provides you with more than just login authentication, there's more power in there - which strangely users are unaware of. OpenId passes along your credentials and OAuth passes along access to your data. So with OpenId the website can authenticate me, with OAuth the website can authenticate me and possibly have access to all my email or my documents in Google Drive. The good thing is that you the user has to explicitly allow this access.
But erring on the side of privacy you'd want to build a compelling case for an application that needs the power of OAuth. Like the picture in the article below, one's the different between asking for a notarized letter to prove your identity, and asking for a valet key to prove your identity.
A valet is OAuth, I need them to take my car and park it in the parking lot, so I give them a valet key. It can't open the glove compartment or the trunk, but they can open the driver's side door and start the ignition - which is all I need them to do, and no more. However I don't give the cashier at the grocery my valet key when I'm paying with a personal check, she just needs to see a photo ID, any gov't issued ID will work. Technically my valet key which will allow her to open my car and read my VIN and possibly authenticate it against a DMV database should also work, but that's probably overkill.
There are good uses for OpenId, OAuth and Federated logins, but as developers we need to understand when and where we should use each of them.
http://en.wikipedia.org/wiki/OAuth#OpenID_vs._pseudo-authentication_using_OAuth