Error 12600: Authorization Denied with Netbanx payment iframe - netbanx-api

TL;DR : I am getting a "12600: Authorisation Denied (12600)" error and can't find what that means in Netbanx/Paysafe's documentation.
Background:
I am using the Netbanx credit card services.
The request is built server-side to obtain a url, which is then embedded in an iframe on the application for clients to pay.
It works like a charm in test mode; the iframe displays Netbanx' form, the client enters their info, clicks "Pay", and the payment is authorized. So far so good.
Now, I've moved to live mode. Configurations (account numbers, API key and API secret) are all valid and used on other projects. The payment request is still correctly built, I obtain a url from Netbanx and it correctly displays the payment form. I enter valid credit card information, click pay, and then, boom: failure page, with error 12600: Authorization denied. I cannot find any info related to that error code. Has this occured to anyone? What does this code mean? Any details would be appreciated!
Thanks!

I believe the issue here relates to Paysafe test API credentials being used on the production environment. These credentials do not translate from test > production as a separate set would need to be used for security reasons.
If you believe that you are ready to go live, you can login to the BackOffice "https://login.test.netbanx.com/" and click the "Go Live" button to start the process!

Related

PayPal Assisted Account Creation invalid client_id or redirect_uri

I followed this doc to Set up Assisted paypal Accounts.
And create sample page with sandbox client id and merchant id as follows.
When clicked rendered button I get following error page. I checked popup url and found redirect
redirect_uri=https://www.sandbox.paypal.com/conex/ac/add-offer-recipient
But in my app settings I have setup different urls for rediection
In the prerequistics for AAC in that doc, it says "Contact your PayPal account manager to enable identity services."
If you don't have a PayPal account manager who's guiding you with this integration and enabling the necesary service for you, then you can't use this and should not be trying to follow this doc.
To me it worked after setting return URL as follows
https://www.sandbox.paypal.com/conex/ac/add-offer-recipient

Actions on Google - Account Linking process hits Token URL before Authorize URL?

We are trying to support the 'traditional' Account Linking flow as it seems the most general purpose, gives us a chance to surface T&C's, and we thought would be most bedded in.
But testing in the Assistant mobile app for starters, it fails for most users in our Actions app in Dev - After the user sees the Google-driven pop-up in the Assistant app with the "LINK ACCOUNTS" option - They tap that option, and our authorization screen does not appear.
Actions support have had a look at our Account Linking config and can't see any problems.
A couple of test users with newer Android phones DO see our Authorization screen, but the majority do not.
If we test the Authorization URL by pasting into a browser on the same device - It always displays just fine.
What is strange - If we look in our web server logs during the failed cases, the only hits we are seeing are to our 'TOKEN URL', whereas my understanding is a newly linking user should hit our 'Authorization URL' before ever hitting Token.
The successful cases DO hit our Authorization URL first, as expected.
Feel free to pipe up if anyone can answer ANY of the following:
Any ideas what could be causing problems here?
Or ways we might investigate deeper?
Does an app need to be in Alpha testing, or anything like that before Account Linking works?
Is it normal/expected to hit the Token URL for a user that has never successfully linked accounts?
Can anyone confirm what the Token fetch response should be in that case? (Maybe we are not responding in a way that satisfies the other end)
Does anyone have a dummy/HelloWorld Account Linking web end-point we could test against? (Geeze that would be handy for the developer community!)
I don't know exactly what is going on, but there are a couple of hints about what is happening and what avenue to investigate. I'm going to assume you're doing Account Linking with OAuth only. If you are doing a combination of "Google Sign In for Assistant and OAuth", that might change some things. To address some of your questions:
What could cause the Assistant to go to the Token Endpoint instead of the Auth endpoint?
It wouldn't go to the Token Endpoint unless it already had a Token. I could think of a few possible scenarios:
If it was going to Auth, getting a token since it was already authorized, so no window would pop up. (But you indicated it isn't going to that page.)
If the account in question is already authorized to the project via some other means. You can check https://myaccount.google.com/permissions to see if it is already authorized.
If you had tested it with this account previously and it has a token from then. If so, it should be listed at https://myaccount.google.com/permissions. Probably.
If you're not using the account you think you're using on the device in question.
How to investigate this?
Once you double-check some of the more obvious things (using the right account?):
Look at what is being sent to the Token endpoint
Does the token look familiar? Is it the same between calls? Same between different accounts?
Do you log tokens being issued? Can you?
What about the other information sent along with the token such as the client_id and client_secret?
Does it need to be in Alpha?
I'm not sure. Last I checked, it did not. I do think that it no longer works in the simulator, which is annoying, but doesn't require being in Alpha.
It does make it a little more difficult to check, however, since there is no Directory page that can tell you if the account is already linked. You'll need to go to the list of linked apps for the account to remove your app if it is: https://myaccount.google.com/permissions
Is this normal?
I wouldn't think so. It shouldn't hit the Token Endpoint unless it has an auth code or refresh token to exchange. It has to have that code/token from somewhere.
How should you respond?
If you get an auth code or refresh token that is invalid, or any of the other information provided at the token endpoint doesn't match what it should, you must return HTTP error code 400 "Bad Request" and include as the body the JSON
{"error": "invalid_grant"}
This should force it to go through reauth with the user.
Is there a public test server?
Auth0 isn't exactly public, but is free for basic use, and well suited for test purposes.

Unexpected Authorization Request in Workflow C2QB WF3.0

We have a multi-tenanted/multi-domain app and we're looking at publishing on IPP. Because of the multi-domain nature our configured endpoints in the App setup are generic and users are then redirected to their specific account once their identity is established.
The issue is with C2QB WF3.0.
The test steps are:
go here: https://appcenter.intuit.com/Home/MyApps/
on the "Launch My Apps" tab, click the app
Expected Result:
the Sign In screen for the app is displayed
The requirement is:
if not still signed into the app, sign in screen is displayed
if still signed into the app, take user into the app
The issue is that the even if the user is currently logged into our application, it still requests authorization as per this message:
"domain" is requesting some information from your Intuit account
By approving this request "domain" will be able to access your:
Name
Email Address
The workflow that it is actually following is to perform a callback to our connect url. The normal way to determine which account the callback is coming from is via the realmId, but this is not received from Intuit and therefore it needs to be requested. Once a user has completed this authorization, it will not ask again. It should be noted that we're not actually requesting a name or an email address as the screen suggests.
We've been informed by Intuit that it should not request authorization and it is not part of the workflow.
We're wondering if anyone else has encountered this problem and if there is a workaround for it.
We discussed with the Engineering teams and they confirmed what Pete has mentioned above. This is not a bug and please follow the steps as Pete has mentioned.
If you want to replicate the 'access your app with appcenter flow', you have be either logged in QBO online company file in same browser session or navigate to the app via blue dot menu from your application or run your application from localhost(.net) and then go to Appcenter and login there on same tab and then click on your app.
Since your desktop application is running, your code will be hit.
You will then get the second Auth screen only for authorizing your company file. After authorization your realm will be set in a cookie and in the code you can see its value. You can replicate this behavior via firebug and see the qbn.parentid cookie value has the realm after authorization is done.

PayPal OpenId Connect with MVC

Has anyone had luck getting Login With PayPal to work with MVC4? I've tried creating an extension of OAuth2Client, as well as a separate extension of OpenIdClient. Both had the same problem, which was also the problem that occurs directly from a browser.
I copy/paste the endpoint URL (with querystring) into the browser, but it always goes directly to the callback URL without displaying any PayPal-hosted login form. I can verify that the endpoint is correct by removing or altering the redirect_uri (which results in a PayPal error page.)
I am logged out of PayPal through the browser before attempting the tests, and I've tested with Chrome and IE9.
Any ideas? Thank you!
Apparently, PayPal OpenId Connect does not support the "openid" scope. This was verified for my application by using the Login With PayPal button creator and seeing "invalid scope" appended to the redirect's querystring.
The solution (remove "openid" from the scope) presents its own conundrum. According to the spec for OpenId, this scope is REQUIRED. According to the documentation for PayPal, this scope should be sent at a minimum. This looks like a problem that will be fixed, but if fixed, will the attribute be required and therefore break my application? Or will they opt to make the attribute optional.

configuring paypal gateway fields in spree

I am trying to add the paypal gateway to spree, but am a bit confused what the different fields mean: server, login, password, signature. are login/password supposed to be those that i use to login to paypal? what about server and signature?
Found some info here:
http://guides.spreecommerce.com/payment_gateways.html
server can either be "test" or "live". Not sure why they have this here (as well as a tickbox) but thats the rule anyway!
The signature you get from paypal, as an API signature. If your using developer.paypal.com its pretty easy to get one. After logging in just click "API Credentials" on the left.