I develop payout system which is based on PayPal's payouts.
To make a call to PayPal API it is neccessary to get OAuth token as described in
https://developer.paypal.com/docs/integration/direct/make-your-first-call/
I found that repeatedly calls to get OAuth token don't refresh it (the token gets the same, expiration time decreases).
Is there any way to force OAuth token refresh?
Depending on your payment system, the short-lived access token can be used immediately for a payment or an authorization/capture. The refresh token is long-lived (currently 10 years), and must be stored securely.
For any future payment or authorization/capture, since the access token will have expired, use the refresh token to get a new access token for use calling the Payment API. For more info check the Exchange the auth code for refresh and access tokens https://developer.paypal.com/docs/integration/mobile/make-future-payment/
Related
Is it possible to add or link PayPal to an account (get from paypal user access token or something like this ) to allow payments without authorization ( without log in and confirmation like with card if we have card number and cvc ) ?
And second question, I am using paypal sandbox and I cannot refresh the token when trying to execute the query
I get this answer
{
"error": "invalid_refresh_token",
"error_description": "No consent were granted"
}
Its possible they disabled this options on sandbox ?
Regards
Credit card company rules do not permit a cvc to be stored under any circumstances, so you would never "have" this information. It can only be transmitted when a card is first processed and then must be immediately discarded. As for storing card numbers themselves, there are many rules about that (PCI SAQ-D is a place to start, if you need to research it)
To your PayPal question, to be able to bill a PayPal account without the payer signing in (though they will always have to sign in for initial agreement/set up), the receiving PayPal account must have a feature called "reference transactions". The account owner can contact PayPal's general business support (not technical support) to explain the business need and inquire about being approved for enabling this feature. Once enabled, PayPal can guide you on which API to implement -- be it the older billing agreements API or a newer v2 or v3 vault one.
Refresh tokens are used by a Log in with PayPal integration to obtain a new access token when the old one (originally obtained from an authorization_code) is expired. If you are not integrating Log in with PayPal, refresh tokens are not applicable to what you are actually trying to do, and so the request in your screenshot won't be useful to you.
Refresh tokens are not used to obtain a regular REST API access token for authentication, which uses grant_type=client_credentials . If that's what you're actually trying to do, the documentation is here. The public PayPal Postman API collection sample takes care of this step for you, in the collection-level pre-execution script.
Currently my flow is
User clicks PayPal Button
User gets redirected to PayPal approval URL
User gets redirected back to my website with a Token
I make a call to my server with the returned Token to execute the payment.
Now if user tries to refresh the page, token is passed again to my backend and subscription is processed again with same token.
Is there anyway to avoid this? Is the flow correct?
2 questions for you regarding Paypal Hosted Checkout solution and the goal of the "Identity Token" or "Token ID".
1-
I've come accross several online Paypal docs (such as for Payflow integration) that talk about providing the "Identity Token" (or "Token ID", I think they're the same do they?), but I was wondering what's the goal of passing over this token ID, is it for my own security, or Paypal's one, or something else? Does anybody know exactly what's the purpose of that token ID, what Paypal is doing with it, and/or what the vendor shall be doing with it?
Asking this because when doing the form post to redirect the user to the Paypal hosted checkout, we have to first call the paypal gateway server to obtain the "secure token" and this API call is already secured through another method right, I need to pass my account credentials. So why posting only the "secure token" is not enough and we also need to post that "token ID"? Paypal should already have associated the secure token with my account information through the first API call no?
2-
Also, at the end of the flow, once Paypal returns the customer to my vendor website, does Paypal include any of those tokens (token ID or secure token) as part of their request (perhaps by adding url parameters to my given vendor return url)? If so, does Paypal recommands any sort of validation to be made on the vendor side, such as validating that the tokens match the ones that I, the vendor, stored in the user session prior to redirecting the customer through a form post to the Paypal hosted checkout? Basically, how can I ensure that the session was not hijacked between the time I redirect the customer to Paypal hosted checkout and the time Paypal returns the customer back to my site?
Reference: https://developer.paypal.com/docs/classic/payflow/integration-guide/#hosted-checkout-pages
Thanks a lot
As the previous user states, the Token id is used basically to identify an specific transaction process during it's workflow.
About your second question, in case of Express Checkout, the workflow does not ends when PayPal returns the user to your site. This step you are describing is probably when you send the user to PayPal to AUTHORIZE a payment that you will issue later. The last step is the DoExpressCheckoutPayment, in which you just inform paypal to make the transaction, for this you just pass to PayPal the token, so PayPal knows what you are "talking" about.
Is it good practice to validate the token, I would say yes. Somebody might be listening at your connection and injecting some invalid token. In any case, if you send an invalid token you will get an error message from paypal.
the following image illustrates very good the whole process:
As I understand it (and if reading this correctly), the Secure Token is for processing transactions on your own site instead of passing the user and order to paypal for processing. The Secure Token identifies that specific transaction and ensures the continuity of the order is not broken. You require a Token ID in order to obtain a Secure Token.
I'm in the process of integrating PayPal into my mobile application, using PayPal's Mobile SDK v2.0.
Is it possible to have the end-user approve an immediate payment and pre-approve possible future payments together?
Here's the flow I am thinking about:
User logs in.
User wishes to make a payment using PayPal and checks a box for the application to not ask the user to re-enter PayPal credentials for future purchases.
User is taken to the PayPal native view and enters credentials.
User confirms the payment (and pre-approval of future payments) on the same view.
User comes back some time in the future and attempts to pay using PayPal again.
The application does not show the user the PayPal native view any-more.
Sure this is possible. Basically the idea with future payments is to have your app securely store a token and refresh token once a user has given their consent. So if a user has given consent in the past, when they come to the payment screen you would already have the tokens stored and not need them to log in. When they click pay you would simply use the refresh token to get a new token on your back end server and use the new token to pay without any user interaction.
If you don't have previously stored tokens for the user who wants to pay, you would then show them the PayPal view to log in and give consent, get the authorization code and then use that to get the token and refresh token. You then use the token you just got to pay immediately and store the two tokens for later use.
I'm using the express checkout API through the ActiveMerchant gem in a Ruby on Rails app. The whole authorize and capture flow works just fine when is done within 3 hours. But after that my token expires and I lose the transaction. Even if the authorize and capture documentation says that the authorization is valid for 3 days (at least according to https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/howto_admin_authcapture).
So, how can I capture the transaction after the token has expired?
You shouldn't have to be passing your token. You should be following the flow below.
Make your SetExpressCheckout API call and set payment action to authorization (A)
Get token back
Redirect buyer over to PayPal with to token to login and agree to payment
Buyer gets redirected back to your site with token and payer id returned
You can then execute your GetExpressCheckoutDetails API call using the token.(this step is optional)
Then you perform the DoExpressCheckoutPayment API where you pass over the token and set the payment action to authorization (A)
Then then completes the Express Checkout authorization.
Now you would go back a day or two later and perform your DoCapture API where you send over the transaction id that was returned from your DoExpressCheckoutPayment API earlier. You don't send over the token again here. Once you complete the DoCapture, the funds should then show in your account.