PayPal REST API凭据属于另一家企业或方。

huangapple go评论75阅读模式
英文:

PayPal REST API credentials of another business or party

问题

  1. 要访问Paypal的REST API并代表其他商家发出请求,商家是否需要通过OAuth流程进行授权?
  2. 商家是否需要创建一个应用程序来获取他们的client_idclient_secret
  3. 如果没有刷新令牌,我如何刷新令牌?我是否应该保存商家的client_idclient_secret

这里的帖子说OAuth流程已经解决,但我似乎不明白它是如何解决的。

英文:

So I have a platform where my customers who are e-commerce companies can log in and connect to their PayPal account. Once they have connected and authorised I can pull their payout data and transactions and apply some business logic to it.

What I struggle to figure out is how to trigger the OAuth flow that takes the user to the PayPal authorization page and then redirects the user back to my page. From the docs it seems like you should provide client_id and client_secret, but this won't trigger an OAuth flow, it just returns a token, have I misunderstood something? should the user not go through an OAuth flow?

How will my users get their client_id and client_secret? Will THEY have to create an app in the PayPal developer portal to get the client_id and client_secret? This seems very unintuitive.

Furthermore there is an expiration time on the token returned, but no refresh_token that I can use. Is the idea that I should save a customers client_id and client_secret

So to summarize my questions:

  1. To gain access to the Paypal REST APIs and make requests on the behalf of other merchants, should the merchant go through an OAuth flow?
  2. Does the merchant have to create an app to obtain their client_id and client_secret?
  3. How to I refresh the token if there is not fresh token? Do I store the merchants client_id and client_secret?

The post here says that the OAuth flow has been solved but I seem to understand how it has.

答案1

得分: 1

> 我难以理解的是如何触发OAuth流程,将用户带到PayPal授权页面,然后将用户重定向回我的页面。从文档中看,似乎您应该提供client_id和client_secret,但这不会触发OAuth流程,它只会返回一个令牌,我是否误解了什么?

OAuth用于两个不同的目的。您所说的是使用PayPal登录集成,而OAuth还用于使用client-id和secret获取access_token。后者对于所有基本的REST API使用都是必需的,因此您将会执行这个操作。要获取用户许可的PayPal登录集成是可选的(并且需要批准以在实际环境中使用)。


总的来说,有三种方法可以实现您想要的目标:

  • 第一方集成:让他们从登录到他们的仪表板获取client-id和secret,并创建一个新的实时REST应用程序。存储并使用这些信息以获取access_token,如果需要,可以将其缓存并在最多9小时内重复使用。根据需要获取新的access_token。

  • 使用您的第三方凭据和他们的商户ID:与其使用他们的client-id和secret,可以使用您的凭据和他们的商户ID,在JS SDK查询字符串中和API调用中都要使用(必须在两者中都使用并匹配)。他们可以从他们的PayPal商业帐户设置中获取他们的商户ID,或者如果您集成了“使用PayPal登录”(如上所述,需要批准在实际环境中使用),可以使用也可以不使用合作伙伴推荐API来获取许可权限(也需要批准在实际环境中使用)。如果您最终需要使用v2/payments/API执行退款或作废等操作,那么需要传递一个PayPal-Auth-Assertion标头,其值为JWT令牌格式;对于订单创建,只需使用创建订单购买单元中的payee.merchant_id7

  • 没有帐户信息或权限的第三方:将payee.email_address设置为他们的业务帐户电子邮件地址;这在允许的操作方面更有限(例如,您无法退款,也无法执行像intent: 'AUTHORIZE'和随后的capture/void之类的高级操作)。如果他们在PayPal中更改或不确认该帐户的电子邮件地址,则集成也可能会受到破坏。

英文:

> What I struggle to figure out is how to trigger the OAuth flow that takes the user to the PayPal authorization page and then redirects the user back to my page. From the docs it seems like you should provide client_id and client_secret, but this won't trigger an OAuth flow, it just returns a token, have I misunderstood something?

OAuth is used for a couple distinct things. What you are talking about is a Login with PayPal integration, whereas OAuth is also used to obtain an access_token using a client-id and secret. The latter is required for all basic REST API usage so you'll be doing that. The Log in with PayPal integration to get permission granted from a user is optional (and requires approval for use in live)


Overall for what you want to accomplish there are three approaches:

  • First party integration: Have them obtain a client-id and secret from logging into their dashboard and creating a new live REST app. Store and use these to obtain an access_token, which if desired can be cached and reused for up to 9 hours. Obtain a new access_token as needed.

  • With your third party credentials and their merchant-id: Instead of using their client-id and secret, use yours and their merchant-id in both the JS SDK query string and in API calls (must be in both and match). They can obtain their merchant-id from their PayPal Business account settings, or if you integrate 'Login with PayPal' (as mentioned requires approval to use in live), with or without also using the partner referrals API to for them to give permissions (also requires approval to use in live). If you even end up needing to use the v2/payments/API for things like refunds or voids those require passing a PayPal-Auth-Assertion header with a value in JWT token format; for order creation it's just a payee.merchant_id value in the create order purchase_units.

  • Third-party with no account info nor permissions: Set payee.email_address to their business account email address; this is more limited in what it allows (for example you can't refund, or do more advanced things like intent:'AUTHORIZE' and later capture/void). The integration is also subject to breaking if they change or don't confirm that account's email address in PayPal.

huangapple
  • 本文由 发表于 2023年6月30日 00:43:00
  • 转载请务必保留本文链接:https://go.coder-hub.com/76583042.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定