PayPal integration - issue in redirecting - model-view-controller

I am trying to integrate PayPal in my application (MVC4 C#)
Any link/ guidance in integrating it (step by step explanation) will be really helpful.
Issue is
Even though my action link is "https://www.sandbox.paypal.com/cgi-bin/webscr"
it redirects to
"www.sandbox.paypal/home"

If you don't append this ?cmd=_express-checkout&token= with the token then you will be redirected to the home page and not the PayPal Checkout page. The token is gotten from a successful setExpressCheckout request.
The payflow for ExpressCheckout is:
1. SetExpressCheckout request
2. Redirect to PayPal for user authorisation
3. Return to your site
4. GetExpressCheckoutDetails request
5. doExpressCheckoutPayment request
Here's a little diagram of the payflow for it:
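
The first three steps of that payflow, as an added example that is not part of the original answer: it reads the token out of a SetExpressCheckout NVP response, builds the redirect with cmd and token appended, and on return accepts only the token this session started. The function names, the sample response and the example.test return URL are constructed for illustration.

```python
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

WEBSCR = "https://www.sandbox.paypal.com/cgi-bin/webscr"  # URL from the question

def checkout_redirect_url(nvp_response):
    """Turn a SetExpressCheckout NVP response body into (redirect_url, token)."""
    fields = {k: v[0] for k, v in parse_qs(nvp_response).items()}
    if fields.get("ACK") not in ("Success", "SuccessWithWarning"):
        raise ValueError(f"SetExpressCheckout failed: ACK={fields.get('ACK')}")
    token = fields.get("TOKEN")
    if not token:
        raise ValueError("response carries no TOKEN")
    # Without cmd and token the buyer lands on the home page, as in the question.
    query = urlencode({"cmd": "_express-checkout", "token": token})
    return f"{WEBSCR}?{query}", token

def token_from_return(return_url, session_token):
    """On return to your site, accept only the token stored for this session."""
    returned = parse_qs(urlparse(return_url).query).get("token", [""])[0]
    if not hmac.compare_digest(returned.encode(), session_token.encode()):
        raise ValueError("returned token does not match this session")
    return returned  # safe to pass to GetExpressCheckoutDetails

if __name__ == "__main__":
    # Constructed sample response; a real one comes from the NVP endpoint.
    sample = "TOKEN=EC%2d1AB23456CD789012E&ACK=Success"
    url, token = checkout_redirect_url(sample)
    print(url)
    back = f"https://shop.example.test/return?token={token}&PayerID=CONSTRUCTED"
    print(token_from_return(back, token))
```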

Related

asp.net core 3.1 Identity - redirecting to login after SignInAsync() when referrer is Stripe

We have an issue with an asp.net core 3.1 MVC application. The application is using the built-in asp.net Identity feature. The application is working well for existing users. If you hit any [Authorized] route, you are redirected to the login page as expected.
However, rather than have a registration process in our app, for new users, we onboard them via Stripe Checkout. Upon successful payment, stripe redirects to a specific route in our application /conversion/success/{sessionid} where sessionid is the Stripe session. This action is marked as [AllowAnonymous].
We then pull the necessary customer details from Stripe, create a user in our repository via UserManager<T>. We then call SignInManager<T>.SignInAsync() to sign in the new user, before redirecting the new user to the [Authorized] home page.
This process works perfectly when running locally on our test machines. Also, when running on our production server (Azure App Service) it also works perfectly when we hit the route manually through the browser.
However, when we actually run the process through Stripe, complete a payment and let Stripe redirect the customer, we get a strange behaviour.
The conversion route is hit, the user record is created, the sign in process completes but upon redirection to home page, the authentication middleware takes over, says it's not authenticated and redirects to the login page.
Just to compound matters further, if you then simply type in the home page route in the browser, the user is in fact logged in exactly as expected and the application works perfectly.
Using Fiddler to intercept the calls and look at headers, etc. we can't see why there would be a different behaviour when coming from Stripe as opposed to typing directly. We've even tried redirecting from a different website to our registration process and that works as expected too.
Any idea why we are seeing this behaviour?
---- Update ---
If, rather than redirect to home page at the end of the onboarding process, we simply show a simple View with an anchor link to home page, the user can then go to home page as expected.
Is it possible that you're rendering the page before authentication has been completed? Since UserManager uses a cookie to establish the user's session, authentication needs to complete before any response headers or body is set so that the Set-Cookie header can be sent in the response.
Based on what you described it sounds like the user is hitting the homepage after the redirect without having the authentication cookie. Where I'd start debugging this is by using your web inspector with "Preserve log" turned on and going through the Stripe Checkout process. Then, inspect the headers sent to the browser when you land on the redirect page & make sure the authentication cookie is set.
Between requests to Stripe and SignInAsync it seems possible that there might be a missing await, so the redirect is happening before the authentication context is updated. Hard to say more without seeing your code!

Why Slack doesn't redirect me to predefined redirect URL if I install the bot in my workspace?

I want to implement the OAuth2 flow in my Slack app, but it's impossible to test properly.
I have added /slack/redirect-url as a redirect URL on my App management page. Then I try to install/reinstall the app on the following page:
Unfortunately, it doesn't work, my endpoint isn't called.
However, if I go to the "Distribution" section and try to install the app from there it does call my redirect URL:
So, what's the issue? Why doesn't the first approach call my redirect URL, when the second one does? Am I missing something fundamental?
The "Reinstall App" button will handle the entire exchange of verifying and granting the OAuth token within Slack, so there is no need for the redirect.
The redirect URL is intended for users who are authenticating with your service, and thus you need to store the token.
1. User clicks the install button
2. User authorizes through Slack UI
3. Slack redirects to your desired URL
4. You grab the code included in the redirect call
5. You exchange the code for the OAuth token
6. You store the OAuth token
When you use the "Reinstall App" button in your app management view, steps 3-6 are handled entirely by Slack and the token is displayed to you.
To properly test the redirect URL, you can go through the OAuth flow manually. Given that they're simply GET requests, you can just modify the links and paste directly into your browser.
Step 1: Authorize the app – this will send you to Slack for authorization, and then your redirect
https://slack.com/oauth/authorize?client_id=CLIENT_ID&scope=SCOPES&redirect_uri=REDIRECT_URI
Step 2: Exchange the verification code for OAuth token
https://slack.com/api/oauth.access?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&redirect_uri=REDIRECT_URI&code=CODE
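
The redirect handler's side of this flow, as an added example that is not part of the original answer. It goes one step beyond the two URLs above: it adds the OAuth state parameter so the callback can be tied to the session that started it, and it sends the client secret in a POST body so it stays out of URLs, browser history and access logs. The function names and the example.test redirect URL are constructed.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request

AUTHORIZE_URL = "https://slack.com/oauth/authorize"  # endpoints from the answer
TOKEN_URL = "https://slack.com/api/oauth.access"

def build_authorize_url(client_id, scopes, redirect_uri):
    """Return (url, state); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)
    query = urlencode({"client_id": client_id, "scope": ",".join(scopes),
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state

def parse_callback(callback_url, expected_state):
    """Validate the redirect Slack sent to redirect_uri and return the code."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization denied: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not from our flow")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no code")
    return code

def build_token_request(client_id, client_secret, redirect_uri, code):
    """Build (not send) the code-for-token exchange as a form-encoded POST."""
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "redirect_uri": redirect_uri, "code": code}).encode()
    return Request(TOKEN_URL, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

if __name__ == "__main__":
    redirect = "https://example.test/slack/redirect-url"  # constructed
    url, state = build_authorize_url("CLIENT_ID", ["commands"], redirect)
    callback = f"{redirect}?code=CONSTRUCTED_CODE&state={state}"  # constructed
    req = build_token_request("CLIENT_ID", "CLIENT_SECRET", redirect,
                              parse_callback(callback, state))
    print(req.get_method(), req.full_url)
```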

spring oauth redirect back to original url after getting the access token

I have a web app with spring boot backend providing REST APIs and Angular.js front end as a single-page-application.
I'm new to the spring oauth setup so I'm not sure whether I'm doing it the right way.
I have my spring boot app configured as both the resource server as well as the oauth authentication server. Whenever the front end makes an api request that fails with a 401 response, I instructed the web developer to make a POST call to /oauth/token endpoint to get a user token. The request is sort of like this:
POST /oauth/token HTTP/1.1
Host: localhost:8080
Authorization: Basic Z3J1Ym1hcmtldDp0dWFuZ291
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=john.doe%40example.com&password=password
And the front end will get a user token and is able to send API requests to protected api end points.
Now imagine a use case where an anonymous user adds a bunch of stuff to his/her shopping cart and hits the check out button, which makes an API request to the backend that fails with 401. So the user is redirected to the form login our front end person wrote. When the user enters his/her username/password, the UI code makes a POST request to /oauth/token and gets a user token back.
Now the problem is that the user's shopping cart is lost as user has been redirected away. We are thinking of having a redirect_url and encode the shopping cart items into the redirect url and redirect to that url after user logs in successfully.
Question is, how do I do that? It doesn't look like the POST request to /oauth/token would take a redirect_url param and send back a 302 response to that url. Is it solely the front end developer's responsibility to store the shopping cart and proceed when login finishes?
The password flow of the oauth2 spec is definitely not suited for this use case and doesn't support redirect uri. Flows that support redirects are the authorization code and implicit.
https://www.rfc-editor.org/rfc/rfc6749

Paypal redirect issue in iPad

I have an issue on iPad. I am using the PayPal sandbox with my Ruby code, which makes a SOAP call to https://api-3t.sandbox.paypal.com/2.0/. When I pay from my iPad, it redirects to my return url but as a GET request. But when I pay from my laptop/Windows/Ubuntu machine, it redirects as a POST request. I am unable to understand why it is happening.
Please help me in this.

HTTPS to HTTPS redirect session issue

I have a site (built on LAMP (cakephp) and has ssl certificate installed) which has a secure payment page. After filling up necessary information user proceeds to a payment gateway page. After all the process at the gateway end, gateway redirects to one of my URL, which I have to mention with a payment request.
Now when I keep this url as http, the redirect happens properly and all the sessions are maintained. But I want to make this page https, and when the payment gateway redirects to the https version of the URL, my session information dies and I get redirected to my home page.
e.g. my payment page
https://www.mysite.com/payment
From here the user goes to the payment gateway site, does the necessary things, and the payment gateway redirects to
http://www.mysite.com/paymentResponse (this url I have to mention in the request)
Now I have to make this HTTPS, but when I do that my session info dies.
Please help me
Thanks,
Dinesh
I don't know why it supposedly works for plain HTTP requests, but the problem may be related to Configure::write('Security.level') being set to medium or high, which activates PHP's session.referer_check, which may be the reason sessions are dying for you when being redirected from external sites.
