I want to make a small app that gets some account information from Paypal and shows that in a HTML page. I solely use HTML/CSS and Javascript, I dislike to run the authorization flow on the server for security implications. I don't want to have the token on the server.
I have a working setup now using the OAuth code grant flow provided by Paypal (more here), but as described above, I want to cut the server out of the picture.
There are some methods described in the page I just referenced, but none seem to implicate there is an implicit grant possible.
Is it possible to use Paypal with OAuth implicit grant or something similar?
(The current answers are taking the code grant flow, which was specifically not what I asked for. I know that one exists, but it is bad to use it in this case, so please only answer if you know a method without the need to provide the OAuth secret token to the client.)
PayPal REST APIs use OAuth 2.0 access tokens to authenticate requests. Your access token authorizes you to use the PayPal REST API server. To call a REST API in your integration, you must exchange your client ID and secret for an access token.
Enter the https://api-m.sandbox.paypal.com/v1/oauth2/token request URL. On the Authorization tab, select the Basic Auth type. Type your client ID in the Username box, and type your secret in the Password box. On the Body tab, select x-www-form-urlencoded .
If anyone does not understand what is/how works Implicit grant
Of course this is posible with plain Javascript but is not recommendable. Paypal has an endpoint to provide auth tokens:
https://developer.paypal.com/docs/integration/direct/make-your-first-call/#get-an-access-token
Also you will need to obtain user's consent.. When performing the request you should provide
redirect_uri
param with your webapp url. Usually developers tend to store returned values on the server script that receives that response from paypal. But it is not necessary coz you are able to read javascript global varlocation
which contains all params.
How PayPal uses OAuth 2.0
EDIT:
In order to achieve this you have to do the following steps:
VARIABLES:
- APP_CLIENT_ID -> your app's client_id
- APP_SECRET -> your app's secret code
- APP_RETURN_URL -> default endpoint of your app MUST BE equals to
redirect_uri
- OPEN_ID -> returned code that allows to create a token for specific customer, also to retrieve info from the user
Asuming that you've created an APP in developer.paypal site to obtain "client_id" and "secret" in order to build an url to redirect the user to paypal login form.
https://www.[sandbox.]paypal.com/signin/authorize?client_id=APP_CLIENT_ID&response_type=token&scope=openid&redirect_uri=APP_RETURN_URL
openid
that it will be sent back to your app through http: 302 redirect to redirect_uri
which should be your app. APP_RETURN_URL?code=OPEN_ID&scope=openid
You're able to retrieve profile data from the user such as address, phone..
request: curl -v https://api.sandbox.paypal.com/v1/oauth2/token -H "Accept: application/json" -H "Accept-Language: en_US" -H "Authorization: Bearer OPEN_ID" -u "APP_CLIENT_ID:APP_SECRET" -d "grant_type=client_credentials"
response: {"scope":"https://uri.paypal.com/services/identity/proxyclient https://uri.paypal.com/services/subscriptions https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card https://uri.paypal.com/services/applications/webhooks openid https://uri.paypal.com/payments/payouts https://api.paypal.com/v1/vault/credit-card/.* https://uri.paypal.com/services/identity/grantdelegation","nonce":"2017-05-05T14:33:28Z488Zx8aUM1aSVo_wpq8IOecfccJMHptR1PVO2OpWcbA","access_token":"A21AAHZCMP5vBuLMzz2m78DJGZhhpmu854amEVEO5WOavfk1GlNl_gmjSi01_69tJLRi5N_6pT-3GpRqZ81_pD1qKIAGANHMQ","token_type":"Bearer","app_id":"APP-80W284485P519543T","expires_in":32400}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With