How to connect to the Paypal API through Javascript using OAuth?

I want to make a small app that gets some account information from PayPal and shows it in an HTML page. I solely use HTML/CSS and JavaScript; I dislike running the authorization flow on the server because of the security implications. I don't want to have the token on the server.

I have a working setup now using the OAuth code grant flow provided by PayPal (more here), but as described above, I want to cut the server out of the picture.

There are some methods described in the page I just referenced, but none seem to imply that an implicit grant is possible.

Is it possible to use PayPal with the OAuth implicit grant or something similar?

(The current answers are using the code grant flow, which is specifically not what I asked for. I know that one exists, but it is bad to use in this case, so please only answer if you know a method without the need to provide the OAuth secret token to the client.)

Jham asked Apr 25 '17 14:04



1 Answer

If anyone does not understand what the Implicit grant is or how it works

Of course this is possible with plain JavaScript, but it is not recommendable. PayPal has an endpoint to provide auth tokens:

https://developer.paypal.com/docs/integration/direct/make-your-first-call/#get-an-access-token

Also you will need to obtain the user's consent. When performing the request you should provide the redirect_uri param with your web app's URL. Usually developers tend to store the returned values in the server script that receives that response from PayPal. But it is not necessary, because you are able to read the JavaScript global var location, which contains all the params.

Here is an overview of how the OAuth 2.0 auth flow works:

How PayPal uses OAuth 2.0

EDIT:

In order to achieve this you have to do the following steps:

VARIABLES:

  • APP_CLIENT_ID -> your app's client_id
  • APP_SECRET -> your app's secret code
  • APP_RETURN_URL -> default endpoint of your app; MUST BE equal to redirect_uri
  • OPEN_ID -> returned code that allows creating a token for a specific customer, and also retrieving info about the user

Assuming that you've created an APP on the developer.paypal site to obtain "client_id" and "secret", in order to build a URL to redirect the user to the PayPal login form:

  1. Redirect your customer to:

  https://www.[sandbox.]paypal.com/signin/authorize?client_id=APP_CLIENT_ID&response_type=token&scope=openid&redirect_uri=APP_RETURN_URL

  2. The customer will log in to their account and produce an openid that will be sent back to your app through an HTTP 302 redirect to redirect_uri, which should be your app:

  APP_RETURN_URL?code=OPEN_ID&scope=openid

  3. Back in your app you can use that code to perform a request to create a token, and it is up to you:

You're able to retrieve profile data from the user such as address, phone, etc.

request:

  curl -v https://api.sandbox.paypal.com/v1/oauth2/token \
    -H "Accept: application/json" \
    -H "Accept-Language: en_US" \
    -H "Authorization: Bearer OPEN_ID" \
    -u "APP_CLIENT_ID:APP_SECRET" \
    -d "grant_type=client_credentials"

response:

  {"scope":"https://uri.paypal.com/services/identity/proxyclient https://uri.paypal.com/services/subscriptions https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card https://uri.paypal.com/services/applications/webhooks openid https://uri.paypal.com/payments/payouts https://api.paypal.com/v1/vault/credit-card/.* https://uri.paypal.com/services/identity/grantdelegation","nonce":"2017-05-05T14:33:28Z488Zx8aUM1aSVo_wpq8IOecfccJMHptR1PVO2OpWcbA","access_token":"A21AAHZCMP5vBuLMzz2m78DJGZhhpmu854amEVEO5WOavfk1GlNl_gmjSi01_69tJLRi5N_6pT-3GpRqZ81_pD1qKIAGANHMQ","token_type":"Bearer","app_id":"APP-80W284485P519543T","expires_in":32400}

  4. Then you're able to follow this: https://developer.paypal.com/docs/integration/direct/make-your-first-call/#make-an-api-call
k1r0s answered Oct 12 '22 11:10