|
2 | 2 | sidebar_position: 2 |
3 | 3 | --- |
4 | 4 |
|
5 | | -# Authentication |
| 5 | +:::caution |
6 | 6 |
|
7 | | -The PoS V10 API uses access tokens to authenticate calls from integrator clients. In order for an integrator client to use the PoS V10 API, it must first obtain an access token using the Integrator Authentication API. The access tokens used in the PoS V10 solution identifies both an integrator client and the integrator and may optionally identify the merchant on which the client is calling on behalf of. |
| 7 | +Please notice that as part of the merger between MobilePay and Norwegian Vipps, we will consolidate products on one joint platform. |
| 8 | +This product is now closed. Please visit our new developer documentation to see the new APIs we offer https://developer.vippsmobilepay.com/ |
8 | 9 |
|
9 | | -## Credentials Flow |
10 | | - |
11 | | -The Integrator Authentication solution is based on the OpenID/OAuth 2.0 specification. By following the OpenID Connect protocol, MobilePay makes it easy for integrators to integrate with MobilePay. Currently, the flow supported is the Client Credentials grant type. In the Credentials Flow (defined in OAuth 2.0 RFC 6749, section 4.4), integrators pass along their `client_id` and `client_secret` (received in Step 5 above) to authenticate themselves and obtain an access token. The Credentials Flow is illustrated in the diagram below. |
12 | | - |
13 | | -[](/img/pos-sekvensdiagram.png) |
14 | | - |
15 | | - 1. The client app authenticates with the Authorization Server using its `client_id` and `client_secret` using the token endpoint. |
16 | | - 2. The Authorization Server validates the `client_id` and `client_secret`. |
17 | | - 3. The Authorization Server responds with an `access_token`. |
18 | | - 4. The Client application can use the `access_token` to call the PoS V10 API. |
19 | | - 5. The PoS V10 API responds. |
20 | | - |
21 | | -:::note |
22 | | -Oauth2 client secrets should not be stored in a way, where they can be accessed by someone from outside the integrator organisation. |
23 | 10 | ::: |
24 | | - |
25 | | -## Obtaining an access token |
26 | | - |
27 | | -This document only describes the token endpoint used to request an access token. A complete specification of the endpoints, responses and response codes for the Integrator Authentication API can be found in the [APIs section](https://sandbox-developer.mobilepay.dk/product). |
28 | | - |
29 | | -The token endpoint (`POST /connect/token`) is used when requesting an access token for an onboarded integrator client. The following |
30 | | -headers must be set: |
31 | | - |
32 | | -```json title="Headers" |
33 | | -Content-Type: x-www-urlencoded |
34 | | -Authorization: Basic (client_id:client_secret).toBase64EncodedString(). |
35 | | -``` |
36 | | - |
37 | | -The OAuth `client_id`and `client_secret` will be sent to the integrator in a closed zip file from [[email protected]](mailto:[email protected]) to integrators e-mail (step 4 in the [Client onboarding guide ](/docs/pos/development-guide/getting-started#step-4---receive-security-credentials)). |
38 | | - |
39 | | -In addition, the `grant_type` parameter must be set and a `merchant_vat` parameter may optionally be set as described below: |
40 | | - |
41 | | -| Parameter | Value | Description | |
42 | | -| --- | --- | --- | |
43 | | -| `grant_type` | client_credentials | The Client Credentials grant type is used by clients to obtain an `access_token` outside of the context of a user. | |
44 | | -| `merchant_vat` | DK12345678 or FI12345678 | VAT number of the merchant the integrator client is calling on behalf of. The VAT number consists of country prefix (either FI or DK) and 8 digits. | |
45 | | - |
46 | | -If the `merchant_vat` parameter is supplied, the VAT number will be added as a claim on the access token, and it will only be possible to use the access token to perform calls on behalf of the given merchant. If it is not supplied, the access token will not be restricted to a fixed merchant. Instead, clients will have to include a header on all calls to the PoS V10 API that includes the VAT number of the merchant the client is acting on behalf of, for the given call. |
47 | | - |
48 | | -Example of response body from SandBox environment: |
49 | | - |
50 | | -```json title="Response body" |
51 | | -{ |
52 | | - "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c", |
53 | | - "expires_in": 3700, |
54 | | - "token_type": "Bearer", |
55 | | - "scope": "integrator_scope" |
56 | | -} |
57 | | -``` |
58 | | - |
59 | | -### Expected status codes |
60 | | - |
61 | | -You might encounter the following status codes : |
62 | | - |
63 | | -* `200 - OK` |
64 | | -* `401 - Unauthorized` if the client is not authorized/authenticated through the API Gateway |
65 | | - |
66 | | -### cURL example |
67 | | - |
68 | | -```json title="Example" |
69 | | -curl --location --request POST 'https://api.sandbox.mobilepay.dk/integrator-authentication/connect/token' \ |
70 | | ---header 'Content-Type: application/x-www-form-urlencoded' \ |
71 | | ---header 'Authorization: Basic ({YOUR_CLIENT_ID}:{YOUR_CLIENT_SECRET}).toBase64EncodedString()' \ |
72 | | ---data-urlencode 'grant_type=client_credentials' \ |
73 | | ---data-urlencode 'merchant_vat=DK12345678' |
74 | | -``` |
75 | | - |
76 | | - **Environments:** |
77 | | -The following URLs are the environment routes for the Integrator Authentication API |
78 | | - |
79 | | -* SandBox: `https://api.sandbox.mobilepay.dk/integrator-authentication` |
80 | | -* Production: `https://api.mobilepay.dk/integrator-authentication` |
0 commit comments