Introduction to OAuth 2.0 Integration

OAuth 2.0 enables your Barclays merchants to securely grant your web-application permission to perform actions on their behalf, such as accessing their customer data and processing transactions. As a technology partner, you can integrate OAuth 2.0 into your web-application through Barclays. When your integration is complete, Barclays authenticates merchants for you, ensuring that your web-application only performs actions authorized by the merchants. This authentication method securely connects your web-application to the merchant account without the need to receive or store sensitive merchant credentials in your system. This guide explains how to set up and enable OAuth 2.0 for your web-application.
IMPORTANT
OAuth integration through Barclays is in the pilot phase. To join the pilot program, and to find out which API requests are OAuth-enabled, contact Barclays support.

How to Implement OAuth 2.0
This overview describes the steps that you and the merchant must complete to
implement OAuth.
1. You enable mutual authentication by obtaining a Certificate Signing Request (CSR) from a supported certificate authority (CA). After obtaining a CSR, you provide your common name details to Barclays. For more information, see Enable Mutual Authentication.
2. You register your web-application in the Smartpay Fuse Portal. You set a scope of permissions and a redirect URL to your web-application. For more information, see Register Your Application.
3. The merchant visits your web-application, provides their credentials, and clicks a button or link to start the permission process.
4. Your application redirects the merchant to a Barclays-hosted webpage. For more information, see Register Your Application.
5. The merchant logs in to the Smartpay Fuse Portal and grants your web-application permission to access their merchant account based on the scope you set previously. Notify the merchant that their account must have the right to grant OAuth permissions in order to complete this requirement.
6. Barclays redirects the merchant to your application using the redirect URL you registered. An authorization code is appended to the redirect URL. For more information, see Interpreting the Redirect Response.
7. Your application exchanges the authorization code with Barclays for these two tokens:
   - Access token: A token to authenticate transactions using Barclays. For more information about how to authenticate Barclays transactions using this token, see Submit API Requests Using OAuth.
   - Refresh token: A token that you can use to request additional access tokens.

For more information about requesting tokens, see Request the Access and Refresh Tokens. For more information about refreshing your existing tokens, see Refresh the Access Token and Refresh the Refresh Token.
To change the permissions the merchant grants you, you must repeat steps 2–7.
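The redirect leg of this flow (steps 4 and 6) as an added Python example, not code from Barclays' documentation or SDK: before redirecting, it binds a random state value to the merchant's session, and on the callback it accepts the authorization code only once and only from the session that started the flow, surfacing an error response instead of treating it as success. The authorization endpoint, client id, redirect URL and scope name are placeholders; the real values come from your application registration.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions, not Barclays values): the real authorization endpoint,
# client id, redirect URL and scope names come from your application registration.
AUTHORIZE_URL = "https://oauth.example.invalid/authorize"
CLIENT_ID = "registered-client-id"
REDIRECT_URI = "https://partner.example.invalid/oauth/callback"
SCOPE = "transactions"

# state -> merchant session id. In-memory store for the demo only; a deployment
# needs a server-side store with expiry so an old state cannot be replayed.
_pending_states = {}


def build_authorization_url(session_id: str) -> str:
    """Step 4: build the redirect to the Barclays-hosted page, with a fresh state
    bound to the merchant's own session so the callback can be matched to it."""
    state = secrets.token_urlsafe(32)
    _pending_states[state] = session_id
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_redirect(callback_url: str, session_id: str) -> str:
    """Step 6: extract the authorization code from the redirect response.
    A callback is accepted only once, and only from the session that started it;
    an error response is reported rather than mistaken for success."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    # pop() makes the state single-use even when the session check fails
    if state is None or _pending_states.pop(state, None) != session_id:
        raise ValueError("state mismatch: callback is not bound to this session")
    if "error" in query:
        raise ValueError(f"merchant did not grant access: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect response carries no authorization code")
    return code
```

The code returned here is what step 7 exchanges for the access and refresh tokens; the exchange request itself is described in Request the Access and Refresh Tokens.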
You must obtain test merchant credentials to emulate the access delegation. Your test account must contain at least one card-based transaction from within the past 7 days.