Menu

Interpreting the Redirect Response

After your application redirects the merchant to Cybersource, the following sequence occurs.
  1. Merchants not logged in to the Business Center at the time of the redirect are prompted to do so. Merchants with expired credentials are prompted to reset them, after which they must click the redirect link again.
  2. The Business Center page opens, stating the partner's name along with the permissions that the partner is requesting from the merchant. If the merchant logged in using an account with sufficient privileges, the they are prompted to choose
    Allow
    or
    Deny
    . If the logged-in user does not have sufficient privileges, the
    Allow
    button is disabled.
  3. If the merchant clicks
    Deny
    , Cybersource redirects the merchant to the URL that you defined in your
    redirect_url
    parameter with no parameters appended to it. This is not a failure but a denial of permission by the merchant's representative. The denial does not prohibit any future attempt for this or any merchant.
  4. When the merchant clicks
    Allow
    , Cybersource redirects the merchant to the URL that you defined in your
    redirect_url
    parameter.
    The redirect URL in Cybersource's response is encoded with at least one of the following parameters.
Parameter
Description
code
The authorization code that your application sends to Cybersource when requesting an access token (during the next step of the authentication process). For security reasons, the authorization code expires in
ten minutes
. If it expires, you must repeat the redirect to request another.
state
This parameter is returned only if it was submitted in the request. It is used to test for possible CSRF attacks. If the state values from the request and response do not match, you could be the victim of a CSRF attack, and you should display an HTTP 401 error code in response.
Back to top