pilot

Redirect the Merchant

Your application must redirect the merchant to Cybersource so that the merchant can log in with their Cybersource credentials and provide permissions for your application.
IMPORTANT: A merchant giving permissions to your application must log in as an Account Owner or Account Administrator.
After the merchant provides or denies permissions for your application, Cybersource redirects the merchant to the redirect URL that you provided when you registered. If the merchant attempted to grant permissions using an account with insufficient privileges, the redirect response is the same as when a merchant denies permission.
When you redirect the merchant to Cybersource, encode the URL with the following parameters as a query string:
URL-Encoded Query Parameters in Your Redirect

| Parameter Name | Required | Notes |
| --- | --- | --- |
| sub | Yes | Must be set to oauth. |
| client_id | Yes | The client ID that you received when you registered your application in the Business Center. |
| redirect_url | Yes | The page to which Cybersource redirects the merchant after the merchant grants your application permissions. The value of the redirect_url parameter must exactly match the redirect URL that you supplied during registration. |
| state | No | Value that is sent in the response to prevent malicious interception, such as a CSRF attack. |

Sample Redirect for Testing
https://businesscentertest.cybersource.com/ebc2/oauth/authorize?sub=oauth&redirect_url=https://www.example.com&client_id=yourClientId&state=StateValue
Sample Redirect for Production
https://businesscenter.cybersource.com/ebc2/oauth/authorize?sub=oauth&redirect_url=https://www.example.com&client_id=yourClientId&state=StateValue

Interpreting the Redirect Response

After your application redirects the merchant to Cybersource, this sequence occurs.
  1. Merchants not logged in to the Business Center at the time of the redirect are prompted to do so. Merchants with expired credentials are prompted to reset them, after which they must click the redirect link again.
  2. The Business Center page opens, stating the partner's name along with the permissions that the partner is requesting from the merchant. If the merchant logged in using an account with sufficient privileges, they are prompted to choose Allow or Deny. If the logged-in user does not have sufficient privileges, the Allow button is disabled.
  3. If the merchant clicks Deny, Cybersource redirects the merchant to the URL that you defined in your redirect_url parameter with no parameters appended to it. This is not a failure but a denial of permission by the merchant's representative. The denial does not prohibit any future attempt for this or any merchant.
  4. When the merchant clicks Allow, Cybersource redirects the merchant to the URL that you defined in your redirect_url parameter. The redirect URL in the Cybersource response is encoded with at least one of these parameters:

    | Parameter | Description |
    | --- | --- |
    | code | The authorization code that your application sends to Cybersource when requesting an access token (during the next step of the authentication process). For security reasons, the authorization code expires in ten minutes. If it expires, you must repeat the redirect to request another. |
    | state | This parameter is returned only if it was submitted in the request. It is used to test for possible CSRF attacks. If the state values from the request and response do not match, you could be the victim of a CSRF attack, and you should display an HTTP 401 error code in response. |
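
The redirect and response handling described above, as an added example that is not Cybersource's own code. The function names build_redirect and interpret_response are hypothetical, and the sketch assumes your application always sends state (the table marks it optional) and keeps the issued value in the merchant's server-side session.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Test endpoint from the sample redirect on this page.
AUTHORIZE_URL = "https://businesscentertest.cybersource.com/ebc2/oauth/authorize"


def build_redirect(client_id, redirect_url):
    """Return (url, state); keep state in the merchant's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, single-use per redirect
    query = urlencode({
        "sub": "oauth",
        "client_id": client_id,
        "redirect_url": redirect_url,  # must exactly match the registered URL
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def interpret_response(callback_url, expected_state):
    """Classify the callback as denied, csrf, invalid or allowed."""
    params = parse_qs(urlsplit(callback_url).query)
    codes = params.get("code", [])
    states = params.get("state", [])
    if not codes and not states:
        # Deny, or an account with insufficient privileges: nothing appended.
        return "denied", None
    # Exactly one state, equal to the one issued; otherwise answer HTTP 401.
    if len(states) != 1 or not hmac.compare_digest(
            states[0].encode(), expected_state.encode()):
        return "csrf", None
    if len(codes) != 1:
        return "invalid", None
    # The code expires in ten minutes: exchange it for a token promptly.
    return "allowed", codes[0]
```

Discard the stored state after one callback so that a replayed response cannot be matched against it a second time.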