Open marcoscaceres opened 6 months ago
Hey Marcos,
The Payment Request API is suitable for pull payments where the communication needs to be 2-way. Also it needs active integration work from the merchant side.
The proposed solution is focused on push payments, where the payment actually happens out of band from the payer to payee. In this scenario, we provide an easy way for the merchants to make use of the browser capabilities with a lightweight change, and doesn't require any active integration. This would mean the merchants don't need to drastically change their current workflows, which is an important factor to consider. Please note that the merchants already have a way to handle out of band notification upon push payment completion (Example: a QR is displayed and the merchant waits for an out of band communication about payment completion). So this can be treated as a purely 1-way (passive) communication, and the browser isn't required to pass back any data to the merchant.
So we should treat this proposal not as a replacement but as a solution that complements Payment Request API, so we have solutions for both push and pull payments.
Right, but what about the custom schemes? The core of my question was related to those. Relying on custom schemes doesn’t seem like a viable solution.
Hi @marcoscaceres, thank you for the link to @RByers 's doc!
Is my understanding correct: that doc raises concerns about how an OS handles schemes to invoke an installed application? E.g., Android's data element for intent-filters can specify a custom scheme:
<intent-filter . . . >
<data android:scheme="something" android:host="project.example.com" />
...
</intent-filter>
The payment link explainer states:
"The browser is responsible for detecting the presence of a "payment" link in any page. It then notifies the payment clients that have registered the associated scheme for receiving "payment" links."
And that sounds extremely similar to what @RByers was describing in Concerns with custom schemes doc:
"use of custom URL schemes (eg.
openid4vp:
andmdoc:
) to enable verifier websites to invoke holder (wallet) applications"
In summary, I think what @RByers was trying to say: A user agent should not simply forward URLs to the apps installed on the device, because that may result in bad user experience and other issues.
I don't have the full context for what alternative was proposed due to Concerns with custom schemes, but I think it's safe to say that the Chrome team should keep these concerns in mind when designing and implementing this feature.
Would you suggest moving away from custom schemes (the explainer mentions upi
, bitcoin
, and paypal
) toward the standard https
?
One strawman solution to the raised concerns: Make the user agent be a mediator for the payment links, so it can determine what to do with different schemes, before possibly invoking a "payment client" to handle the payment link. If that can be used to alleviate the concerns, should that be in the upcoming spec?
Cheers! 🍻 Rouslan
Thank you @rsolomakhin for chiming in.
Hey @marcoscaceres I wanted to add a little more context on how we are thinking about custom schemes.
bitcoin bitcoincash ethereum payto, which includes a broader range of schemes including ACH, IBAN, Bitcoin, UPI etc.
Moving away from a scheme-based approach will make these standards less usable.
Based on my limited understanding of the concerns with custom schemes for identity, I wanted to share a few thoughts in the context of push payments.
For security, we are looking into adopting the approach followed by UPI with the help of digital signatures. The UPI URL contains a MID (merchantId) and a signature, and there are lookup services made available by UPI to lookup the public key for a given MID. This way the payer is able to cryptographically verify the authenticity of the payment link before proceeding with the payment. This is all possible with UPI due to their centralized infrastructure that facilitates such use cases. We can follow a similar approach but utilize decentralized identifiers (did:web to begin with but can be expanded in future to other DID methods) instead of MIDs. We think we can begin with did:web which will help us to piggyback on the https security. We are still ironing out the details and going through security reviews, and are hoping to share with the broader audience once we have internal alignment.
In its simplest form, the solution can be something like we reserve a couple of query parameters in the URL, like did-url and paymentlink-signature. The Browser can look for these fields and independently verify the payment link. The did-url itself can be trusted only if the hosting domain returns a static header containing the did-url. Such an approach will help us rely on the security of the hosting domain and will provide protection against XSS attacks to a great extent.
So to summarize, the Browser will have 2 responsibilities:
With this added context, we would love to hear your thoughts/feedback on the approach and whether there are bigger concerns on the usage of custom schemes.
The Payment Request API is suitable for pull payments where the communication needs to be 2-way
Yes and no…it’s suitable for push payments. We had a lot of discussion about this when we first created the spec. An Open Banking payment is a push payment and you could quite happily support that with Payment Request.
The API contract does necessitate two way communication - that I think is the problem here - but that doesn’t mean we couldn’t use the same data structures. One part of PaymentRequest is defining a standardised interface for describing payment methods you support and what the payment is compromised of…this seems like it potentially could be used here?
Thanks @nickjshearer. Agreed that open banking payments are push payments. And happy to chat more if there are ways to make things work with Payment Request, keeping in mind that the goal is to make it really light weight for the PSPs to incorporate.
Sharing a few more details on the thought process and how we internally concluded that payment links will be a viable solution that has higher changes for the PSPs to adopt.
Taking Pix in Brazil as an example. Pix has already established a standard for payment target by utilizing the EMVCo QR standard. All the payment details are part of the Pix code, so ideally we shouldn't add an overhead for the PSPs to also embed the same details in a different format. Even if a PSP is agreeing to do it, it wouldn't add much value. This is because the wallet provider can extract all the relevant payment details from the Pix code. If anything is missing in the Pix code, there are backend services that can provide such missing information.
So now we are left with the problem of identifying the payment method, which can be solved with the help of custom schemes (keeping the security considerations aside).
So overall, we are looking at a very light weight change for the merchants/PSPs on top of what they already do. Which is to wrap the same payment target in the form of a payment link.
Please share your feedback and would love to chat more if there are other approaches to consider.
@rsolomakhin and @stephenmcgruer please feel free to add anything that I missed.
@aneeshali wrote:
So now we are left with the problem of identifying the payment method, which can be solved with the help of custom schemes (keeping the security considerations aside).
An alternative method for identifying the payment scheme is to put it in the path, i.e., change from (1) to (2):
But then we would encounter the problem of having a valid-looking URL that does not necessarily maps to a meaningful location on the web.
I agree @rsolomakhin that the first option is better for clearer semantics.
If there are no further comments on this topic, I would like to resolve this issue and move forward.
Before we close this down, @marcoscaceres and @nickjshearer - Do you have suggestions on how to improve payment links from your perspective, e.g., to make other implementers jobs easier?
Wouldn't this have the same issues that were discussed here (even though those were for identity, but same thing applies here I think): https://github.com/WICG/digital-identities/blob/main/custom-schemes.md
Some platforms have moved away from using custom schemes... this seems to encourage them, which doesn't seem great.