magento / community-features

Magento Features Development is an initiative that allows community members to join the development of Magento features

Authorize.Net Direct Post impending end-of-life #127

Closed rhoerr closed 3 years ago

rhoerr commented 5 years ago

Moved from https://github.com/magento/magento2/issues/20230

Summary (*)

Magento 2.0-2.3.0 implements the Authorize.net Direct Post payment method, using Authorize.Net's AIM NVP (name-value pair) and DPM (direct post method) APIs.

Per Authorize.Net's published API Upgrade Guide, both AIM and DPM are deprecated, and DPM will be discontinued entirely on production as of 2019-07-01. At that point, anyone using the Authorize.net Direct Post payment method will presumably be unable to accept further payments.

https://developer.authorize.net/api/upgrade_guide/#dpm

> Direct Post Method (DPM)
>
> STATUS: Deprecated. To be disabled in Sandbox 7/1/2018. Production End of Life 7/1/2019.
>
> ALTERNATIVE SOLUTION: Use Accept.js.
>
> DESCRIPTION: With the release of Accept.js, we have begun to deprecate and sunset our legacy DPM product. Going forward, we will correct bugs with DPM, but will not add any new functionality. We will end support for DPM in Sandbox on July 1, 2018, and will discontinue DPM entirely on July 1, 2019. We encourage you to upgrade your DPM solutions to use Accept.js.

Further, Authorize.Net will be disabling the MD5 hash configuration setting by 2019-02-01, at which point it won't be possible for new merchants to configure and enable the Direct Post payment method. https://developer.authorize.net/support/hash_upgrade/

Examples (*)

N/A

Proposed solution

Implement a modern Authorize.Net API.

rhoerr commented 5 years ago

Update: Authorize.Net has changed their EOL plans for DPM. Direct Post Method is still deprecated, but the end-of-life date is now "to be determined".

> Direct Post Method (DPM)
>
> STATUS: Deprecated. Sandbox and Production End of Life TBD.
>
> ALTERNATIVE SOLUTION: Use Accept.js.
>
> DESCRIPTION: With the release of Accept.js, we have begun to deprecate and sunset our legacy DPM product. Going forward, we will correct bugs with DPM, but will not add any new functionality. While DPM is deprecated, dates for Sandbox and Production end-of-life are to be determined. We encourage you to upgrade your DPM solutions to use Accept.js.

To my knowledge, the MD5 hash deprecation date is still in play, meaning the current solution will still be unusable for new merchants in another month.

Thanks @mpchadwick for the catch.

pmathbliss commented 5 years ago

Can the MD5 field be used with the API Key? I'm guessing no, but want to keep track of this.

ArthurSCD commented 5 years ago

I've been surprised by the lack of discussion I've been able to find on this as well, as I work with a lot of Authorize.net Magentos.

If I am understanding the notice correctly, MD5 that is already created/connected before Feb 1, 2019 will work until it's announced they won't.

However, starting February 1, 2019, I believe Authorize.net settings in Magento 2 will no longer be able to be set or updated, as there will be no way to generate the MD5 hash, which Magento 2 requires.

buskamuza commented 5 years ago

Moving to Accept.js is currently in development internally. Targeting Magento 2.3.1.

cc @piotrekkaminski, @joni-jones, @nathanjosiah

robolmos commented 5 years ago

> Moving to Accept.js is currently in development internally. Targeting Magento 2.3.1.

Will there be an update for 2.2.x as well or only 2.3.x?

nathanjosiah commented 5 years ago

@rhoerr @mpchadwick The new implementation supports the MD5 mechanism but is also implementing the new SHA-512 mechanism as well.

@robolmos A backport of these changes is currently being discussed but there haven't been any decisions made.

Shimon2 commented 5 years ago

When I called Authorize.net support they told me that MD5 End Of Life will definitely be happening on February 1st. Granted that is coming from a support tech who may not know everything.

That said, I have not heard anything official that there will be a version that supports transHashSHA2, nor have I heard anything official that MD5 will continue to work. Complete uncertainty.

Does anyone have an official answer for this issue? Are we going to wake up February 1st with a web site that can't accept credit cards? I really would like to hear something from the "Powers That Be" so that I don't have to panic.

Thanks,

nathanjosiah commented 5 years ago

@Shimon2 The new official Magento 2 core module that is nearing completion and is scheduled to be available in 2.3.1 will support the new algorithm as well as the old. Authorize.net documentation states that both will continue to function but the old MD5 option will no longer be in their interface: https://developer.authorize.net/support/hash_upgrade/ I recognize that their documentation has discrepancies from time to time; however, rest assured the new module is almost ready.

danieljoeblack commented 5 years ago

@nathanjosiah Is there any more word on whether it will be available for 2.2.x?

nathanjosiah commented 5 years ago

@danieljoeblack Unfortunately I still don't have any details to share regarding 2.2.x.

Beowulf891 commented 5 years ago

Are there any details for Magento 1?

nathanjosiah commented 5 years ago

@Beowulf891 Unfortunately I don't have any information to share regarding backports at this time.

nathanjosiah commented 5 years ago

It's worth noting to everyone following this thread that since this thread was created, Authorize.net has removed the July end-of-life date for DPM and it now says:

> Direct Post Method (DPM)
>
> STATUS: Deprecated. Sandbox and Production End of Life TBD.

So it looks like there will be a little bit more time to upgrade once the new core support has been released.

Jeevachezhiyan commented 5 years ago

I think they are going to completely stop the MD5 Hash element in the API response after 2-3 months.

In the first week of Feb, they are going to remove the MD5 Hash setting in the Merchant Interface. There are no changes to the existing API response.

Please find the link below,

https://support.authorize.net/s/article/MD5-Hash-End-of-Life-Signature-Key-Replacement

ArthurSCD commented 5 years ago

> Are there any details for Magento 1?

Just an FYI, from my experience most Magento 1's weren't set up with Direct Post, instead using the other method that does not require MD5 Hash.

styzzz commented 5 years ago

So, we will have to upgrade to Magento 2.3 in order to use Authorize.net?

nathanjosiah commented 5 years ago

@styzzz The timeline and versions for a backport are currently being discussed.

meetvora21 commented 5 years ago

Anybody have an idea about this? What can we do in Magento 1.9.3 versions?

ArthurSCD commented 5 years ago

Has there been any ETA on 2.3.1?

Basically Authorize currently can't be set up on M2 now, right?

styzzz commented 5 years ago

M2 does work with Authorize.net right now. Both versions 2.1, 2.2 work.

But that may not be true in the future. We are all waiting to see!

On Thu, Feb 7, 2019 at 3:52 PM Arthur notifications@github.com wrote:

> Has there been any ETA on 2.3.1?
>
> Basically Authorize currently can't be set up on M2 now, right?

ArthurSCD commented 5 years ago

It works yes, but since we can't generate MD5's anymore, I don't think you can set new credentials, right?

If your MD5 was already set, it still works, yes.

rhoerr commented 5 years ago

> It works yes, but since we can't generate MD5's anymore, I don't think you can set new credentials, right?

That's correct. Until the updated integration is released (expected in 2.3.1 per above), anyone not already using Direct Post will need to use a different payment method or a third-party solution.

ArthurSCD commented 5 years ago

@nathanjosiah When convenient, would greatly appreciate any further info you can offer on like estimated 2.3.1 release or an Authorize.net patch. Not sure if I'm just looking in the wrong places but surprised I haven't found more dealing with the fallout of Authorize.net no longer being able to be set up for Magento 2.

nathanjosiah commented 5 years ago

@ArthurSCD I do not have an estimated release date to share. The new module was merged into the public 2.3-develop branch early today but isn't available in a release yet. We understand the frustration and concerns that this situation presents and apologize for the inconvenience.

ArthurSCD commented 5 years ago

@nathanjosiah No need to apologize, I totally understand. I just work with a lot of M2s that use Authorize so I'm trying to stay knowledgeable on this issue and even consider a temporary solution or patch if possible. Thanks for the update.

karamveer-cipl commented 5 years ago

@nathanjosiah @rhoerr We are also facing the same challenges and, due to this, can't go live. We are just waiting for a fix. Is there any hope of getting the required release soon?

Shimon2 commented 5 years ago

Authorize.net just sent me this:

• Sandbox will be updated on March 7, 2019 to stop populating the MD5 Hash value, the field will still be present but empty.
• Production will be updated on March 14, 2019 to stop populating the MD5 Hash value, the field will still be present but empty.

If I understand this correctly this means the M2 sites that use Authorize.net will be broken on March 14th. Can we organize somehow to tell Authorize.net that we will have to find a different platform on that date? Stripe contacted me about moving to them. I have not pursued this yet.

FaeriesDance commented 5 years ago

If I understand correctly, Magento 2.3.1. will not be out before Authorize.net kills MD5 hash. Commenting in hopes of staying on top of this topic. As a business owner, I'm not sure what to do.

rohan5894 commented 5 years ago

Looks like a very big problem as I have many clients using Authorize.net within their Magento 2. I don't want to move them to a CIM solution and no news till now from Magento regarding a fix to this.

bhargavmehta commented 5 years ago

@rohan5894, I guess @magento-engcom-team is already working on the solution. Check the link below: https://github.com/magento/magento2/tree/2.3-develop/app/code/Magento/AuthorizenetAcceptjs

Thank you

nathanjosiah commented 5 years ago

@bhargavmehta @rohan5894 Yes that is correct. The referenced module is complete and scheduled to be released with 2.3.1. It doesn't use Direct Post and it supports the new hashing algorithm in addition to the deprecated MD5 algorithm.

rohan5894 commented 5 years ago

@bhargavmehta @nathanjosiah Thanks for the Update 👍 Any update as to when 2.3.1 is releasing?

nathanjosiah commented 5 years ago

@rohan5894 Unfortunately, a release date for 2.3.1 is not publicly available yet. However, we understand the urgency of the current situation.

Shimon2 commented 5 years ago

@nathanjosiah, have you contacted Authorize.net and asked them to push off the date?

ArthurSCD commented 5 years ago

@nathanjosiah Is it possible for a patch outside of 2.3.1 or is that too much work/trouble/not possible?

nathanjosiah commented 5 years ago

@ArthurSCD I don't have an official statement regarding a patch. From a technical perspective the module is built standalone but it requires the Magento Payment Gateway infrastructure so there would be some minimum 2.x version requirement for the patch to be applied.

Shimon2 commented 5 years ago

@nathanjosiah, if Authorize.net won't push off the date, perhaps we can organize a mass exodus from Authorize.net. I would hope that this possibility would get their attention. I called them and they were not aware that 2.3.1 was not ready. Does anyone have a good alternative to Authorize.net that they can recommend?

nathanjosiah commented 5 years ago

@Shimon2 I have not used this extension personally and I'm not aware of an official Magento endorsement, however, during the development of the new official module I discovered that Authorize.net has an official extension in the Magento marketplace. I'm not sure if it has feature parity with the official Magento module nor do I know the level of support that Authorize.net offers for issues but I'll leave the link here nonetheless.

Shimon2 commented 5 years ago

Authorize.net just called me and said that 2.3.1 should be ready by February 28th. Does anyone at Magento care to confirm or deny this?

nathanjosiah commented 5 years ago

@Shimon2 I'm not sure why Authorize.net is giving those dates. There have been no publicly released dates as of now.

Shimon2 commented 5 years ago

@nathanjosiah I spoke with Omar at Authorize.net and he told me that they reached out to the Magento development team to get that information. If this is not so, then I definitely need to find an alternative to Authorize.net. I told them that I needed to look for alternatives to Auth.net. They were understanding, but offered no concrete solutions.

joni-jones commented 5 years ago

@ArthurSCD You can try to apply the patch with the fix for 2.2.8: Auth.net.md5.patch.zip

FaeriesDance commented 5 years ago

> @nathanjosiah, have you contacted Authorize.net and asked them to push off the date?

I did, and they said Magento had been informed of the migration last year and if Magento wasn't ready it was basically their problem and no extensions would be forthcoming even if it meant losing a bunch of customers. (In an only slightly nicer way than what I just typed there.) Of course, I don't work with them directly, so I may not have had the right person on the phone, but he wouldn't even transfer me to anyone else.

perryholden commented 5 years ago

Does anyone know if this affects Authorize.net CIM at all? Or does it only affect the Direct Post method?

rhoerr commented 5 years ago

> Does anyone know if this affects Authorize.net CIM at all? Or does it only affect the Direct Post method?

It affects any Authorize.Net payment method that uses MD5 hash validation. Magento uses them for its Direct Post method. Other integrations may or may not.

Magento doesn't implement Authorize.Net CIM out of box, so you must be referencing a third-party extension, and that entirely depends on the specific extension. ParadoxLabs' Authorize.Net CIM integration is not affected, but I can't speak to any others.

perryholden commented 5 years ago

> Magento doesn't implement Authorize.Net CIM out of box, so you must be referencing a third-party extension, and that entirely depends on the specific extension.

@rhoerr - You are correct. That was an oversight on my part. Thank you very much for clarifying.

viktym commented 5 years ago

@rhoerr @Shimon2 Support for the SHA-512 mechanism in the Authorize.Net 2.2 release line will be available in the 2.2.8 patch release (actually both MD5 and SHA512 will be supported). For the urgent purpose, you can apply the patch published by @joni-jones. It is an official patch from the upcoming release: https://github.com/magento/community-features/issues/127#issuecomment-467263806 A new credentials field was introduced: Signature Key. You should generate this key in your Authorize.Net account and save it in Magento. See https://support.authorize.net/s/article/What-is-a-Signature-Key
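
Editor's added example, not part of the comment above and not code from Magento's patch or module: a response check that prefers the SHA-512 hash keyed with the Signature Key, accepts MD5 only as an explicit legacy fallback, and rejects a response whose hash field is present but empty. The function name, the response field names and the signed-text layouts are assumptions; the real ones come from Authorize.Net's hash upgrade documentation.

```php
<?php
declare(strict_types=1);

// Added example, not Magento's code. The response field names (x_SHA2_Hash,
// x_MD5_Hash) and the signed-text layouts are assumptions; take the real ones
// from Authorize.Net's hash upgrade documentation.
function verifyGatewayHash(
    array $resp,             // parsed gateway response fields
    string $sha2Text,        // text the gateway signs with HMAC-SHA512 (assumed layout)
    string $md5Text,         // text covered by the legacy MD5 hash (assumed layout)
    string $signatureKeyHex, // Signature Key from the merchant account (hex string)
    bool $allowMd5Fallback   // true only while migrating; false once SHA-512 works
): string {
    $sha2 = trim((string)($resp['x_SHA2_Hash'] ?? ''));
    $md5  = trim((string)($resp['x_MD5_Hash'] ?? ''));

    if ($sha2 !== '') {
        if (!ctype_xdigit($signatureKeyHex) || strlen($signatureKeyHex) % 2 !== 0) {
            return 'reject: signature key missing or not hex';
        }
        $expected = hash_hmac('sha512', $sha2Text, hex2bin($signatureKeyHex));
        // hash_equals compares in constant time; the hash is normalised to lowercase hex.
        return hash_equals($expected, strtolower($sha2)) ? 'ok: sha512' : 'reject: sha512 mismatch';
    }
    if ($md5 !== '' && $allowMd5Fallback) {
        return hash_equals(md5($md5Text), strtolower($md5)) ? 'ok: md5 (legacy)' : 'reject: md5 mismatch';
    }
    // Field present but empty, or absent: never treat "nothing to compare" as valid.
    return 'reject: no usable hash in response';
}

// Constructed sample values, not real credentials or gateway output.
$key     = str_repeat('ab', 64);
$text    = '^login123^40012345678^19.99^';
$md5Text = 'oldsecret' . 'login123' . '40012345678' . '19.99';
$cases = [
    'sha512 populated'      => ['x_SHA2_Hash' => strtoupper(hash_hmac('sha512', $text, hex2bin($key)))],
    'legacy md5 only'       => ['x_MD5_Hash' => strtoupper(md5($md5Text))],
    'md5 present but empty' => ['x_MD5_Hash' => ''],
    'tampered sha512'       => ['x_SHA2_Hash' => str_repeat('0', 128)],
];
foreach ($cases as $name => $resp) {
    echo $name, ': ', verifyGatewayHash($resp, $text, $md5Text, $key, true), PHP_EOL;
}
```

Passing `false` for `$allowMd5Fallback` once the Signature Key is configured keeps a response that carries only the weaker MD5 value from being accepted.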

Shimon2 commented 5 years ago

@viktym When will this patch be available? We need some time to install and test before going live. Thanks.

viktym commented 5 years ago

@Shimon2 There have been no publicly released dates for now. Approximately, it should be in March. You can apply this patch for testing.

Shimon2 commented 5 years ago

@viktym Thank you. That is almost reassuring. Excuse my ignorance, but what versions can I apply this patch to? We are currently at 2.2.2.