sumup / sumup-android-sdk

Sample App for the SumUp Android SDK

Transparent authentication does not work #45

Open alaporterie opened 6 years ago

alaporterie commented 6 years ago

Hi,

I use your Android SDK for SumUp Air.

In my Android app, I perform a POST to "https://api.sumup.com/token" with my client credentials, and I succeeded in getting an access token. But when I use this access token together with my affiliate credential, I get an error "INVALID TOKEN".

I performed several tests without success. Transparent authentication is mandatory for us. Do you have an idea, please?

When I created the client credentials, I chose "Android" as the application type; I do not know what Authorized redirect URI to enter.

Thank you, Anthony

Angus-Fisher commented 6 years ago

Hi Anthony,

It sounds like you're creating a token using the 'client credentials' grant type, which does not authorise a merchant account. If that is the case, please use the 'password' grant type if you only plan to use one merchant account, or the 'authorization code' grant if you plan to let other merchants use your application.

If you use the authorization code grant, the 'Authorized Redirect URI' is where the code will be returned to after the user authorises your application.

If you have any further questions, please send an email to integration@sumup.com.

Angus

alaporterie commented 6 years ago

Hi Angus,

I intend to perform actions on behalf of the merchant, to directly call SumUp Android services.

So if I understand correctly, I have to call POST /token with grant_type='authorization_code' and also pass the code. But how can I get this code?

If I call POST /authorize with response_type='code', I get an error "access token required".

Could you help me please?

Thank you, Anthony

Angus-Fisher commented 6 years ago

Hi Anthony,

The code is created once the merchant has logged in and authorized your application, and it is returned as a URL parameter to the authorized redirect URI you specified when setting up the client. The detailed steps are shown in the documentation here:

http://docs.sumup.com/oauth/#header-authorization-code-grant

Angus

alaporterie commented 6 years ago

Hi Angus,

In our use case, our users cannot enter a login and password to connect to the SumUp API. We want a transparent connection to the SumUp platform in order to use the Android SDK. Put differently, we want a transparent connection for the merchant, who in our case are our employees.

We want to use directly SumUpLogin.builder("ourAffiliateKey").accessToken("OUR_ACCESS_TOKEN").build() in our Android app.

Thank you, Anthony

Angus-Fisher commented 6 years ago

Hi Anthony,

If the users of the application are your employees, then you should know the username and password of the merchant account and/or the employee accounts. With these details you can use the password grant type to generate the token(s) and authenticate with the SDK.

If this is still unclear please get in contact with integration@sumup.com.

Cheers,

Angus

alaporterie commented 6 years ago

Hi Angus,

It's not only our employees, it's also thousands of partners. So it's not acceptable for us that they have to enter a login/password manually in the Android app.

In your documentation, you state: "To authenticate an account without the user typing in their SumUp credentials each time, you can generate an access token using OAuth2.0 and use it to transparently login to the SumUp SDK." So, without typing SumUp credentials each time, do you mean calling this web service? POST https://api.sumup.com/token "grant_type=password&client_id=MY_CLIENT_ID&client_secret=MY_CLIENT_SECRET&username=MY_USERNAME&password=MY_PASSWORD"

Thank you, Anthony

jahenry commented 6 years ago

Hi Anthony

Please reach out to integration@sumup.com -

Can you share a little more about your use case and the desired user flow so that we can nail down the correct implementation?

Thanks James

ital0 commented 6 years ago

@alaporterie here we are doing exactly this. The user only logs in once and then we "re-authenticate" him every time the access_token expires, using the refresh_token. It doesn't matter whether the access_token has been expired for 1 minute or 1 day, it will always be refreshed. But you need to create logic combining the SumUpSDK and the SumUpAPI. The SumUpSDK won't do this for you alone.

One flow that you can follow is:

1) The user logs in using https://api.sumup.com/authorize (it's a webview);
2) The API will call your app scheme URL (something like app://);
3) You will receive access_token, refresh_token and the expiration time;
4) Now you pass the token to the SumUpSDK to authenticate (a.k.a. transparent auth);
5) If your token expires, just make a call to the API to refresh it.

(sorry for any mistakes in my English)
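The flow above (authorize in a webview, receive the code on an app-scheme redirect, exchange it at /token, hand the access token to the SDK, refresh when it expires) is the part the SDK does not do for you. The following is an added example written for this page, not SumUp's own code or the SDK's API, showing how the token-side logic could look. It is in Python rather than the SDK's Java because it only produces the string that goes into SumUpLogin.builder(affiliateKey).accessToken(...); it assumes /authorize and /token accept the standard OAuth2 parameters (redirect_uri, state, code, refresh_token) and answer errors with a JSON body containing "error", the app:// scheme and all token values are made up, and the HTTP transport is injectable so the logic can be exercised offline. It also covers the single-merchant password grant mentioned earlier in the thread. One practical caveat: a client_secret compiled into an APK can be extracted, so a confidential client like this one belongs on a backend you control, which is also where long-lived refresh tokens should be stored.

```python
# Added example (not SumUp's code): OAuth2 client producing the access token
# passed to SumUpLogin.builder(affiliateKey).accessToken(token).build().
# Assumptions: standard OAuth2 parameter names (redirect_uri, state, code,
# refresh_token) and a JSON {"error": ...} reply on failure; the app://
# redirect and every token value used below are illustrative only.
import json
import secrets
import time
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://api.sumup.com/authorize"  # endpoints named in the thread
TOKEN_URL = "https://api.sumup.com/token"


class TokenError(Exception):
    """The token endpoint answered with an OAuth2 error body."""


class ReconsentRequired(Exception):
    """No usable refresh token: send the merchant through /authorize again."""


def http_post_form(url, fields):
    """Default transport: form-encoded POST, JSON reply. Replaced in tests."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def query_params(url):
    """First value of each query parameter, e.g. {'code': ..., 'state': ...}."""
    qs = urllib.parse.urlparse(url).query
    return {k: v[0] for k, v in urllib.parse.parse_qs(qs).items()}


class SumUpOAuthClient:
    def __init__(self, client_id, client_secret, redirect_uri,
                 post=http_post_form, clock=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri = redirect_uri
        self._post, self._clock = post, clock
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0
        self._pending_state = None  # set while a webview login is in flight

    def authorize_url(self):
        """Step 1: URL to open in the webview. `state` is a one-shot CSRF nonce."""
        self._pending_state = secrets.token_urlsafe(32)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "state": self._pending_state}
        return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)

    def handle_redirect(self, redirect_url):
        """Steps 2-3: the app-scheme redirect carries `code` and `state`.
        Accept it only if the state matches the one we issued, and only once."""
        q = query_params(redirect_url)
        if self._pending_state is None or not secrets.compare_digest(
                q.get("state", "").encode(), self._pending_state.encode()):
            raise ValueError("state mismatch: stale, replayed or forged redirect")
        self._pending_state = None
        if "code" not in q:
            raise ValueError("redirect carried no authorization code")
        self._store(self._token_request(grant_type="authorization_code",
                                        code=q["code"], redirect_uri=self.redirect_uri))

    def login_with_password(self, username, password):
        """Single-merchant alternative: the password grant suggested in the thread."""
        self._store(self._token_request(grant_type="password",
                                        username=username, password=password))

    def token_for_sdk(self):
        """Steps 4-5: the value for accessToken(); refreshes when expired.
        A rejected refresh (e.g. the refresh token itself has expired) means
        the merchant must consent again, so report that instead of retrying."""
        if self.access_token and self._clock() < self.expires_at:
            return self.access_token
        if not self.refresh_token:
            raise ReconsentRequired("no refresh token; run the authorize flow")
        try:
            self._store(self._token_request(grant_type="refresh_token",
                                            refresh_token=self.refresh_token))
        except TokenError as exc:
            self.access_token = self.refresh_token = None
            raise ReconsentRequired(f"refresh rejected: {exc}") from exc
        return self.access_token

    def _token_request(self, **fields):
        fields.update(client_id=self.client_id, client_secret=self.client_secret)
        body = self._post(TOKEN_URL, fields)
        if "error" in body:  # e.g. {"error": "invalid_grant"}
            raise TokenError(body["error"])
        return body

    def _store(self, body):
        self.access_token = body["access_token"]
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        ttl = float(body.get("expires_in", 3600))  # 3600 is an assumed default
        # renew 60 s early so the SDK never receives an already-expired token
        self.expires_at = self._clock() + ttl - 60
```

The `state` value is generated per login attempt and cleared as soon as one redirect is accepted, so a forged or replayed app:// callback cannot inject an attacker's authorization code into the session. `token_for_sdk()` is what the app calls right before building the SumUpLogin; when it raises ReconsentRequired the only correct recovery is to show the /authorize webview again.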

imran-samed commented 6 years ago

Hi Angus, It's not only our employees, it's also thousands of partners. So it's not acceptable for us that they have to enter a login/password manually in the Android app. In your documentation, you state: "To authenticate an account without the user typing in their SumUp credentials each time, you can generate an access token using OAuth2.0 and use it to transparently login to the SumUp SDK." So, without typing SumUp credentials each time, do you mean calling this web service? POST https://api.sumup.com/token "grant_type=password&client_id=MY_CLIENT_ID&client_secret=MY_CLIENT_SECRET&username=MY_USERNAME&password=MY_PASSWORD"

@jahenry I want the same thing. Can you please guide me on how I can do this?

imran-samed commented 6 years ago

In my Android app, I perform a POST to "https://api.sumup.com/token" with my client credentials, and I succeeded in getting an access token. But when I use this access token together with my affiliate credential, I get an error "INVALID TOKEN".

Hi @alaporterie, can you please share a little of your work on this, i.e. how you got the access token, because I'm not able to get an access token using this URL.

jahenry commented 6 years ago

Hi @imran-samed

For many individual SumUp merchant accounts to authenticate via OAuth, you can use the Authorization Code Grant, illustrated here: http://docs.sumup.com/oauth/#header-authorization-code-grant Note: please make the URL call first to allow the user to authenticate and authorize, followed by the POST request to retrieve a token.

This will allow you to retrieve a refresh token and an access token. The access token can then be passed to the SDK via the https://github.com/sumup/sumup-android-sdk#5-transparent-authentication functionality, thereby removing the requirement to enter the SumUp merchant account credentials a second time.

Trust that helps.

James

meurig commented 5 years ago

@alaporterie here we are doing exactly this. The user only logs in once and then we "re-authenticate" him every time the access_token expires, using the refresh_token. It doesn't matter whether the access_token has been expired for 1 minute or 1 day, it will always be refreshed.

The docs say the refresh token expires after 6 months (by default), and that after it expires you need to go through the whole flow again, with the user reauthorising the app. Have you found this to be a problem? What do you do when the refresh token expires?

Many thanks,

Meurig

JullianSU commented 5 years ago

Hi Meurig,

Following our conversation via email, a new refresh_token has to be reissued. For that, the merchant has to give consent again for security purposes.

Many thanks,

semirturgay commented 4 years ago

Hi @Angus-Fisher, transparent authorization is also required for our app, so I made a call to

POST https://api.sumup.com/token with the body { grant_type: "password", client_id: "%YOUR_CLIENT_ID%", username: "%YOUR_USERNAME%", password: "%YOUR_PASSWORD%" }

and obtained an access_token, but when I do: SumUpLogin.builder(affiliateKey).accessToken(accessToken).build();

I get the invalid token error. I don't understand why it is not working for me.

JullianSU commented 4 years ago

Hi @semirturgay,

Thank you for taking the time to contact us. Could you please share your client_id or Merchant ID at integration@sumup.com.

Many thanks,

semirturgay commented 4 years ago

@JullianSU sent. thanks 👍

pimvdmolen commented 4 years ago

@semirturgay Did you manage to solve the problem after you sent the email to SumUp? I've got the exact same issue and have sent multiple emails, but they haven't come up with a solution yet.

ghost commented 3 years ago

@semirturgay Did you manage to solve the problem after you sent the email to SumUp? I've got the exact same issue and have sent multiple emails, but they haven't come up with a solution yet.

How did you solve this? Thanks.