Thursday, 29 January 2015

Correct approach to secure the back-end service - OAuth



I'm developing an OAuth service (I think so; it might not be exactly the same) to open one of our back-end APIs to merchants.


Basically, users can purchase goods from a merchant's e-commerce website and use our payment gateway to make the payment.


We have a registration system for merchants and users, and we issue them an ID (a publicly available alphanumeric string).


My plan for the OAuth service:



1) First, the merchant sends the above-mentioned ID to our OAuth server.
2) Then the OAuth server sends a token, a refresh token and an expiry time as the response.
3) Then the merchant sends that token, together with other required information such as the amount, to the OAuth server again to open our payment gateway web interface.
4) The user uses that interface to provide his ID and PIN to confirm the transaction.
5) Then, from our OAuth server, we call our back-end RESTful service to do the actual transaction (the merchant account receives the money and the customer account is debited).
6) After completion of the transaction, we redirect the user back to the merchant's website.


*All communications are done over an HTTPS channel.


I'm in doubt about:



1) Whether my approach is correct to secure the above-given flow.
2) Do I really need tokens here, or is only the ID enough? If I only used the ID, what would I be missing here?
3) If so, is only the ID enough to obtain a token?
4) Is there any possibility that someone can cheat the process?


Expecting your advice on this.
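As an added illustration (not part of the post, and not the poster's code), the following Python sketch shows what step 2 of the flow and the token check in step 3 look like when the token is a signed, expiring credential that the OAuth server only mints after the merchant proves possession of a secret, rather than on the strength of the public ID alone. Everything specific here is constructed: the merchant ID, the per-merchant client secret, the server signing key, the in-memory refresh-token store and the HMAC-based token format are assumptions used to make the example run offline, not details from the post. The negative tests at the end (wrong secret, forged merchant ID, expired token, reused refresh token) show the checks a gateway would want a token scheme to pass before relying on it.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed merchant registry. The public ID follows the post's description;
# the client secret is an assumption the post does not mention.
MERCHANTS = {
    "MRCH7K2Q": {"secret": b"constructed-merchant-secret-do-not-reuse"},
}

# Constructed signing key, held only by the OAuth server. In production this
# would come from a secret store, never from source code.
SERVER_KEY = b"constructed-oauth-server-signing-key"

# Server-side store of outstanding refresh tokens (refresh token -> merchant id).
REFRESH_STORE = {}


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    """Inverse of _b64; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mint(merchant_id: str, now: int, ttl: int) -> dict:
    """Build an access token (payload.tag) and a fresh single-use refresh token."""
    claims = {"mid": merchant_id, "exp": now + ttl, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    refresh_token = secrets.token_urlsafe(32)
    REFRESH_STORE[refresh_token] = merchant_id
    return {
        "access_token": _b64(payload) + "." + _b64(tag),
        "refresh_token": refresh_token,
        "expires_in": ttl,
    }


def issue_token(merchant_id: str, client_secret: bytes, now=None, ttl: int = 600):
    """Step 2 of the post's flow. Unlike the post, the merchant must present a
    secret as well as its public ID; an unknown ID or wrong secret gets nothing."""
    now = int(time.time()) if now is None else int(now)
    merchant = MERCHANTS.get(merchant_id)
    if merchant is None or not hmac.compare_digest(merchant["secret"], client_secret):
        return None
    return _mint(merchant_id, now, ttl)


def refresh(refresh_token: str, now=None, ttl: int = 600):
    """Exchange a refresh token for a new access token. Single use: a second
    presentation of the same refresh token is rejected."""
    now = int(time.time()) if now is None else int(now)
    merchant_id = REFRESH_STORE.pop(refresh_token, None)
    if merchant_id is None:
        return None
    return _mint(merchant_id, now, ttl)


def verify_token(token: str, now=None):
    """Step 3 check on the OAuth server: constant-time signature comparison,
    then expiry. Returns the merchant id the token was issued to, or None."""
    now = int(time.time()) if now is None else int(now)
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except ValueError:  # wrong shape or undecodable base64
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("mid")


def forged_merchant_id(token: str, new_mid: str) -> str:
    """Negative test helper: rewrite the merchant id in a token's payload without
    the signing key. verify_token must reject the result because the tag no
    longer matches the payload."""
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["mid"] = new_mid
    return _b64(json.dumps(claims, separators=(",", ":")).encode()) + "." + tag_b64


if __name__ == "__main__":
    t = issue_token("MRCH7K2Q", b"constructed-merchant-secret-do-not-reuse")
    print("issued for:", verify_token(t["access_token"]))
    print("forged id accepted?", verify_token(forged_merchant_id(t["access_token"], "MRCH0000")))
```

The point of the example is the contrast with using the public ID directly: the ID is something anyone who has shopped at the merchant may know, so it identifies the merchant without authenticating it, whereas the signed token can only be produced by the server and only after the secret check, carries its own expiry, and fails closed on any byte changed in transit. A real deployment would use an established OAuth 2.0 library and token format (for example JWT) rather than a hand-rolled HMAC scheme, but the checks exercised here are the ones any such library performs.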




