Introduction to OAuth 2.0 Integration
OAuth 2.0 enables your Cybersource merchants to securely grant your web-application permission to perform actions on their behalf, such as accessing their customer data and processing transactions. As a technology partner, you can integrate OAuth 2.0 into your web-application through Cybersource. When your integration is complete, Cybersource authenticates merchants for you, ensuring that your web-application only performs actions authorized by the merchants. This authentication method securely connects your web-application to the merchant account without the need to receive or store sensitive merchant credentials in your system. This guide explains how to set up and enable OAuth 2.0 for your web-application.
IMPORTANT
OAuth integration through Cybersource is in the pilot phase. To join the pilot program, and to know which API requests are OAuth-enabled, contact Cybersource support.

How to Implement OAuth 2.0
This overview describes the steps that you and the merchant must complete to implement OAuth.
1. You enable mutual authentication by obtaining a Certificate Signing Request (CSR) from a supported certificate authority (CA). After obtaining a CSR, you provide your common name details to Cybersource. For more information, see Enable Mutual Authentication.
2. You register your web-application in the Business Center. You set a scope of permissions and a redirect URL to your web-application. For more information, see Register Your Application.
3. The merchant visits your web-application, provides their credentials, and clicks a button or link to complete the permission process.
4. Your application redirects the merchant to a Cybersource-hosted webpage. For more information, see Register Your Application.
5. The merchant logs in to the Business Center and grants your web-application permission to access their merchant account based on the scope you set previously. Notify the merchant that their account must have access to grant OAuth permissions to complete this requirement.
6. Cybersource redirects the merchant to your application using the redirect URL you registered. An authorization code is appended to the redirect URL. For more information, see Interpreting the Redirect Response.
7. Your application exchanges the authorization code with Cybersource for these two tokens:
   - Access token: A token to authenticate transactions using Cybersource. For more information about how to authenticate Cybersource transactions using this token, see Submit API Requests Using OAuth.
   - Refresh token: A token that you can use to request additional access tokens.
   For more information about requesting tokens, see Request the Access and Refresh Tokens. For more information about refreshing your existing tokens, see Refresh the Access Token and Refresh the Refresh Token.
To change the permissions the merchant grants you, you must repeat steps 2–7.
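The partner-side half of this flow (sending the merchant to the hosted page, validating the redirect back, and preparing the code exchange) is shown here as an added Python example; it is not code from Cybersource or its sample application. The endpoint URLs, client ID, scope value, session dictionary and the `state` parameter are assumptions: the parameter names are the generic OAuth 2.0 authorization code grant names from RFC 6749, so confirm the actual names in the linked reference pages.

```python
import secrets
from hmac import compare_digest
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed placeholders: the page gives no endpoint, client ID or parameter names.
# Parameter names below are the generic RFC 6749 ones.
AUTHORIZE_URL = "https://auth.example.invalid/oauth2/authorize"
REDIRECT_URL = "https://partner.example.invalid/oauth/callback"
CLIENT_ID = "PLACEHOLDER_CLIENT_ID"


def build_authorize_redirect(session: dict, scope: str) -> str:
    """Build the URL that sends the merchant to the hosted permission page."""
    # A fresh random state ties the eventual callback to this browser session.
    session["oauth_state"] = secrets.token_urlsafe(32)
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URL, "scope": scope,
                       "state": session["oauth_state"]})
    return f"{AUTHORIZE_URL}?{query}"


def handle_redirect(session: dict, callback_url: str) -> dict:
    """Validate the redirect back and return the token-request form fields."""
    got, want = urlsplit(callback_url), urlsplit(REDIRECT_URL)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect URL")
    params = parse_qs(got.query)
    # Pop the state so it is single-use: a replayed callback fails below.
    expected = session.pop("oauth_state", None)
    received = params.get("state", [""])[0]
    if not expected or not compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: forged or replayed callback")
    if "error" in params:
        raise ValueError(f"merchant did not grant access: {params['error'][0]}")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return {"grant_type": "authorization_code", "code": codes[0],
            "redirect_uri": REDIRECT_URL, "client_id": CLIENT_ID}


if __name__ == "__main__":
    session = {}  # constructed stand-in for a server-side session store
    print(build_authorize_redirect(session, "placeholder_scope"))
    callback = f"{REDIRECT_URL}?code=CONSTRUCTED_CODE&state={session['oauth_state']}"
    print(handle_redirect(session, callback))
```

The returned fields are what the application would POST to the token endpoint; the authorization code and the resulting tokens should be kept out of logs and URLs the browser can see.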
You can view examples of these steps in the demo application. You can also view the code for the sample application.
You must obtain test merchant credentials to emulate the access delegation. Your test account must contain at least one card-based transaction from within the past 7 days.
To test your own application, you can use the certificate that is available with the Cybersource sample application code on GitHub.