
PayPal PayFlow Pro with Transparent Redirect - User Authentication Failed Issues / Documentation


I'm having some difficulty integrating PayPal PayFlow Pro into my website, and finding current documentation for it.

There is a similar question here for PayFlow Link - https://stackoverflow.com/questions/15808604/result-1-respmsg-userauthenticationfailed-in-test-transaction-for-mastercard - but I wanted to go into the specifics.

I want to use the Transparent Redirect feature with the SILENTTRAN option so that:

  1. the credit card data is sent directly to the gateway (i.e. not through my server)
  2. the user is redirected back to a nominated page to confirm the transaction or error (response page).

I'm currently reading through this document: https://www.paypalobjects.com/webstatic/en_US/developer/docs/pdf/payflowgateway_guide.pdf

This is listed as Payflow Gateway Developer's Guide(PDF) on this page - https://developer.paypal.com/webapps/developer/docs/classic/products/payflow-gateway/ - so I'm assuming it is the current documentation.

According to page 28, the process should be:

  1. The customer clicks Buy to purchase merchandise on your website. [DONE]
  2. You request a secure token by passing a secure token ID to the Gateway server. In the request, you pass the name-value pair, SILENTTRAN=TRUE. This name-value pair prevents the hosted pages from displaying. [DONE]
  3. The Gateway server returns the secure token and your token ID to your website. [DONE]
  4. You display the credit card fields to the customer in a checkout page on your website. [DONE]
  5. The customer enters their credit card number, expiration date, and other sensitive data into the credit card fields and clicks Submit. [DONE] The browser posts the payment data directly to the Gateway server, avoiding your website and easing your PCI compliance requirements. [PROBLEMS HERE]

Below is an example of a secure token request for the transparent redirect. I've used placeholder in place of my actual live PayFlow Pro account details (this account states 'Payflow SDK/API (Full Access) Live' in the manager.paypal.com Service Summary), but I used my real PayPal credentials in the actual request. Likewise I used publicly accessible pages for my return URLs:

    USER=MYUSER&VENDOR=MYUSER&PARTNER=VSA&PWD=MYPASSWORD&BILLTOFIRSTNAME=John&BILLTOLASTNAME=Doe&BILLTOSTREET=123 Fake Street&BILLTOSTREET2=&BILLTOCITY=Sydney&BILLTOZIP=2000&BILLTOPHONENUM=5555555555&[email protected]&BILLTOSTATE=NSW&AMT=0.05&RETURNURL=http://www.example.com&CANCELURL=http://www.example.com&ERRORURL=http://www.example.com&TRXTYPE=A&SILENTTRAN=TRUE&VERBOSITY=HIGH&CREATESECURETOKEN=Y&TENDER=C&SECURETOKENID=VDUOBDNLSXTLYAAAAAATLSEBLAAAAAAAAAA

I perform the token transaction using server-side code, and I can see that I'm getting a response back like so:

    RESULT=0&SECURETOKEN=TOKENWASHEREsdsdfjkj&SECURETOKENID=VDUOBDNLSXTLYAAAAAATLSEBLAAAAAAAAAA&RESPMSG=Approved

So it seems like the account authenticates correctly here. I have confirmed in Fiddler that I am posting this request to https://payflowpro.paypal.com.

I then take that response and put this into a HTML form which posts back to the gateway, e.g.:

    <form id="form" action="https://payflowpro.paypal.com" method="post">
        <!-- <input name="MODE" class="inpPPField" id="hdn_pp_mode" type="hidden" value="Test"> -->
        <input name="SECURETOKEN" class="inpPPField" id="hdn_pp_securetoken" type="hidden" value="TOKENWASHEREsdsdfjkj">
        <input name="SECURETOKENID" class="inpPPField" id="hdn_pp_securetokenid" type="hidden" value="VDUOBDNLSXTLYAAAAAATLSEBLAAAAAAAAAA">
        <input name="CARDNUM" class="inpPPField" id="hdn_pp_CardNum" type="hidden" value="4111111111111111">
        <input name="EXPMONTH" class="inpPPField" id="hdn_pp_expMonth" type="hidden" value="11">
        <input name="EXPYEAR" class="inpPPField" id="hdn_pp_expYear" type="hidden" value="16">
        <input name="CVV2" class="inpPPField" id="hdn_pp_cvv2" type="hidden" value="123">
        <!-- <input name="SILENTTRANS" class="inpPPField" id="hdn_pp_silenttrans" type="hidden" value="Y"> -->
        <input name="VERBOSITY" class="inpPPField" id="hdn_pp_verbosity" type="hidden" value="HIGH">
        <input class="inpPPField" type="submit" value="Submit" />
    </form>

Please note that I used the same token ID and token as what was returned in the token response - these are placeholders. I also used an actual credit card number and other credit-card field values.

This is posting me to https://payflowpro.paypal.com, which just states the response (in the body of the page):

    RESULT=1&RESPMSG=User authentication failed

Shouldn't this be returning me to my error page? Or is it failing earlier in the process so that the gateway never even tries to interpret the token and redirect? I've tried setting my return URLs to live website URLs, and it doesn't seem to be making a difference. I've also tried posting this from a publicly accessible web-server rather than localhost, but the result is the same.

One other problem I'm having is finding relevant documentation. There is a 'Payflow Service Testing' document here: https://ppmts.custhelp.com/app/answers/detail/a_id/456/kw/payflow%20pro%20transparent%20redirect%20error%20page%20get%20codes

This page is dated 2007, and the link under the Testing using Payflow Pro heading (i.e. The guide is available at x.com) is broken. The guide is a little vague, and the only examples of code I've found are in PHP (see https://go.developer.ebay.com/developers/community/blogs/pp_integrations_nate/payflow-transparent-redirect). I have rewritten the logic in the example as an ASP.Net application.

In summary, my questions are:

  1. Am I using the correct logic to process a credit card transaction?
  2. If not, can someone point out where I am going wrong, and where I can find the most relevant and current documentation?
  3. Link(s) to the most current test procedure documents.

My next idea is to try setting up and using a test account using these instructions: https://ppmts.custhelp.com/app/answers/detail/a_id/929/ Obviously this is for hosted PayFlow pages, but I suspect the procedure should be similar as long as I specify the SILENTTRAN option. I tried unsuccessfully to get the test account working earlier in the week, but it seems like the next logical thing to try at this point.

I have already opened a support ticket with PayPal engineers and they are looking into this, but it would be great to know if anyone in the community has managed to resolve a similar issue.

EDIT: according to a PayPal engineer I just spoke to, the SILENTTRANS value is only required in the secure token request. I have commented this out in the transaction request form above, but this did not solve the issue. We also confirmed that it is possible to do a non-secure-token (i.e. non-transparent-redirect) request to https://pilot-payflowpro.paypal.com/ using my account details.

EDIT 2: I have been instructed by PayPal to use https://payflowlink.paypal.com/ (not https://payflowpro.paypal.com) for the transaction post URL, but to continue using https://payflowpro.paypal.com for the token request. This does allow me to get through to my confirmation page using a transparent redirect (which is a great outcome), but it doesn't make a lot of sense to me that I'm using the 'payflowlink' rather than the 'payflowpro' gateway. I also found this tutorial which seems to support this https://go.developer.ebay.com/developers/community/blogs/ppintegrationsnate/new-payflow-gateway-tutorial

Can anyone using the PayFlow Pro Transparent Redirect product please confirm whether this is correct?


Solution

  • If you're going to use any feature related to the hosted checkout page you'll need to redirect to https://payflowlink.paypal.com or https://pilot-payflowlink.paypal.com

    The Payflow Pro URLs are specifically for API calls and they aren't something you should be redirecting buyers through.

    Your account also needs to be the correct type to be able to use the hosted checkout feature. You can check what options are available to your account by logging in and checking the right side to see what products are enabled on your account.

    Documentation for transparent redirect is sparse. X.com had a few posts on it but those articles haven't been moved somewhere else yet.
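The two-host split the answer describes (token request to the Pro API host, browser form post to the Link host) is easy to get wrong, so here is a small added helper in Python that is not part of the question, the answer or PayPal's own SDK. It builds the server-side secure token request, checks the RESULT/RESPMSG response before trusting a token, and renders the browser form so that only the token pair reaches the client and the merchant credentials never do. The host names come from the thread above; the `NAME[len]=value` length-tag form for values containing `&` or `=` follows the Payflow gateway guide; the sample responses in the code are constructed for the demonstration.

```python
"""Payflow secure-token + transparent-redirect helpers (added example, not PayPal code)."""
from html import escape

# Hosts named in the thread: the Pro host is the API endpoint used for the
# server-side token request, the Link host is where the browser form posts.
API_HOSTS = {
    "live": "https://payflowpro.paypal.com",
    "test": "https://pilot-payflowpro.paypal.com",
}
REDIRECT_HOSTS = {
    "live": "https://payflowlink.paypal.com",
    "test": "https://pilot-payflowlink.paypal.com",
}


class PayflowError(Exception):
    """Raised when the gateway reports a non-zero RESULT."""


def encode_nvp(pairs):
    """Serialise an ordered mapping into Payflow name-value-pair format.
    Payflow does not use percent-encoding; a value that itself contains '&' or '='
    is sent with a length tag, NAME[len]=value, so the gateway can split it safely."""
    parts = []
    for name, value in pairs.items():
        value = str(value)
        if "&" in value or "=" in value:
            parts.append(f"{name}[{len(value)}]={value}")
        else:
            parts.append(f"{name}={value}")
    return "&".join(parts)


def build_secure_token_request(creds, order, token_id, env="live"):
    """Return (url, body) for the server-side CREATESECURETOKEN call.
    `creds` holds USER/VENDOR/PARTNER/PWD and stays on the server; `order`
    holds AMT, RETURNURL, CANCELURL, ERRORURL and any BILLTO* fields."""
    pairs = dict(creds)
    pairs.update({
        "TRXTYPE": "A",            # authorisation, as in the question
        "TENDER": "C",             # credit card
        "CREATESECURETOKEN": "Y",
        "SILENTTRAN": "TRUE",      # suppress the hosted page; only needed here, per the thread
        "SECURETOKENID": token_id,  # merchant-generated, unique per transaction
        "VERBOSITY": "HIGH",
    })
    pairs.update(order)
    return API_HOSTS[env], encode_nvp(pairs)


def parse_nvp_response(body):
    """Split a gateway response such as 'RESULT=0&SECURETOKEN=...&RESPMSG=Approved'."""
    result = {}
    for part in body.split("&"):
        if part:
            name, _, value = part.partition("=")
            result[name] = value
    return result


def token_from_response(body):
    """Return (SECURETOKEN, SECURETOKENID) only if the gateway approved the request.
    A RESULT other than 0 (e.g. 'RESULT=1&RESPMSG=User authentication failed')
    means there is no usable token and the checkout page must not be rendered."""
    fields = parse_nvp_response(body)
    if fields.get("RESULT") != "0":
        raise PayflowError(f"RESULT={fields.get('RESULT')} RESPMSG={fields.get('RESPMSG')}")
    return fields["SECURETOKEN"], fields["SECURETOKENID"]


def render_redirect_form(token, token_id, env="live"):
    """Render the checkout form. Only the token pair is embedded; the customer types
    the card fields and the browser posts them straight to the Link host, so neither
    card data nor merchant credentials pass through the merchant's server."""
    action = REDIRECT_HOSTS[env]
    return (
        f'<form action="{action}" method="post">\n'
        f'  <input type="hidden" name="SECURETOKEN" value="{escape(token, quote=True)}">\n'
        f'  <input type="hidden" name="SECURETOKENID" value="{escape(token_id, quote=True)}">\n'
        '  <input type="text" name="CARDNUM" autocomplete="cc-number">\n'
        '  <input type="text" name="EXPDATE" autocomplete="cc-exp" placeholder="MMYY">\n'
        '  <input type="text" name="CVV2" autocomplete="cc-csc">\n'
        '  <input type="submit" value="Pay">\n'
        "</form>\n"
    )


if __name__ == "__main__":
    creds = {"USER": "MYUSER", "VENDOR": "MYUSER", "PARTNER": "VSA", "PWD": "MYPASSWORD"}
    order = {"AMT": "0.05", "BILLTOSTREET": "1 Foo & Bar St",
             "RETURNURL": "https://www.example.com/return",
             "CANCELURL": "https://www.example.com/cancel",
             "ERRORURL": "https://www.example.com/error"}
    url, body = build_secure_token_request(creds, order, "TOKENID0001", env="test")
    print(url, body, sep="\n")
    # Constructed sample response; a real one comes back from the HTTPS POST.
    tok, tid = token_from_response("RESULT=0&SECURETOKEN=TOKENWASHERE&SECURETOKENID=TOKENID0001&RESPMSG=Approved")
    print(render_redirect_form(tok, tid, env="test"))
```

The check in `token_from_response` is the step the question skipped: a form rendered around a token that the gateway never issued (or around an approved token posted to the wrong host) produces exactly the bare `RESULT=1&RESPMSG=User authentication failed` page seen above instead of a redirect to ERRORURL.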