oauth square-connect

Enabling OAuth support in Square Connect


I have an application that currently integrates into my merchant account using my access token. Early discussion with neighborhood merchants indicates some positive interest. I want to integrate OAuth support so that I can try to get traction with those merchants.

Though https://docs.connect.squareup.com/api/connect/v1/#navsection-oauth has information, I seek some additional clarification.

(i) "Access using https redirect-url is denied at Square Connect Authorize" has an answer: "By default the OAuth flow is disabled for applications which is why you are seeing the "Authorization not allowed" failure. If you wish to enable OAuth flow for your application then you need to contact Square." @SquareConnectSupport: I have sent an email to Developer@Square; please let me know what else I should do.

(ii) Here is how I think it will work - the OAuth integration (Please confirm)

  • User types in browser say "mysnow.com/square"
    • The Handler at "mysnow.com/square" allows the user to type in an ID; this ID is local to mysnow
    • Then the Handler at "mysnow.com/square" directs the merchant to https://connect.squareup.com/oauth2/authorize along with my application id, permissions and redirect url.
    • The handler then receives a notification code with AuthZ Code at the redirect URL previously provided.
    • Next the handler obtains the Access token (using the AuthZ code)
    • Finally, the handler saves the ID, the AuthZ code, the relevant Access Token and the date/time stamp (when the token was obtained) as a tuple in a safe data store.

(iii) Using the Access Token

  • When there is need to access merchant data of given ID, then use the ID to get the Access Token. Use this Access Token to manage the permitted data (based on permission)

  • Renew the access token periodically.

(iv) For testing purposes, do I create a few test/dummy merchants? Or do you have dummy merchant accounts that I can use for testing?


Solution

  • You can authorize up to ten merchants through the OAuth flow without approval from Square, which should be enough to get your integration running and tested. If you would like to make it more broadly available, you will need to contact Square about getting the app in the Square App Marketplace.

    That looks essentially correct. The best practice for OAuth is something like this:

    1. Merchant visits your landing page (e.g. mysnow.com/square) and clicks an action to start using your Square integration.
    2. Merchant's browser is redirected to the OAuth page (https://squareup.com/oauth2/authorize?client_id=YOUR_CLIENT_ID&scope=LIST_OF_OAUTH_SCOPES_YOU_NEED)
    3. Merchant authorizes your application to access their data and is redirected back to your site. In the URL is an authorization code.
    4. Your backend makes an API call to Square to exchange the authorization code for an access token. It then uses that access token to look up information about the merchant and pre-populate fields of your signup form (e.g. you can get name, email, etc.)
    5. With a partially populated signup form on your site, merchant is prompted to complete their registration with your service.

    There isn't really a way to create "dummy" merchants, but you can sign up for multiple merchant accounts with the same identity information, as long as you use a different email for each one. If you have Gmail, you can do "[email protected]" and the mail will be redirected to "[email protected]", so you don't need to create a bunch of email accounts to have unique email addresses.
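Steps 2 to 4 of the flow above, sketched as an added example (not code from the question, the answer, or Square). It binds each authorization request to the merchant's browser session with the standard OAuth 2.0 `state` parameter and rejects callbacks that do not match. Assumptions: the `session` dict stands in for your framework's server-side session, and the token URL and JSON field names should be confirmed against Square's documentation.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://connect.squareup.com/oauth2/authorize"  # URL from the question
TOKEN_URL = "https://connect.squareup.com/oauth2/token"  # assumption: confirm in Square's docs


def start_authorization(session, client_id, scopes):
    """Step 2: build the redirect URL and bind the request to this browser session."""
    state = secrets.token_urlsafe(32)  # unguessable value, stored server-side
    session["oauth_state"] = state
    query = urlencode({"client_id": client_id, "scope": " ".join(scopes), "state": state})
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Step 3: return the authorization code only for a callback this session started."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # pop: each state value is accepted once
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: callback was not started by this session")
    if "error" in params:
        raise PermissionError("authorization denied: " + params["error"][0])
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(client_id, client_secret, code):
    """Step 4: backend-only exchange; the application secret never reaches the browser."""
    # Assumption: field names as expected by Square's token endpoint; check the current docs.
    body = {"client_id": client_id, "client_secret": client_secret, "code": code}
    return TOKEN_URL, {"Content-Type": "application/json"}, json.dumps(body).encode()
```

The authorization code is exchanged once and then discarded here; the value worth protecting in the data store is the access token returned by the exchange.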