Re: Payment Initiation - platform integration from Adrian Hope-Bailie on 2015-09-16 (public-webpayments@w3.org from September 2015)

From: Adrian Hope-Bailie <adrian@hopebailie.com>
Date: Wed, 16 Sep 2015 20:40:25 +0200
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: "public-webpayments-comments@w3.org" <public-webpayments-comments@w3.org>, Web Payments CG <public-webpayments@w3.org>
Message-ID: <CA+eFz_KvZHDnyJbaX=TSVf0iKk9VySr-v8VHogLTnQLc5Y7kfA@mail.gmail.com>

On 16 September 2015 at 17:29, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> On 2015-09-16 17:18, Adrian Hope-Bailie wrote:
> <snip>
>
>     The security model required by Web wallets won't permit payment
>> instrument
>>     enumeration so they have rather different characteristics compared to
>> any
>>     form of local wallet.
>>
>>
>> I'm not sure I understand this statement. I see no issue with a message
>>
> > object being POST'ed to a Web wallet's API endpoint?
>
> I guess you haven't tested my Wallet PoC?

I have but that is not a Web wallet by your definition IIRC?

> Anyway, a local wallet can without
> security issues enumerate payment instruments/cards since the user is
> assumed
> to be authenticated to the device.
>

I'm still unsure what you mean by "enumerate payment instruments"?

>
> There's no similar function for Web wallets today, you must be
> authenticated
> to see what's inside which makes them less interoperable with other
> wallets.
>
>
I disagree.

Here's one example of how this could work. I'm sure there will be other
suggestions

The payment initiation message contains information from the payee along
the lines of "these are the ways you can pay me and this is what you need
to pay". It is sent by the merchant website to the browser's payment API.

If the browser is configured to use a Web-wallet it can POST that message
to the Web-wallet API endpoint using whatever existing session
information/cookies etc exist for the origin of the Web-wallet API.

Let's assume that there is no existing session. The browser gets back a 403
(or whatever response we define as appropriate in the recommendation) with
the necessary information to open a new window (pop-up or otherwise) at the
appropriate URL to authenticate the user and complete the payment
initiation process. Upon completion the wallet is expected to call some
browser API with the payment initiation response that will be forwarded
back to the original calling website.

The recommended behavior for the browser is to close the wallet UI window
(effectively a dialogue) and return the user focus back to the merchant
website where the response is being returned and the flow continues under
the control of that website.

> Anders
>

Received on Wednesday, 16 September 2015 18:40:55 UTC