Adyen: How do I verify the iDEAL payload in my callback method when a user is redirected back from iDEAL to my web application?

I am trying to integrate Adyen with iDEAL as a payment method in a web application I am building. When the user selects iDEAL as the preferred payment method, they are redirected to the iDEAL environment to complete the payment process. I provide a redirect URL to which the user is redirected after he/she completes or cancels the payment. The callback method is called with the following parameters:

string payload, 
string type, 
PaymentResultResponse.ResultCodeEnum resultCode

The Adyen documentation states that I need to verify the incoming payload, which is an HMAC signature.

https://docs.adyen.com/payment-methods/ideal#integrate-with-api (step 4)

When the shopper has completed the payment they return back to your website or app using the returnUrl you provided when you made the /payments request. This URL is appended with a payload query parameter which you will use to verify the payment result. If any other parameters are appended, ignore them.

I cannot seem to find the data used to construct this payload, so I do not know how to generate the expected signature to check the incoming payload against.

Just received a reply from Adyen support:

Anonymous (Adyen Support) Aug 20, 11:48 CEST
Hi Jop,

When the shopper returns to your website after an iDEAL payment, the payload is appended to the result URL.

You will then need to verify the payload that you received in a /payment/details call (Step 6). In the response you will receive the result of the transaction. In addition we can send you an asynchronous notification with the result of the payment (in case the shopper already closed their browser before the redirect takes place).

There is no need to verify the payload with an HMAC key. Let me know if you have more questions.

Kind regards,

Anonymous

Technical Support Engineer

To make the steps clearer for anyone who finds this later:

Handling the redirect

You redirect your user to the Adyen endpoint returned in the /payments response. Once the shopper completes the payment, they are redirected back to the returnUrl specified in the original /payments request.

They are sent to that URL with three query parameters: payload, resultCode and type.

  • payload is an encrypted blob of the payment result object. You make another call to decrypt this blob and read the payment result for this redirect.
  • resultCode is the result of the payment at that moment. There is no verification on this redirect, so you should not base any business logic on this value; use the payload or the result notification instead.
  • type is a deprecated field. It is no longer used and can be ignored.

Example return URL (the payload is abbreviated for example purposes):

https://example-site.com/handleRedirect?payload=AAd24...f511%3D%3D&type=complete&resultCode=authorised

Verifying the redirect

Submit the payload to /payments/details to decrypt the payload blob and obtain the payment result as of the time of the redirect. The /payments/details call does not query the current payment status; it tells you the result contained in the payload.

This step is required because the redirect happens in the client's space and you always have to account for malicious third parties. A user can manipulate resultCode in the query parameters, but the payload object cannot be tampered with without causing an error.

Include the paymentData returned in the initial /payments call:

curl https://checkout-test.adyen.com/v49/payments/details \
-H "x-API-key: YOUR_X-API-KEY" \
-H "content-type: application/json" \
-d '{
  "paymentData": "Ab00!B...QABAgAuj", //abbreviated for example purposes.
  "details":{
    "payload":"AAd24...f511=="
  }
}'

The response gives you the payment result at the time of the redirect:

{
  "resultCode":"AUTHORISED",
  "pspReference":"888239265347586D",
  ... //Other payment result data
}

Sometimes iDEAL does not immediately result in AUTHORISED but in a PENDING state. This means the payment result is not yet known, and you have to wait for the notification to learn the final outcome of the payment.
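As an added example (not code from the question, the Adyen docs or Adyen support), here is a Python redirect handler that applies the steps above: it reads only payload from the return URL, posts it together with the stored paymentData to /payments/details, and acts on the decrypted resultCode rather than on the query string. The API key, the fake transport and its payload table are constructed for this example, and it is assumed that the merchant stored paymentData per shopper session after the /payments call.

```python
import json
import urllib.request
from urllib.parse import parse_qs, urlparse

# Endpoint and request shape are the ones shown in the curl example above.
DETAILS_URL = "https://checkout-test.adyen.com/v49/payments/details"


def payload_from_return_url(return_url):
    """Take only payload from the return URL: resultCode is unverified and type
    is deprecated, so neither is read, and any other parameters are ignored."""
    values = parse_qs(urlparse(return_url).query).get("payload", [])
    if len(values) != 1:
        raise ValueError("return URL must carry exactly one payload parameter")
    return values[0]  # parse_qs already URL-decodes, e.g. %3D%3D -> ==


def post_details(api_key, body):
    """Real transport: POST the JSON body to /payments/details."""
    req = urllib.request.Request(
        DETAILS_URL, data=json.dumps(body).encode(),
        headers={"x-API-key": api_key, "content-type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def handle_redirect(return_url, payment_data, api_key, transport=post_details):
    """payment_data is the paymentData from the /payments response, which the
    merchant must have stored server-side for this session (storage not shown).
    Returns (state, pspReference), state being 'authorised', 'pending' or 'failed'."""
    body = {"paymentData": payment_data,
            "details": {"payload": payload_from_return_url(return_url)}}
    result = transport(api_key, body)
    code = str(result.get("resultCode", "")).upper()
    psp = result.get("pspReference")
    if code == "AUTHORISED":
        return "authorised", psp  # safe to act on the payment
    if code == "PENDING":
        return "pending", psp     # outcome arrives later via the notification
    return "failed", psp          # refused, cancelled, error, ...


# Constructed stand-in for Adyen that "decrypts" known payload blobs: the outcome
# depends only on the blob, never on the resultCode in the redirect query string.
FAKE_DECRYPTED = {
    "AAd24...f511==": {"resultCode": "AUTHORISED", "pspReference": "888239265347586D"},
    "CONSTRUCTED_CANCELLED_BLOB": {"resultCode": "Cancelled", "pspReference": "PSP_CANCELLED"},
}


def fake_transport(api_key, body):
    return FAKE_DECRYPTED[body["details"]["payload"]]
```

Passing fake_transport shows that a return URL whose resultCode says authorised still ends up as failed when the payload decrypts to a cancelled payment.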