AI-generated Key Takeaways
-
Authentication requests are encrypted and signed using PGP or JWE+JWS and then encoded using web-safe base64.
-
The JSON payload of an authentication request contains a required
requestIdand an optionalassociationId. -
The
requestIduniquely identifies the request while theassociationId, if present, links the Google account with the vendor's account for re-authentication purposes. -
If
associationIdis provided, the Payment Integrator must ensure the authenticated account is linked to it or return a failure.
Object sent during authentication request.
Here's an example of a clear text JSON request:
{"requestId": "375dhjf9-Uydd="}
The AuthenticationRequest is encrypted and signed using PGP or JWE+JWS. Further, this value is web-safe base64 encoded. This encoding is referred to below as Base64UrlEncode. In other words, the clear text JSON version of the AuthenticationRequest must be passed through the following functions:
Base64UrlEncode(
PGPSignAndEncrypt(
{"requestId": "375dhjf9-Uydd="}
)
)
or
Base64UrlEncode(
JWSignAndEncrypt(
{"requestId": "375dhjf9-Uydd="}
)
)
| JSON representation |
|---|
{ "requestId": string, "associationId": string, "paymentIntegratorAccountId": string } |
| Fields | |
|---|---|
requestId |
REQUIRED: Identifier for this request. |
associationId |
OPTIONAL: The ID that represents the association between a customer's Google Account and a customer's account with the vendor. If this authentication flow is being used to re-authenticate a user that has already gone through an Association flow, this field identifies the specific account with the vendor that the user must authenticate. This allows to ensure that the user does not (e.g.) accidentally authenticate using some other account. If this field is provided, the Payment Integrator must ensure that that the account being authenticated is tied to this |
paymentIntegratorAccountId |
OPTIONAL: This is the payment integrator account identifier that identifies contractual constraints around this transaction. |