AI-generated Key Takeaways

- Authentication requests are encrypted and signed using PGP or JWE+JWS and then encoded using web-safe base64.
- The JSON payload of an authentication request contains a required `requestId` and an optional `associationId`.
- The `requestId` uniquely identifies the request while the `associationId`, if present, links the Google account with the vendor's account for re-authentication purposes.
- If `associationId` is provided, the Payment Integrator must ensure the authenticated account is linked to it or return a failure.

Object sent during authentication request.

Here's an example of a clear text JSON request:

```
{"requestId": "375dhjf9-Uydd="}
```

The `AuthenticationRequest` is encrypted and signed using PGP or JWE+JWS. Further, this value is web-safe base64 encoded. This encoding is referred to below as `Base64UrlEncode`. In other words, the clear text JSON version of the `AuthenticationRequest` must be passed through the following functions:

```
Base64UrlEncode(
  PGPSignAndEncrypt(
    {"requestId": "375dhjf9-Uydd="}
  )
)
```

or

```
Base64UrlEncode(
  JWSignAndEncrypt(
    {"requestId": "375dhjf9-Uydd="}
  )
)
```

| JSON representation |
|---|
| `{ "requestId": string, "associationId": string }` |

| Fields | |
|---|---|
| `requestId` | REQUIRED: Identifier for this request. |
| `associationId` | OPTIONAL: The ID that represents the association between a customer's Google Account and a customer's account with the vendor. If this authentication flow is being used to re-authenticate a user that has already gone through an Association flow, this field identifies the specific account with the vendor that the user must authenticate. This ensures that the user does not (e.g.) accidentally authenticate using some other account. If this field is provided, the Payment Integrator must ensure that the account being authenticated is tied to this |
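
The receiving side of the encoding and field rules above, as an added example (not code from this documentation or from Google). `decrypt_and_verify` is a hypothetical callable standing in for whichever PGP or JWE+JWS library the integrator uses, and `AuthRequestError`, `parse_authentication_request` and `account_matches_request` are illustrative names.

```python
import base64
import binascii
import hmac
import json
import re

_WEBSAFE_B64 = re.compile(r"[A-Za-z0-9_-]+={0,2}")

class AuthRequestError(ValueError):
    """The authentication request is malformed and must be rejected."""

def base64url_decode(value: str) -> bytes:
    # Reject characters outside the web-safe alphabet instead of letting the
    # decoder silently drop them; tolerate senders that omit '=' padding.
    if not _WEBSAFE_B64.fullmatch(value):
        raise AuthRequestError("not web-safe base64")
    stripped = value.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        return base64.b64decode(padded, altchars=b"-_", validate=True)
    except binascii.Error as exc:
        raise AuthRequestError("malformed base64") from exc

def parse_authentication_request(encoded: str, decrypt_and_verify) -> dict:
    # decrypt_and_verify (assumption): bytes -> clear-text bytes, raising if
    # decryption or signature verification fails.
    clear = decrypt_and_verify(base64url_decode(encoded))
    try:
        payload = json.loads(clear)
    except ValueError as exc:  # covers bad JSON and bad UTF-8
        raise AuthRequestError("payload is not JSON") from exc
    if not isinstance(payload, dict):
        raise AuthRequestError("payload is not a JSON object")
    request_id = payload.get("requestId")
    if not isinstance(request_id, str) or not request_id:
        raise AuthRequestError("requestId is required")
    association_id = payload.get("associationId")
    if association_id is not None and not isinstance(association_id, str):
        raise AuthRequestError("associationId must be a string")
    return {"requestId": request_id, "associationId": association_id}

def account_matches_request(request: dict, account_association_id) -> bool:
    # False means the account the user authenticated with is not the one the
    # request named, so the integrator returns a failure.
    expected = request["associationId"]
    if expected is None:
        return True  # no association to enforce
    if account_association_id is None:
        return False
    return hmac.compare_digest(expected.encode(), account_association_id.encode())
```
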