Overview
The purpose of the Authentication flow is to identify and authenticate the user to the Payment Integrator (integrator).
Authentication is an input to other methods. Particularly for associateAccount
. This means that the proof of authentication is used as an input (parameter) to those two methods.
Google can also use the authentication flow in standalone mode to verify a user. In this case it is not used as an input to any other flow, but only to verify that a user is able to authenticate this identity.
Keep in mind that when you are onboarding, Google will work with you to choose the authentication mechanism that will best fit your product.
How the flow works
User authentication is facilitated with web or Android app redirects.
Redirect authentication
A Google user who needs authentication may be redirected to the integrator's app or their website to have their identity verified. Here is a brief overview of the steps in this flow:
- Google redirects the user to the integrator's web or Android app where they can be authenticated.
- To authenticate, the authentication
requestId
(fromAuthenticationRequest
) is used as proof of authentication. - This results in a signed response, called the
AuthenticationResponse
. - Afterwards, the app or website redirects the user back to Google.
The redirect authentication uses an HTTP GET method, with parameters encoded in the URL for a web application. It uses an Android Intent for an Android application authentication. For more details on encoding, see Web Authentication, and for Android intent parameters, see Android Authentication.
The result from each of these authentication mechanisms is a signed response called the AuthenticationResponse
. This intent should include the encrypted, encoded Google Standard Payments Authentication Response (gspAuthenticationResponse
) to communicate a successful authentication. If used in standalone mode, the gspResult
and signature are used to determine the successful authentication.
The following sequence diagram shows the interaction between the user's browser, Google, and the integrator's web application:
Redirect-Web authentication flow
Here is a list of the objects and what they represent:
- User: This is the person who wants to add a payment method to their Google Account.
- Google UI: In this case, the web interface at Google, where the customer begins to setup a payment method.
- Google Server: The backend server at Google that does the authentication check, along with other authentication tasks.
- Payment Integrator Web: The website of the integrator where the user has an account.
For this authentication flow, we already assume the user is on Google's website (Google UI) and is trying to add a payment method. Here is where everything starts.
- The Google UI creates an authentication URL which is sent to the Google Server (backend). This is what triggers the authentication process.
- The Google Server creates an authentication request (
AuthenticationRequest
). - The authentication request sent to the Google UI.
- The user receives the prompt that they need to authenticate their ID with the integrator.
- The user responds that they want to authenticate, which sends that message to the integrator's website.
- The Payment Integrator's website asks for verification of the user's identity.
- The user provides proof of their identity, which is sent to the Payment Integrator's website.
- The integrator creates a response (
authenticationResponse
) to the evidence they were given (with theauthenticationResponse
encoded in the message). - This response URL is sent to the user.
- The response URL is immediately sent from the user to the Google UI.
- The Google UI sends the response the Google Server.
- The Google Server interprets the response as verified.
The next sequence diagram shows the interaction between the user's phone, Google, and the integrator's Android application:
Redirect-Android app authentication flow
Here are the objects and what they represent:
- User: This is the person who wants to add a payment method to their Google Account.
- Google UI: In this case, the app interface, where the customer begins to setup a payment method.
- Google Server: The backend server at Google that does the authentication check, along with other authentication tasks.
- Payment Integrator APK: The integrator's app where the user has access to their integrator account.
- Payment Integrator Server: The backend server of the integrator where the user's information is stored.
Since this is an authentication flow, we already assume the user is using an app (Google UI) and is trying to add a payment method. This is where initialization begins.
- The Google UI creates an authentication call which is sent to the Google Server (backend).
- The Google Server create an authentication request (
AuthenticationRequest
). - The Google Server sends a call APK to the Google UI (app), requesting authentication.
- The Google UI sends the user information to the Payment Integrator APK (
AUTHENTICATE_V1(authReq)
). - The Payment Integrator APK sends the request (
authReq
) to the Payment Integrator's server. - The Payment Integrator Server sends a challenge back to the Payment Integrator APK.
- The Payment Integrator APK sends the challenge back to the user.
- The user provides proof of their identity, which is sent to the Payment Integrator APK.
- This proof is then sent to the Payment Integrator Server.
- The Server creates a signed
authenticationResponse
. - The authentication response is successful, and an
authResp
message is sent to the Payment Integrator APK. - The success message (
authResp
) is sent to from the Payment Integrator APK to the Google UI. - The Google UI sends the response to the Google Server.
- The Google Server interprets the successful response.
Best practices and other considerations
Choice of platforms
Providing a mobile app and desktop web authentication flow will allow the integrator to reach the most users. Google strongly recommends that integrators support the Android application as it provides the best user experience resulting in the highest conversion rate. The parameters passed in the authentication APIs for the web and Android applications are the same.