This repository has been archived by the owner on Dec 8, 2023. It is now read-only.

Update checklist to include where to send it (#284)
rebekaburnett authored Nov 9, 2023
1 parent 72e07fd commit 4c5ca8f
Showing 1 changed file with 20 additions and 13 deletions.
33 changes: 20 additions & 13 deletions login-api-checklist.md
Expand Up @@ -24,24 +24,31 @@ Integrate the [API endpoints](https://developer.vippsmobilepay.com/api/login/#ta
| The OAuth 2.0 token endpoint | [`POST:/access-management-1.0/access/oauth2/token`](https://developer.vippsmobilepay.com/api/login/#tag/Login-API/operation/oauth2Token) |
| JSON Web Keys Discovery | [`GET:/access-management-1.0/access/.well-known/jwks.json`](https://developer.vippsmobilepay.com/api/login/#tag/Login-API/operation/wellKnown) |

When the checklist is completed, notify Vipps MobilePay Integration Service
at [developer@vippsmobilepay.com](mailto:developer@vippsmobilepay.com).
Include examples from the test environment, pilot customer info, and a description of the implemented solution.

We will verify the integration and contact you.
After the checklist is approved, we'll send you the information you need to get started.

## Integration considerations

| Action | Comment |
|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Use correct flow | Native app integrations use the [app-to-app flow](api-guide/overview.md#app-to-app-flow). [Merchant initiated login](api-guide/overview.md#merchant-initiated-login) must *not* be used for web-based login. |
| Do not use embedded iFrames | Integration with the Login API is redirect-based (i.e., do not use an embedded iFrame). |
| Set company name and logo | The sales unit name appears on the Vipps MobilePay landing page. Both the name and logo appear in the Vipps or MobilePay app under *Personal information* > *Companies with access*. See [how to change name and logo](login-api-faq.md#how-can-i-change-my-name-and-logo). |
| Action | Comment |
|--------|---------|
| Use correct flow | Native app integrations use the [app-to-app flow](api-guide/overview.md#app-to-app-flow). [Merchant initiated login](api-guide/overview.md#merchant-initiated-login) must *not* be used for web-based login. |
| Do not use embedded iFrames | Integration with the Login API is redirect-based (i.e., do not use an embedded iFrame). |
| Set company name and logo | The sales unit name appears on the Vipps MobilePay landing page. Both the name and logo appear in the Vipps or MobilePay app under *Personal information* > *Companies with access*. See [how to change name and logo](login-api-faq.md#how-can-i-change-my-name-and-logo). |
| Whitelist redirect URIs | Ensure that all `redirect_uri`s for your integration have been added to the merchant portal white list. See the [FAQ](login-api-faq.md#how-can-i-activate-and-set-up-vipps-login) for how to do this. Ensure that all URLs use `HTTPS` or native URL schemes (i.e., `vipps://`), not `HTTP`. ALL URLs must match the exact URI sent on `/auth` request. No query parameters or additional trailing `/` can be included. |
| Use only required scopes | Request only the scopes that you require, no "nice to have" scopes. If using national identity number, you must be granted access to request these scopes. See [FAQ](login-api-faq.md#who-can-get-access-to-nin-and-how) for details. |
| Use only required scopes | Request only the scopes that you require, no "nice to have" scopes. If using national identity number, you must be granted access to request these scopes. See [FAQ](login-api-faq.md#who-can-get-access-to-nin-and-how) for details. |
| Comply with our terms and conditions | If you, as a merchant, will act on behalf of others (share data you have gotten from us with other merchants), ensure that you comply with our terms and conditions to do this. This is shown in section 8.4 in our [terms and conditions for merchants](api-guide/overview.md#vipps-login-from-phone-number). |
| Present terms and conditions | Terms and conditions are presented to the user, and the necessary consents are collected from the user (i.e., consent to marketing purposes, etc.). |
| Present terms and conditions | Terms and conditions are presented to the user, and the necessary consents are collected from the user (i.e., consent to marketing purposes, etc.). |

## Security

| Action | Comment |
|--------|---------|
| Generate a `state` parameter | Ensure that a unique [`state` parameter](login-api-faq.md#whats-the-purpose-of-the-state-parameter) is generated for each `/auth` request. |
| Do not share `client_secret` | Ensure that the `client_secret` is kept secret and is never be shared to browsers or native apps. |
| Generate a `state` parameter | Ensure that a unique [`state` parameter](login-api-faq.md#whats-the-purpose-of-the-state-parameter) is generated for each `/auth` request. |
| Do not share `client_secret` | Ensure that the `client_secret` is kept secret and is never be shared to browsers or native apps. |

## Quality assurance

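Review bot: The new submission paragraph at the top of this hunk asks integrators to email "examples from the test environment" but does not say what must be left out, while the Security table later in the same hunk requires that the `client_secret` is never shared. Suggest adding a sentence to that paragraph stating that the `client_secret`, tokens and end-user personal data must be redacted from anything sent to developer@vippsmobilepay.com. Since the `client_secret` row is rewritten here anyway, its wording "is never be shared to browsers" could be corrected to "is never shared with browsers" in the same change.
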
Expand All @@ -54,7 +61,7 @@ Integrate the [API endpoints](https://developer.vippsmobilepay.com/api/login/#ta

## Avoid integration pitfalls

| Action | Comment |
|--------|-----------|
| Follow design guidelines| The branding must be according to the [Design guidelines](https://developer.vippsmobilepay.com/docs/design-guidelines).|
| Educate customer support| Make sure your customer service, etc. has all the tools and information they need available in *your* system, through the APIs listed in the first item in this checklist, and that they do not need to visit [portal.vipps.no](https://portal.vipps.no) for normal work.|
| Action | Comment |
|--------------------------|-----------|
| Follow design guidelines | The branding must be according to the [Design guidelines](https://developer.vippsmobilepay.com/docs/design-guidelines).|
| Educate customer support | Make sure your customer service, etc. has all the tools and information they need available in *your* system, through the APIs listed in the first item in this checklist, and that they do not need to visit [portal.vipps.no](https://portal.vipps.no) for normal work.|

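Review bot: Table formatting is inconsistent with the first hunk: the separator row here is widened to `|--------------------------|-----------|` to pad the Action column, whereas the tables rewritten under "Integration considerations" and "Security" were collapsed to the unpadded `|--------|---------|`. Pick one convention for the whole file, and add the missing space before the closing `|` in the two Comment cells (`...design-guidelines).|`) so the rows match the other tables.
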