Hello. I am working on the integration of Square into my web application, consuming Square's OAuth. I have never used OAuth 2.0 and I don't know how to get back the web app's user ID or email from the callback endpoint, as at that moment the user enters from outside (from Square's auth screen). This is not the same as fetching the user's (seller's) account email, which could differ from the email the user registered in my application. I would like to know if and how I can do something like including a custom parameter (say, the user's email as a query parameter) in Square's authorization endpoint (https://connect.squareup.com/oauth2/authorize) so that the parameter gets included by Square in the callback URL which redirects to my application.
I think I may be missing something obvious, but I have never implemented OAuth, as I said. Thank you in advance.
PS: my web app is in Rails and I am using Square's Ruby SDK.
With OAuth you won't get back any seller email from the callback. Instead you'll use the returned tokens to make API calls to our API to get the seller data. If you want the seller's email you'll call the Team API's SearchTeamMember and look for is_owner equal to true.
Thank you Bryan. The thing is, in theory, I don't want to bind authentication to Square's OAuth as SSO (I mean, in my application we decided to only use internal authentication with bare email and password, and maybe they have set up Square with another email account; the seller's email could mismatch with the internal user email in my application). At any given point, the user could choose to integrate with Square using OAuth.
I have seen some websites launch a "popup" window with the OAuth flow, and when completed, the window closes and the parent one refreshes, properly granting authorization from the external service. This would be perfect, since the parent window knows which user is authenticated and once the child window returns successfully, it can bind Square's OAuth token with the "internal" user in my app. So:
- Is this "popup" method reasonable? Is it good practice?
- Given this context, what would you recommend to avoid the scenario in which the user registered their account in our application with an email that differs from their email registered at Square?
If this is the approach you'd like to take, you can definitely do so. If the Square email differs from the one they used to sign up on your application, you'll need to manage the different emails in your database.
Okay Bryan, thanks for your time
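Added example, not from the thread, Square's documentation or the Square Ruby SDK: the standard OAuth 2.0 way to carry "which internal user started this" through the authorize/callback round trip. OAuth 2.0 defines a `state` parameter that the authorization server must return unchanged on the redirect URI; the example assumes Square's authorize endpoint honours it as the spec requires. The app does not put the user's email or ID into `state` (it would be forgeable); it stores an unguessable nonce plus the internal user ID server-side in the session, sends only the nonce, and on callback verifies the nonce before binding the tokens to that user. Because the callback request comes from the same browser, it carries the same session cookie whether the flow ran in the main window or in a popup. The session and link store are plain Hashes standing in for the Rails session and your database; the `client_id`, `scope` value and the token-exchange block are hypothetical (in the real app the block would call the SDK's token endpoint), and the constant-time comparison is written out so the script has no dependencies beyond the standard library.

```ruby
require "securerandom"
require "uri"

# Square's public authorize endpoint (the one named in the question).
AUTHORIZE_URL = "https://connect.squareup.com/oauth2/authorize"

# Raised when the callback cannot be tied to a pending authorization.
class StateError < StandardError; end

# Step 1: build the URL the user is sent to (main window or popup).
# `session` stands in for the Rails session; `user_id` is the *internal*
# user who is logged in right now and clicked "connect Square".
def build_authorize_url(session:, user_id:, client_id:, scope:)
  state = SecureRandom.urlsafe_base64(32) # 256-bit nonce, never reused
  session[:square_oauth] = { state: state, user_id: user_id }
  params = { client_id: client_id, scope: scope, state: state }
  "#{AUTHORIZE_URL}?#{URI.encode_www_form(params)}"
end

# Constant-time string equality so a mismatch does not leak how many
# leading bytes matched. Lengths are compared first (length is not secret).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 2: handle the redirect back from Square.
# `params` is the query hash Square appended to the redirect URI
# (either code+state, or error+state). The block trades the code for
# tokens (hypothetical stand-in for the SDK call) and returns a Hash.
# On success the tokens are bound to the internal user that started the
# flow, regardless of which email the seller uses at Square.
def handle_callback(session:, params:, link_store:)
  # Consume the pending record first so a replayed callback fails even if
  # the rest of the method raises.
  pending = session.delete(:square_oauth)
  raise StateError, "no pending Square authorization in this session" unless pending

  # User declined, or Square reported a problem: nothing to bind.
  raise StateError, "authorization denied: #{params['error']}" if params["error"]

  # Reject anything that was not started from this browser session.
  unless secure_equal?(params["state"].to_s, pending[:state])
    raise StateError, "state mismatch (possible CSRF / login CSRF)"
  end

  tokens = yield(params["code"])
  link_store[pending[:user_id]] = tokens # keyed by internal user ID, not by email
  pending[:user_id]
end
```

Usage: call `build_authorize_url` from the controller action behind the "Connect Square" button and redirect (or `window.open`) to it; point the callback route at `handle_callback` and, inside the block, perform the real token exchange with the SDK. For the popup variant the callback view only needs to close itself and let the opener reload, since the binding already happened server-side against the session's user. Email mismatch between your app and Square stops mattering because the link is keyed by your user ID; the seller's email becomes just another field you fetch with the stored token, as Bryan described.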