I make a WordPress e-commerce plugin. I want to add a Square payments option but take an application fee for the free users as a way to monetize the plugin. As such, my code is not on my own website but on the website owner’s site. As such, I do not want to include my own access token for connecting to the API in the code as a result.
I am not clear on how to make this all work. Do I ask the website owner to type in their Application ID and Access Token and connect via the website owner’s own account? If so, how does this translate back to my account for any application fees?
You’ll want to use OAuth to connect to other sellers’ accounts. Once the seller has authorized your application you’ll get a token and a refresh_token that your application will use to take action on the seller’s behalf.
I have the OAuth stuff working using the code flow. It only returns a “code”. I assume that is the “token” you are referring to? It does not return a “refresh_token” when I use the code flow for OAuth - do I need to take more steps?
When I connect to the API, it sounds like I just use this returned “code” or “token” and that will allow the API to know that payments go into this customer’s account and the app fees go into mine?
Great, that token is what’s used in the ObtainToken call. The response of that call will have the token you’ll use to make API calls and the refresh_token.
I see that API requests require an Application ID and Application Secret - so my users will need to manually copy/paste that info into settings? There isn’t a way to automatically get that info from the OAuth? Trying to reduce the amount of info a user has to manually look up for less confusion.
No, you’ll use your application ID and Application Secret. The sellers won’t need to provide you with any credentials with the OAuth flow. They’ll only be authorizing your app.
I’m trying to learn how to interact with the Square API from the WooCommerce Square plugin. Nowhere in their code do they make an ObtainTokenRequest so I am still trying to understand how with an OAuth connection alone you can get enough information to do everything that is needed like list locations and create payments. I do see that they make use of refresh_tokens but I am still not clear on how these work.
I am making a distributed WordPress plugin, I don’t think I want to include my own App ID and App Secret. The WooCommerce Square API does not have this information either.
Okay, then this isn’t going to be possible if it’s with the WooCommerce integration with Square. They OAuth the seller when they sign up. Getting access to credentials from their application isn’t possible. You’ll have to build a custom integration to collect app_fee_money.
For further clarity, I am not building on top of the WooCommerce Square plugin. I am making a wholly separate Square integration for a wholly separate e-commerce plugin. I am simply using their plugin as direction/inspiration for my code.
My OAuth sends people from their own WordPress admin to my website at www.sunshinephotocart.com, builds the OAuth URL, gets the response with “code”, forwards them back to their own WordPress website admin - just like the WooCommerce plugin does.
This is as far as I have got. I am trying to set up the same thing the WooCommerce Square plugin does which somehow at this point saves some encrypted token (I am not clear on what token it actually is from) and is able to make connections to the API to list locations or create payments. The difference I can see is that they do not use an application fee so I am not sure if I have to do things differently as a result.
You pointed out that the “code” is then used for an ObtainTokenRequest but this requires an Application ID and Secret. Nowhere in the WooCommerce Square plugin does it make this request - how are they able to get around this? Is there a way to OAuth so you don’t need these two values?
I just realized they are making the ObtainTokenRequest on their own connect.woocommerce.com site instead of within the plugin and passing those back. I bet they are using their own app ID and secret here. Starting to all click.
That’s correct, they OAuth every seller to their application. It’s not possible to get any of the tokens to take additional actions on the seller’s account.
I might be confused here, but one option here might be to use the PKCE OAuth flow to avoid either (1) needing to include the app secret in your new plugin, or (2) needing to write your own proxy site, e.g. connect.woocommerce.com. Assuming you’re starting your OAuth flow from the plugin, that is? PKCE is the goat. Check out the forum post which has some great details missing from the doco.
The PKCE flow made absolutely no sense to me so I didn’t bother with it. The “code_challenge” made no sense on what it is, how you get it or make it, or what you ultimately do with it that makes this process different. So I stuck to the Code Flow.
I do start from within the user’s own WordPress website on my plugin settings page. Setting up my own proxy site is fine as I already do that for my Stripe connection integration as well.
I just read this post - OAuth now supports PKCE - and I think how the “code_challenge” works makes sense more now, but I already built it all yesterday with the code flow and it works.
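As an added illustration of the code_verifier / code_challenge mechanics discussed above (not code from any post here or from Square), this is how a plugin running on the seller's own server would build the authorize URL and the later ObtainToken body without ever holding the application secret. The Square endpoint URLs and parameter names are assumptions from the public OAuth docs; the app ID, scopes and redirect URI are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed Square OAuth endpoints; confirm against the current Square docs.
AUTHORIZE_URL = "https://connect.squareup.com/oauth2/authorize"
TOKEN_URL = "https://connect.squareup.com/oauth2/token"


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636: 43-128 unreserved characters. base64url of 32 random
    # bytes (padding stripped) is exactly 43 characters.
    raw = secrets.token_bytes(n_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    # S256 method: base64url(SHA-256(verifier)) with no '=' padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(app_id: str, scopes: list, state: str, challenge: str) -> str:
    # Only the challenge leaves the plugin; the verifier stays stored
    # server-side (e.g. a WordPress transient keyed to the admin session).
    params = {
        "client_id": app_id,            # public application ID, not the secret
        "scope": " ".join(scopes),
        "state": state,                 # checked on return to stop CSRF
        "code_challenge": challenge,
        "session": "false",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def build_obtain_token_body(app_id: str, code: str, verifier: str, redirect_uri: str) -> dict:
    # The verifier replaces client_secret: Square hashes it and compares it
    # to the challenge sent at authorize time, proving the same client
    # started and finished the flow. Response carries access_token and
    # refresh_token, as described earlier in the thread.
    return {
        "client_id": app_id,
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": verifier,
        "redirect_uri": redirect_uri,
    }


def callback_state_ok(stored_state: str, returned_state: str) -> bool:
    # Constant-time comparison of the state echoed back on the redirect.
    return secrets.compare_digest(stored_state, returned_state)
```

The plugin's own redirect handler should reject the callback when callback_state_ok returns False, and should discard the verifier once the ObtainToken exchange has completed.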
Wanted to provide some clarity here. Both OAuth flows won’t work in this case. The ability to gain access to take actions on behalf of a seller’s account through an application that is not your own is not possible. Sellers will need to authorize your specific application through OAuth for you to take action on their Square account.