Shop Pay Wallet authorization
Shop Pay Wallet uses an OAuth 2.0-compliant flow to authenticate the user and obtain their authorization, and the authorization code grant to obtain an access_token.
The Shop Pay Wallet API supports only confidential applications. A confidential application is usually a web server application that can hold a client secret. Credentials must be stored in a secure way without exposing them to unauthorized parties.
PKCE extension
OAuth 2.0 clients using the authorization code grant can use the Proof Key for Code Exchange (PKCE) extension for OAuth, RFC 7636, to add an additional layer of security.
The PKCE extension works as follows:
At the start of the authorization flow, the client picks a code verifier value. This can be any value.
During the authorization request, the client provides the authorization server with a code challenge derived from the code verifier. The code challenge must be derived with SHA-256 (the S256 method).
During the access token request, the client provides the authorization server with the code verifier.
The authorization server verifies that the code challenge matches the code verifier before issuing an access token.
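The four steps above, worked through in Python as an added example that is not part of the Shop Pay documentation: the client derives the S256 challenge from a random verifier, and the authorization server recomputes it from the verifier presented at the token request. Parameter names are the standard ones from RFC 6749 and RFC 7636; no Shop Pay endpoint URL is assumed.

```python
import base64
import hashlib
import secrets
import string

# Unreserved characters permitted in a code_verifier (RFC 7636, section 4.1).
_UNRESERVED = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length: int = 64) -> str:
    """Step 1 (client): pick a random code_verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters long")
    return "".join(secrets.choice(_UNRESERVED) for _ in range(length))


def code_challenge_s256(code_verifier: str) -> str:
    """Step 2 (client): code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_request_params(client_id: str, redirect_uri: str, state: str, code_challenge: str) -> dict:
    """Step 2 (client): query parameters sent with the authorization request."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }


def verify_code_challenge(code_verifier: str, stored_challenge: str, method: str = "S256") -> bool:
    """Steps 3-4 (server): check the verifier from the token request against the stored challenge."""
    if method != "S256":
        return False  # only the SHA-256 method is accepted, never "plain"
    if not 43 <= len(code_verifier) <= 128 or any(c not in _UNRESERVED for c in code_verifier):
        return False  # malformed verifier, reject before hashing
    expected = code_challenge_s256(code_verifier)
    return secrets.compare_digest(expected, stored_challenge)  # constant-time comparison


if __name__ == "__main__":
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    print(authorization_request_params("client-id-placeholder", "https://example.invalid/cb", "state1", challenge))
    print("token request accepted:", verify_code_challenge(verifier, challenge))
```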
Environment and variables
RFC 8252 section 8.12 explains the requirement for having an authentication-specific webview for OAuth inside native apps. Using this webview provides added security guarantees from the OS, and can provide a simpler login experience by reusing Shop Pay credentials obtained from the web.
We recommend that you use the AppAuth library (https://appauth.io/) hosted in the OpenID GitHub organization. It provides audited implementations for iOS and Android. If you do not want to use this library, then you must implement authorization using the most secure frameworks available.
Apple's current API for authentication is ASWebAuthenticationSession. It has been supported since iOS 12 (2018). The previous version of this API was SFAuthenticationSession.
Android Custom Tabs is the best API provided by Android for creating authentication webviews. The header can optionally be themed, and we suggest using the Shop Pay primary color #5a31f4 with white text.
Desktop and mobile web
For desktop or mobile web, we recommend that you use a browser pop-up to handle the authorization flow. The client can control the lifetime of the pop-up and dismiss it after it has obtained the authorization code.