
I have a small issue right now where I am trying to integrate Google Wallet with my project, which has many users who will all have access to this gateway for accepting payments.

The only issue I cannot seem to overcome or figure out how to get around is: how am I supposed to know which seller's secret key to use for the encoded JWT I receive from the postback?

Since I obviously cannot access the data inside the JWT without decoding it first?

Thanks to anyone who can help me brainstorm about trying to work around this.

------UPDATE------ By the looks of what I have here, could I use the success or failure callback handlers to associate my users with the encoded JWT, then compare the JWT to a database and call the corresponding user's data to decode the JWT?

Sam Buckingham

1 Answer


You can use either

  • aud
  • sellerData

from Google's postback and obtain the Seller Id...

So something like:

  1. Base64url decode JWT to get the Seller Id from either aud or sellerData
  2. do your lookup for stored seller secret
  3. verify the JWT

Hth....

EdSF
  • The postback is simply the JWT, still encoded, so that would not work; you have to get the success handler from the jQuery to post an id to a URL to be able to pull the data required from the database and decode the JWT to be able to access the data. After digging through the post data I noticed this. – Sam Buckingham May 07 '14 at 17:34
  • @SamBuckingham I'm probably missing something in your question...you need to (aren't you?) verify the JWT postback before it gets to your (client side) handlers. – EdSF May 07 '14 at 18:05
  • No, you don't need to verify it on the client side; you verify it on the server side actually, but you use the client-side data to verify the server side. – Sam Buckingham May 07 '14 at 19:01
  • @SamBuckingham That's what I'm referring to - the _first_ verification happens _server side_ (the `postback` from Google). Depending on how this goes (server side), either your _success_ or _failure_ callbacks are called. The final step, which is an additional check/verification, then goes from client -> server (at which point you have a `Google Order Id`). Does this help/clarify? – EdSF May 07 '14 at 19:22
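The three-step procedure in the answer (peek at the unverified payload for the seller id, look up that seller's secret, then verify) written out as a worked example. This is added code, not code from the asker, the answerer, or Google's libraries. It assumes the postback is an HS256 JWT signed with the seller's secret (which is what "seller's secret key" in the question implies), and the claim layout of `SAMPLE_CLAIMS`, the `SECRET_STORE` dict standing in for the database, and the `make_token` stand-in for Google's signer are all constructed for the example. The important caveat is in `peek_seller_id`: the value read before verification is only a lookup key, and nothing else from that payload is trusted until `verify_hs256` has checked the signature under the secret the lookup returned.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Stand-in for Google's signer (constructed for this example). alg='none'
    emits an unsigned token so the verifier's rejection of it can be exercised."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return header + "." + payload + "."
    signing_input = (header + "." + payload).encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return header + "." + payload + "." + b64url_encode(sig)


def peek_seller_id(token: str) -> str:
    """Step 1: read the seller id out of the UNVERIFIED payload.

    The only thing this value may be used for is the secret lookup; the
    signature has not been checked yet, so nothing else here is trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    # 'aud' carries the seller id; fall back to sellerData if you echoed it there.
    seller_id = claims.get("aud") or claims.get("request", {}).get("sellerData")
    if not isinstance(seller_id, str) or not seller_id:
        raise ValueError("no seller id in aud or request.sellerData")
    return seller_id


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Step 3: check alg, signature (constant time) and expiry; return the
    payload only once it can be trusted."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # The token must not get to pick the algorithm: 'none' and algorithm
    # confusion attacks both start with trusting this field.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify under this seller's secret")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def handle_postback(token: str, secret_store: dict, now=None) -> dict:
    """Peek -> look up the seller secret -> verify. Returns trusted claims."""
    seller_id = peek_seller_id(token)
    secret = secret_store.get(seller_id)  # step 2: your database lookup
    if secret is None:
        raise ValueError("unknown seller id %r" % seller_id)
    return verify_hs256(token, secret, now)


# Constructed sample data (hypothetical seller ids and secrets, not real ones).
SECRET_STORE = {"seller-123": b"seller-123-secret", "seller-456": b"seller-456-secret"}
SAMPLE_CLAIMS = {
    "iss": "Google",
    "aud": "seller-123",
    "typ": "google/payments/inapp/item/v1/postback/buy",
    "iat": 1000,
    "exp": 4000,
    "request": {"name": "Piece of Cake", "price": "10.50",
                "currencyCode": "USD", "sellerData": "seller-123"},
    "response": {"orderId": "12345"},
}
SAMPLE_TOKEN = make_token(SAMPLE_CLAIMS, SECRET_STORE["seller-123"])

if __name__ == "__main__":
    order = handle_postback(SAMPLE_TOKEN, SECRET_STORE, now=2000)
    print("verified order", order["response"]["orderId"], "for", order["aud"])
```

The lookup key and the verification are deliberately separated: a token that names another seller's id in `aud` but is signed with a different secret fails at `verify_hs256`, a token with `alg: none` is rejected before any signature comparison, and a seller id not in the store is refused before any cryptography runs. Only the claims returned by `handle_postback` should be used to mark an order as paid; the client-side success handler can then send the order id back for the secondary check described in the comments.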