I’m looking for some good documentation/examples on how to temporarily pass control to an external web application and have the host application receive a response. I’m implementing the external web application half of this communication.
Perhaps the best way to explain this question is through examples:
- StackExchange sends a user to Google to log in
- An online store sends a user to PayPal to process payments
In both these cases, the host application sends the user to an external site to perform some task (login or payment), and the external site passes a response back.
I’m currently writing a web application that would be the external web application in these examples. I could come up with a design myself, but I’m wondering if there are established patterns or technologies that can be used.
My next step is to bite the bullet and RTFM (both PayPal and OpenID) to see how they implement it, but if anyone can point me in the right direction before then, I’d appreciate it.
Some other quick notes:
- The design should be as secure as possible. Ideally both the host and external app will have a means of authenticating each other as well as the end user.
- The design cannot rely on JavaScript and cannot involve iframes, as there are strict accessibility requirements.
I don’t know if you will find it detailed enough, and in any case, if you implement something related to financial transactions, you should take extra care.
Assume, for example, that some company which sells some goods online, say books, on its site A (webapp A), wishes to implement payments using an external payment site B (which is a webapp B run by some banking company).
The user fills a form with details of the books he wants to buy, and submits it. He is then redirected to an HTTPS page of A where he is notified that he ordered “Extreme programming” and “Agile programming” for 40$ total and asked whether he confirms the purchase. The user presses the “yes” button, thus submitting to A the request Req1.
At this point, the webapp A contacts webapp B (this is Business to Business communication, no browsers involved!) via SSL (if in Java, use httpclient), and tells it: I want to redirect to your site a user who wishes to pay me 40$. B answers: OK, here is a request id Id1 (something like R543E32pU878..). Now A, still in response to the confirmation of the user (Req1), sends a redirect to the user’s browser to the external payment site B with this Id1 inside the redirect. B then shows the user (via HTTPS) the data of the purchase and asks him to enter his personal and credit card details. The user enters them and presses “proceed”, thus submitting the request Req2. B contacts (again, no browsers involved) the VISA/bank servers (via SSL), and, in case of success, gets a transaction id Id2.
Now, B contacts A (SSL, no browsers involved) and notifies it that the transaction was successful and communicates to A the transaction id, getting a confirmation from A that it got the message. Finally, B responds to the user request Req2 (remember, the user is still waiting for a response to the submit of his personal and credit card details) with a redirect to the site A which includes the request id Id1. A then sends a page to the user where the user is notified that the transaction was successful and optionally visualizes the transaction id Id2, just in case.
I did not try to find out if there are some industry standards for such interactions; as far as I know different banking institutions implement such interactions in ways which are not totally identical.
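The flow in this answer, written out as an added example (it is not code from the answer or from any real payment provider). Both sites are modelled as Python classes in one process, the server-to-server (B2B) calls as direct method calls, and the mutual authentication that the question asks for as an API key that B checks on A's request for an Id1 plus an HMAC over B's notification that A checks; the names, URLs, key values and the `run_flow` driver are all assumptions made for the example. The point it shows is that A marks the order paid only on B's authenticated server-side notification, never on the user coming back with an Id1 in the URL, and that B accepts each Id1 once.

```python
from __future__ import annotations
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed values for the example; in practice these are provisioned out of band.
MERCHANT_API_KEY = "A-api-key-constructed"       # B authenticates A with this
NOTIFY_SECRET = b"shared-notification-secret"    # A authenticates B's notification with this


def sign_notification(id1: str, id2: str, amount: int) -> str:
    """HMAC over the notification fields so A can verify it really came from B."""
    msg = f"{id1}|{id2}|{amount}".encode()
    return hmac.new(NOTIFY_SECRET, msg, hashlib.sha256).hexdigest()


@dataclass
class Order:
    amount: int
    status: str = "pending"          # pending -> redirected -> paid
    transaction_id: str | None = None


class PaymentSiteB:
    """Webapp B: hands out Id1, collects card details, notifies A server-side."""

    def __init__(self):
        self.requests: dict[str, dict] = {}   # Id1 -> {"amount": int, "used": bool}
        self.merchant: MerchantSiteA | None = None

    def create_payment_request(self, api_key: str, amount: int) -> str:
        # B2B call from A (no browser). Authenticate A before issuing an Id1.
        if not hmac.compare_digest(api_key, MERCHANT_API_KEY):
            raise PermissionError("unknown merchant")
        id1 = secrets.token_urlsafe(16)        # unguessable request id
        self.requests[id1] = {"amount": amount, "used": False}
        return id1

    def payment_page(self, id1: str) -> int:
        # The user, redirected by A, lands here; B shows the purchase data for Id1.
        return self.requests[id1]["amount"]    # KeyError for an unknown Id1

    def submit_card_details(self, id1: str, card_approved: bool) -> str:
        # Req2: the user submits card details. Each Id1 may be used only once.
        req = self.requests[id1]
        if req["used"]:
            raise ValueError("payment request already used")
        req["used"] = True
        if not card_approved:                  # stand-in for the bank declining
            return f"https://shop-a.example/return?req={id1}&result=declined"
        id2 = "TX-" + secrets.token_hex(8)     # stand-in for the bank's Id2
        # B2B: notify A first, signed, and wait for its acknowledgement ...
        sig = sign_notification(id1, id2, req["amount"])
        if self.merchant.payment_notification(id1, id2, req["amount"], sig) != "OK":
            raise RuntimeError("merchant did not acknowledge")
        # ... and only then answer Req2 with the redirect back to A.
        return f"https://shop-a.example/return?req={id1}"


class MerchantSiteA:
    """Webapp A: the shop. Trusts B's server-side notification, never the browser."""

    def __init__(self, bank: PaymentSiteB):
        self.bank = bank
        self.orders: dict[str, Order] = {}
        self.pending: dict[str, str] = {}     # Id1 -> order id

    def confirm_purchase(self, order_id: str) -> str:
        # Req1: the user confirmed. Obtain Id1 from B, then redirect the user to B.
        order = self.orders[order_id]
        id1 = self.bank.create_payment_request(MERCHANT_API_KEY, order.amount)
        self.pending[id1] = order_id
        order.status = "redirected"
        return f"https://pay-b.example/pay?req={id1}"

    def payment_notification(self, id1: str, id2: str, amount: int, signature: str) -> str:
        # B2B call from B. Check the signature, a known pending Id1 and the amount.
        if not hmac.compare_digest(signature, sign_notification(id1, id2, amount)):
            return "REJECT"
        order = self.orders.get(self.pending.get(id1, ""))
        if order is None or order.status != "redirected" or order.amount != amount:
            return "REJECT"
        order.status, order.transaction_id = "paid", id2
        return "OK"

    def return_page(self, id1: str) -> str:
        # The user comes back with Id1 in the URL. That alone proves nothing;
        # the order counts as paid only if B's notification was accepted.
        order = self.orders.get(self.pending.get(id1, ""))
        if order is not None and order.status == "paid":
            return f"Payment received, transaction {order.transaction_id}"
        return "Payment not confirmed"


def run_flow(card_approved: bool = True) -> tuple[str, str]:
    """Drive one purchase end to end; returns (page shown to the user, order status)."""
    bank = PaymentSiteB()
    shop = MerchantSiteA(bank)
    bank.merchant = shop
    shop.orders["order-1"] = Order(amount=40)            # the two books, 40$
    id1 = shop.confirm_purchase("order-1").split("req=")[1]   # Req1 -> redirect with Id1
    assert bank.payment_page(id1) == 40                   # B shows the purchase data
    back_to_a = bank.submit_card_details(id1, card_approved)  # Req2 -> redirect to A
    return shop.return_page(back_to_a.split("req=")[1].split("&")[0]), shop.orders["order-1"].status


if __name__ == "__main__":
    print(run_flow(True))
    print(run_flow(False))
```

Running the approved flow ends with the order "paid" and a thank-you page carrying Id2; the declined flow sends the user back with the same Id1, but A still reports the payment as not confirmed because no notification arrived. A second submission of card details for an already used Id1 is refused by B, and a notification with a bad signature is answered with "REJECT" and leaves the order untouched.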