PayPal OpenId Connect沙盒元数据地址

Question

I'm trying to build a spike that uses Log In with PayPal in the sandbox. I'm using Microsoft.Owin.Security.OpenIdConnect based on this http://www.cloudidentity.com/blog/2014/07/24/protecting-an-asp-net-webforms-app-with-openid-connect-and-azure-ad/ for want of a better example.

public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {

                ClientId = "my test clientid",
                RedirectUri = "http://localhost:50625",
                Scope = "openid profile email address phone",
                Authority = "https://www.sandbox.paypal.com/signin/authorize",
                MetadataAddress = "https://www.paypalobjects.com/.well-known/openid-configuration"

            });

The problem is the MetadataAddress.

If I set the MetadataAddress to https://www.paypalobjects.com/.well-known/openid-configuration then the configuration is for live, and the authorisation URL I get sent to is

https://www.paypal.com/webapps/auth/protocol/openidconnect/v1/authorize?client_id=etc

which is not the sandbox and has never heard of my client id & throws an error. If I then press the back button, change the url to

https://www.sandbox.paypal.com/webapps/auth/protocol/openidconnect/v1/authorize?client_id=etc

then it works.

But if I set the MetadataAddress to

http://www.sandbox.paypal.com/.well-known/openid-configuration

in the first place then

1. I get an error "The request was aborted: Could not create SSL/TLS secure channel."
2. That file at sandbox.paypal.com has the same config as the live file anyway.

What is the correct url for the .well-known/openid-configuration for the Log In with PayPal sandbox?

Answer 1

I found the answer I needed by using Owin.Security.Providers.PayPal from

https://github.com/TerribleDev/OwinOAuthProviders

It doesn't seem to use the .well-known/openid-configuration, but has the following end-points in it.

    private const string AuthorizationEndPoint = "https://www.paypal.com/webapps/auth/protocol/openidconnect/v1/authorize";
    private const string TokenEndpoint = "https://api.paypal.com/v1/identity/openidconnect/tokenservice";
    private const string UserInfoEndpoint = "https://api.paypal.com/v1/identity/openidconnect/userinfo/?schema=openid";

    private const string SandboxAuthorizationEndPoint = "https://www.sandbox.paypal.com/webapps/auth/protocol/openidconnect/v1/authorize";
    private const string SandboxTokenEndpoint = "https://api.sandbox.paypal.com/v1/identity/openidconnect/tokenservice";
    private const string SandboxUserInfoEndpoint = "https://api.sandbox.paypal.com/v1/identity/openidconnect/userinfo/?schema=openid";

I eventually manged to get login working with my sandbox account.

Notes for anyone else attempting the same thing:

Firstly, it's necessary to set

System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;

at some point because of The request was aborted: Could not create SSL/TLS secure channel sandbox account

Secondly, the Return URL you configure in the App Settings in PayPal needs to be the WHOLE callback URL (not just the domain name) that's generated, and it doesn't actually tell you anywhere what that's going to be... the default is

http://localhost[:$port]/signin-paypal