Alipay+ Docs

Unbind the user account

Alipay+ allows a user to unbind their account in either of the following two ways:

  • Unbind the account from the merchant side.
  • Initiate the account unbinding process from the Mobile Payment Provider (MPP) side.
    • If the merchant allows the user to unbind his/her account from the MPP side, the user can complete the account unbinding process at the MPP side.
    • Otherwise, the user is guided to the merchant side to complete account unbinding.

Note: AlipayCN allows users to unbind accounts from the MPP side directly, without consulting the merchant. After an account unbinding, Alipay+ uses the authNotify API to notify the ACQP of the unbinding.

Account unbinding is implemented by revoking the access token that is related to the specified authorization record. Once the access token is deactivated at the MPP side, the merchant cannot use the access token for any further interactions.

This topic shows how an Acquiring Service Provider (ACQP) uses the Alipay+ APIs to process account unbinding with each of the two methods.

Unbinding from the merchant side

To unbind the account from the merchant side, the ACQP needs to take the following steps:

Workflow

The following figure illustrates the account unbinding workflow that is initiated from the merchant side:

UnbindFromMerchant.png

Figure 1. Workflow of account unbinding from the merchant side

The account unbinding workflow contains the following steps:

  1. A user initiates the account unbinding process from the merchant side. (Step 1)
  2. The merchant initiates an account unbinding request to the ACQP. (Step 2)
  3. The ACQP calls the cancelToken API to revoke the specified access token. (Step 3)
  4. Alipay+ interacts with the MPP to deactivate the access token, and returns the processing result. (Step 4-6)
  5. Alipay+ calls the authNotify API to notify the ACQP of the token cancelation result. The ACQP acknowledges the notification and syncs the same information with the merchant. (Step 7-8)
  6. The merchant processes the unbinding logic and displays the unbinding result.

Step 1: Use cancelToken to revoke the access token

After receiving the account unbinding request from the merchant, the ACQP needs to call the Alipay+ cancelToken API to revoke the specified access token.

Processing logic

  • The following list provides the key information that the ACQP needs to take into consideration when configuring the request parameters of the cancelToken API:
    • accessToken: specifies the access token that is to be revoked. The ACQP needs to retrieve the specified access token from the account unbinding request sent by the merchant.
    • authClientId: specifies the unique identifier for the auth client. Normally it refers to the merchant.
  • If the value of the result.resultStatus parameter is S, the authorization of the user account is successfully revoked, which means the access token cannot be used to access the user's resources, and the related refresh token cannot be used to retrieve a new access token.
  • In addition, when either of the following two result codes is returned, the revocation of the access token can be conditionally regarded as a success:
    • INVALID_TOKEN: when this result code is returned, the ACQP needs to check whether the access token is indeed valid and was obtained from Alipay+. If so, the revocation of the access token can be regarded as a success.
    • EXPIRED_ACCESS_TOKEN: when this result code is returned, the revocation of the access token can be regarded as a success.

Sample

The ACQP sends a cancelToken request to Alipay+.

{
  "authClientId":"123456",
  "accessToken":"asdfghjklasdfghjklasdfghjkl"
}

Alipay+ returns a response to the ACQP.

{
  "acquirerId":"123456",
  "pspId":"123456",
  "result": {
        "resultCode": "SUCCESS",
        "resultMessage": "Success",
        "resultStatus": "S"
    }
}

For more information about how to send the cancelToken request and handle the response, see cancelToken.
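The processing logic above, as an added Python example (not code from Alipay+): it decides whether the ACQP may treat a cancelToken response as a completed revocation. The store of token fingerprints recorded at binding time and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac


def token_fingerprint(access_token: str) -> str:
    """SHA-256 fingerprint, so the raw token need not be stored or logged."""
    return hashlib.sha256(access_token.encode("utf-8")).hexdigest()


def was_issued_by_alipay_plus(access_token: str, issued_fingerprints: set) -> bool:
    """Compare against fingerprints the ACQP recorded at binding time (assumed store)."""
    candidate = token_fingerprint(access_token)
    return any(hmac.compare_digest(candidate, fp) for fp in issued_fingerprints)


def revocation_succeeded(response: dict, access_token: str,
                         issued_fingerprints: set) -> bool:
    """Apply the page's rules to one cancelToken response."""
    result = response.get("result")
    if not isinstance(result, dict):
        return False  # malformed response: keep the binding until confirmed
    if result.get("resultStatus") == "S":
        return True
    code = result.get("resultCode")
    if code == "EXPIRED_ACCESS_TOKEN":
        return True
    if code == "INVALID_TOKEN":
        # Conditional success: only if this token really was issued to us.
        # A token we never recorded must not unbind anything locally.
        return was_issued_by_alipay_plus(access_token, issued_fingerprints)
    return False


if __name__ == "__main__":
    # Constructed sample data, reusing the token from the sample request.
    token = "asdfghjklasdfghjklasdfghjkl"
    store = {token_fingerprint(token)}
    invalid = {"result": {"resultCode": "INVALID_TOKEN"}}
    print(revocation_succeeded(invalid, token, store))
    print(revocation_succeeded(invalid, "token-never-issued", store))
```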

Step 2: Process the authorization notification

After the access token is revoked, Alipay+ calls the authNotify API to send the authorization notification to the ACQP, which then notifies the merchant of the same information.

For more information about how to handle the authNotify request and return a response, see Receive authorization notification.

Unbinding from the MPP side

To unbind the account from the MPP side, the ACQP needs to take the following steps:

Workflow

The following figure illustrates the account unbinding workflow that is initiated from the MPP side:

unbindingConsult.png

Figure 2. Workflow of account unbinding from the wallet side

The account unbinding workflow contains the following steps:

  1. A user initiates the account unbinding process by clicking an existing authorization record in the Alipay+ supported wallet, which then initiates an unbinding consultation request to Alipay+. (Step 1-2)
  2. Alipay+ consults with the ACQP about whether the merchant allows the access token to be revoked from the MPP side by calling the consultUnbinding API and returns the unbinding consultation result to the MPP. (Step 3-8)
  3. After receiving the unbinding consultation result, the MPP proceeds with the account unbinding process.
    • If the merchant does not allow the access token to be revoked from the MPP side, the user is guided to the merchant side to initiate the unbinding process.
    • If the merchant allows the access token to be revoked from the MPP side, the MPP deactivates the access token in the wallet and sends a notification to Alipay+ afterward. (Step 12)
  4. Once the access token is revoked at the MPP side, the ACQP receives the authorization notification from the MPP via Alipay+, acknowledges the notification, and notifies the merchant of the same information. (Step 15-18)

Note: AlipayCN allows users to unbind accounts from the MPP side directly, without consulting the merchant. After an account unbinding, Alipay+ uses the authNotify API to notify the ACQP of the unbinding.

Step 1: Consult about account unbinding

The ACQP needs to accept the request of the consultUnbinding API from Alipay+, collect the required information from the merchant, and then return whether the merchant allows the user account to be unbound from the MPP side.

Processing logic

  • The following list provides the key information that the ACQP needs to take into consideration when handling the request parameters of the consultUnbinding API:
    • authClientId: specifies the unique identifier for the auth client. Here it refers to the merchant.
    • accessToken: specifies the access token that is to be revoked, which is also the one that has been issued to the merchant during the account binding process.
  • The following list provides the key information that the ACQP needs to take into consideration when configuring the response parameters of the consultUnbinding API:
    • result: indicates the API call result. For example, if the consultUnbinding API call has been processed successfully, the result.resultStatus parameter is specified as S.
    • allowUnbinding: specifies a Boolean value that indicates whether the auth client (merchant) allows the access token to be revoked from the MPP side.
      • true: the merchant allows the access token to be revoked from the MPP side.
      • false: the merchant does not allow the access token to be revoked from the MPP side.
    • refuseReason: specifies the reason why the account unbinding is rejected.

Note: The merchant or the ACQP needs to evaluate the binding details in the system to decide whether the user account can be unbound from the MPP side. In the following cases, the user account cannot be unbound from the MPP side:

  • An unpaid transaction exists.
  • An ongoing transaction might need payment processing very soon.
  • Other factors exist that might cause further processing issues for the merchant or the ACQP if the user account were unbound.

Sample

Alipay+ sends a consultUnbinding request to the ACQP.

{
  "authClientId": "218882112121**",
  "referenceMerchantId": "218882112121**",
  "accessToken": "2810120412122ojsalksa***",
  "acquirerId":"10221880000000****",
  "pspId":"10220880000000****"
}

The ACQP sends a response to Alipay+.

{
  "result": {
    "resultCode": "SUCCESS",
    "resultMessage": "Success",
    "resultStatus": "S"
  },
  "allowUnbinding": false,
  "refuseReason": "User has unpaid order."
}

For more information about how to handle the consultUnbinding request and return a response, see consultUnbinding.
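One way an ACQP could build the consultUnbinding response from its own binding records, as an added Python example (not code from Alipay+). The Binding record, its fields, the function names and the policy of refusing an unknown token/merchant pair are assumptions made for the illustration.

```python
import hmac
import json
from dataclasses import dataclass


@dataclass
class Binding:
    """Hypothetical ACQP-side record created when the account was bound."""
    auth_client_id: str
    access_token: str
    unpaid_orders: int = 0          # unpaid transactions on this binding
    payment_due_soon: bool = False  # ongoing transaction about to need payment


def refusal_reason(request: dict, bindings: list):
    """Return None if unbinding from the MPP side is allowed, else the reason."""
    client = str(request.get("authClientId", ""))
    token = str(request.get("accessToken", ""))
    record = next(
        (b for b in bindings
         if b.auth_client_id == client
         and hmac.compare_digest(b.access_token.encode(), token.encode())),
        None,
    )
    if record is None:
        # Assumed policy: a token/merchant pair we never issued is refused.
        return "No matching authorization record."
    if record.unpaid_orders > 0:
        return "User has unpaid order."
    if record.payment_due_soon:
        return "An ongoing transaction needs payment soon."
    return None


def consult_unbinding_response(request: dict, bindings: list) -> str:
    """Serialize the consultUnbinding response body as JSON."""
    reason = refusal_reason(request, bindings)
    body = {
        "result": {"resultCode": "SUCCESS", "resultMessage": "Success",
                   "resultStatus": "S"},
        # allowUnbinding is described as a Boolean: emit a JSON boolean,
        # because a string such as "false" is truthy to many consumers.
        "allowUnbinding": reason is None,
    }
    if reason is not None:
        body["refuseReason"] = reason
    return json.dumps(body)
```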

Step 2: Process the authorization notification

If the merchant allows the user account to be unbound from the MPP side, after the access token is revoked at the wallet side, Alipay+ calls the authNotify API to send the authorization notification to the ACQP, which then notifies the merchant of the same information.

Note: AlipayCN allows users to unbind accounts from the MPP side directly, without consulting the merchant. After an account unbinding, Alipay+ uses the authNotify API to notify the ACQP of the unbinding.

For more information about how to handle the authNotify request and return a response, see Receive authorization notification.