Account unbinding

Alipay+ allows a user to unbind his/her account in the following two methods:

Unbind the account from the merchant side.
Initiate the account unbinding process from the Mobile Payment Provider (wallet) side.

If the merchant allows the user to unbind his/her account from the wallet side, the user can complete the account unbinding process at the wallet side.
Otherwise, the user is guided to the merchant side to complete account unbinding.

Note: AlipayCN allows users to unbind accounts from the wallet side directly, without consulting the merchant. After an account unbinding, Alipay+ uses the authNotify interface to notify the Acquiring Service Provider of the unbinding.

Account unbinding is implemented by revoking the access token that is related to the specified authorization record. Once the access token is deactivated at the wallet side, the merchant cannot use the access token for any further interactions.

This topic shows you how an Acquiring Service Provider uses the Alipay+ interfaces to process account unbinding in the two methods.

Unbinding from the merchant side

Workflow

The following figure illustrates the account unbinding workflow that is initiated from the merchant side:

Figure 1. Workflow of account unbinding from the merchant side

The account unbinding workflow contains the following steps:

A user initiates the account unbinding process from the merchant side. (Step 1)
The merchant initiates an account unbinding request to the Acquiring Service Provider. (Step 2)
The Acquiring Service Provider calls the cancelToken interface to revoke the specified access token. (Step 3).
Alipay+ interacts with the Mobile Payment Provider to deactivate the access token, and returns the processing result. (Step 4-6)
Alipay+ calls the authNotify interface to notify the Acquiring Service Provider of the token cancelation result. The Acquiring Service Provider acknowledges the notification and syncs the same information with the merchant. (Step 7-8)
The merchant processes the unbinding logic and displays the unbinding result.

Acquiring Service Provider actions

The following section describes the actions that the Acquiring Service Provider needs to perform during the account unbinding process that is initiated from the merchant side.

1. Use cancelToken to revoke the access token

After receiving the account unbinding request from the merchant, the Acquiring Service Provider needs to call the cancelToken interface from Alipay+ to apply to revoke the specified access token.

Processing logic

The following list provides the key information that the Acquiring Service Provider needs to take into consideration when configuring the request parameters of the cancelToken interface:

accessToken: specifies the access token that is to be revoked. The Acquiring Service Provider needs to retrieve the specified access token from the account unbinding request sent by the merchant.
authClientId: specifies the unique identifier for the auth client. Normally it refers to the merchant.

If the value of the result.resultStatus parameter is S, the authorization of the user account is successfully revoked, which means the access token cannot be used to access the user's resources, and the related refresh token cannot be used to retrieve a new access token.
In addition, when the following two result codes are returned, the revoke of the access token can be regarded as a success conditionally:

INVALID_TOKEN: when this result code returns, the Acquiring Service Provider needs to check whether the access token is indeed valid and obtained from Alipay+, and if yes, the revoke of the access token can be regarded as a success.
EXPIRED_ACCESS_TOKEN: when this result code returns, the revoke of the access token can be regarded as a success.

Sample

The Acquiring Service Provider sends a cancelToken request to Alipay+.

copy
{
  "authClientId":"123456",
  "accessToken":"asdfghjklasdfghjklasdfghjkl"
}

Alipay+ returns a response to the Acquiring Service Provider.

copy
{
  "acquirerId":"123456",
  "pspId":"123456",
  "result": {
        "resultCode": "SUCCESS",
        "resultMessage": "Success",
        "resultStatus": "S"
    }
}

More Information

For more information about how to send the cancelToken API request and handle the response, see cancelToken.

2. Process the authorization notification

After the access token was revoked, Alipay+ calls the authNotify interface to send the authorization notification to the Acquiring Service Provider, which then notifies the merchant of the same information.

Processing logic

The following list provides the key information that the Acquiring Service Provider needs to take into consideration when handling the request parameters of the authNotify interface:

authorizationNotifyType: the value is set to TOKEN_CANCELED to indicate the access token in the request has been deactivated by the Mobile Payment Provider. The merchant cannot use the access token for any further interactions.
accessToken: specifies the access token that needs to be revoked.
tokenCancelSource: specifies the source of the unbinding. The value is set to ACQUIRER to indicate that the account unbinding process is initiate from the merchant side.

After the Acquiring Service Provider successfully handles the notification request, the Acquiring Service Provider needs to return a response to Alipay+. Alipay+ provides a notification retry mechanism if the result.resultCode parameter in the notification response returned from the Acquiring Service Provider is not S. For more information about how to handle the notification, see Handle notification.

The Acquiring Service Provider also needs to sync the notification with the merchant.

Sample

copy
{
    "authorizationNotifyType": "TOKEN_CANCELED",
    "authClientId": "218xxxxxxxxx1234",
    "referenceMerchantId": "218823863726*********",
    "accessToken": "663xxxxxxxxxxxxxxxxxxxxxxxxx9DC7",
    "tokenCancelSource": "ACQUIRER",
    "acquirerId": "102xxxxxxxxxxxx0001",
    "pspId":"102xxxxxxxxxxxx0001"
}

copy
{
    "result": {
        "resultCode": "SUCCESS",
        "resultMessage": "Success",
        "resultStatus": "S"
    }
}

More Information

For more information about how to handle the authNotify API request and return a response, see authNotify.

Unbinding from the wallet side

Workflow

The following figure illustrates the account unbinding workflow that is initiated from the wallet side:

Figure 2. Workflow of account unbinding from the wallet side

The account unbinding worklfow contains the following steps:

A user initiates the account unbinding process by clicking an existing authorization record in the Alipay+ supported wallet, which then intiates an unbinding consultation result to Alipay+. (Step 1-2)
Alipay+ consults with the Acquiring Service Provider about whether the merchant allows the access token to be revoked from the wallet side by calling the consultUnbinding interface and returns the unbinding consultation result. (Step 3-8)

After receiving the unbinding consultation result, the Mobile Payment Provider proceeds with account unbinding process.

If the merchant does not allow the access token to be revoked from the wallet side, the user is guided to the merchant side to initiate the unbinding process.
If the merchant allows the access token to be revoked from the wallet side, the Mobile Payment Provider deactivates the access token in the wallet and sends a notification to Alipay+ afterward. (Step 12)

Once the access token is revoked at the wallet side, the Acquiring Service Provider receives the authorization notification from the Mobile Payment Provider via Alipay+, acknowledges the notification, and notifies the merchant of the same information. (Step 15-18)

Note: AlipayCN allows users to unbind accounts from the wallet side directly, without consulting the merchant. After an account unbinding, Alipay+ uses the authNotify interface to notify the Acquiring Service Provider of the unbinding.

Acquiring Service Provider actions

The following section describes the actions that the Acquiring Service Provider needs to perform during the account unbinding process that is initiated from the wallet side.

1. Consult about account unbinding

The Acquiring Service Provider needs to accept the request of the consultUnbinding interface from Alipay+, collect the required information from the merchant, and then return whether the merchant allows the user account to be unbound from the wallet side.

Processing logic

The following list provides the key information that the Acquiring Service Provider needs to take into consideration when handling the request parameters of the consultUnbinding interface:

authClientId: specifies the unique identifier for the auth client. Here it refers to the merchant.
accessToken: specifies the access token that is to be revoked, which is also the one that has been issued to the merchant during the account binding process.

The following list provides the key information that the Acquiring Service Provider needs to take into consideration when configuring the response parameters of the consultUnbinding interface:

result: indicates the API call result. For example, if the consultUnbinding API call has been processed successfully, the result.resultStatus parameter is specified as S.
allowUnbinding: specifies a Boolean value that indicates whether the auth client (merchant) allows the access token to be revoked from the wallet side.

true: the merchant allows the access token to be revoked from the wallet side.
false: the merchant does not allow the access token to be revoked from the wallet side.

refuseReason: specifies the reason why the account binding is rejected.

Note: The merchant or the Acquiring Service Provider needs to evaluate the binding details in the system to decide whether the user account can be unbound from the wallet side. For example:
Is there any unpaid transaction?
Is there any ongoing transaction that might need payment processing very soon?
Any other possible factors that might bring the merchant or the Acquiring Service Provider issues for further processing if the user account was unbound?

Sample

Alipay+ sends a consultUnbinding request to the Acquiring Service Provider.

copy
{
  "authClientId": "218882112121**",
  "referenceMerchantId": "218882112121**",
  "accessToken": "2810120412122ojsalksa***",
  "acquirerId":"10221880000000****",
  "pspId":"10220880000000****"
}

The Acquiring Service Provider sends a response to Alipay+.

copy
{
  "result": {
        "resultCode": "SUCCESS",
        "resultMessage": "Success",
        "resultStatus": "S"
    },
  "allowUnbinding":"false",
  "refuseReason":"User has unpaid order."
}

More Information

For more information about how to handle the consultUnbinding API request and return a response, see consultUnbinding.

2. Process the authorization notification

If the merchant allows the user account to be unbound from the wallet side, after the access token is revoked at the wallet side, Alipay+ calls the authNotify interface to send the authorization notification to the Acquiring Service Provider, which then notifies the merchant of the same information.

Note: AlipayCN allows users to unbind accounts from the wallet side directly, without consulting the merchant. After an account unbinding, Alipay+ uses the authNotify interface to notify the Acquiring Service Provider of the unbinding.

Processing logic

The following list provides the key information that the Acquiring Service Provider needs to take into consideration when handling the request parameters of the authNotify interface:

authorizationNotifyType: the value is set to TOKEN_CANCELED to indicate the access token in the request has been deactivated by the Mobile Payment Provider. The merchant cannot use the access token for any further interactions.
accessToken: specifies the access token that needs to be revoked.
tokenCancelSource: specifies the source of the unbinding. The value is set to PSP to indicate that the account unbinding process is initiate from the Mobile Payment Provider (wallet) side.

After the Acquiring Service Provider successfully handles the notification request, the Acquiring Service Provider needs to return a response to Alipay+. Alipay+ provides a notification retry mechanism if the result.resultCode parameter in the notification response returned from the Acquiring Service Provider is not S. For more information about how to handle the notification, see Handle notification.

The Acquiring Service Provider also needs to sync the notification with the merchant.

Sample

Alipay+ sends an authNotify request to the Acquiring Service Provider.

copy
{
    "authorizationNotifyType": "TOKEN_CANCELED",
    "authClientId": "218xxxxxxxxx1234",
    "referenceMerchantId": "218823863726*********",
    "accessToken": "663xxxxxxxxxxxxxxxxxxxxxxxxx9DC7",
    "tokenCancelSource": "PSP",
    "acquirerId": "102xxxxxxxxxxxx0001",
    "pspId":"102xxxxxxxxxxxx0001"
}

The Acquiring Service Provider returns a response to Alipay+.

copy
{
    "result": {
        "resultCode": "SUCCESS",
        "resultMessage": "Success",
        "resultStatus": "S"
    }
}

More Information

For more information about how to handle the authNotify API request and return a response, see authNotify.