Unbind the user account
Alipay+ allows a user to revoke authorizations for auto debit payments by unbinding the Mobile Payment Provider (MPP) account. The account can be unbound with either of the following two methods:
- Unbind the MPP account from the merchant side.
- Initiate the account unbinding process from the MPP side.
  - If the merchant allows the user to unbind the MPP account from the MPP side, the user can complete the account unbinding process at the MPP side.
  - Otherwise, the user is guided to the merchant side to complete account unbinding.
Account unbinding is implemented by revoking the access token that is related to the specified authorization record. After the access token is revoked at the MPP side, the merchant cannot use the access token for any further interactions. This topic introduces the actions that you (the MPP) need to take to process account unbinding with each of the two methods.
Unbind from the merchant side
Workflow
The following figure illustrates the account unbinding workflow that is initiated from the merchant side:
Figure 1. Workflow of account unbinding from the merchant side
The account unbinding workflow contains the following steps:
- The merchant initiates an account unbinding request to the ACQP. (Step 1)
- The ACQP calls the cancelToken API to revoke the specified access token. (Step 2)
- Alipay+ calls the cancelToken API to revoke the specified access token. (Step 3)
- Alipay+ interacts with the MPP to deactivate the access token, and returns the processing result. (Steps 4-7)
- Alipay+ calls the authNotify API to notify the ACQP of the token cancelation result. The ACQP acknowledges the notification and syncs the information with the merchant. (Steps 8-9)
Step 1. Handle the cancelToken request to revoke the access token
After receiving the cancelToken API request from Alipay+, the MPP needs to handle the request and revoke the access token that is specified in the request.
Processing logic
When handling the cancelToken API request, ensure the following parameters are configured properly in the response:
- result.resultStatus:
  - If the authorization is successfully revoked, the MPP needs to return a result.resultStatus of S. The access token cannot be used to access the user's resources, and the related refresh token cannot be used to refresh the access token.
  - The request parameter accessToken is used for idempotency control. If an authorization revocation request with a specific access token is processed successfully, the MPP needs to return a result.resultStatus of S for subsequent authorization revocation requests that are initiated with the same access token.
Sample
Alipay+ sends the request to the MPP.
{
  "acquirerId": "102218800000001234",
  "pspId": "102208800000001230",
  "accessToken": "281010033AB2F588D14B43238637264FCA5A1234"
}
The MPP returns the result to Alipay+.
{
  "result": {
    "resultCode": "SUCCESS",
    "resultStatus": "S",
    "resultMessage": "Success"
  }
}
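The idempotency rule above, as an added Python example that is not part of the Alipay+ documentation. The in-memory TOKENS store, the function names and the refresh-token value are assumptions made for illustration.

```python
# In-memory stand-in for the MPP token store (constructed sample record).
TOKENS = {
    "281010033AB2F588D14B43238637264FCA5A1234": {
        "refresh_token": "SAMPLE-REFRESH-TOKEN",  # constructed value
        "revoked": False,
    },
}


def success():
    """Success result in the shape shown in the sample response."""
    return {"result": {"resultCode": "SUCCESS", "resultStatus": "S",
                       "resultMessage": "Success"}}


def handle_cancel_token(request):
    """Revoke the token named in a cancelToken request; safe to call repeatedly."""
    record = TOKENS.get(request["accessToken"])
    if record is None:
        # The response for an unknown token is defined in the cancelToken
        # reference, not on this page, so this example leaves it to the caller.
        raise LookupError("unknown access token")
    # Keep the record as a tombstone instead of deleting it: a retry with the
    # same accessToken must still find it and receive resultStatus "S".
    record["revoked"] = True
    return success()


def can_access_resources(access_token):
    """Resource access check: a revoked access token is rejected."""
    record = TOKENS.get(access_token)
    return record is not None and not record["revoked"]


def can_refresh(refresh_token):
    """Refresh check: revoking the authorization also disables its refresh token."""
    return any(r["refresh_token"] == refresh_token and not r["revoked"]
               for r in TOKENS.values())
```

Deleting the token row on revocation would make a retried cancelToken request fail the lookup, which breaks the rule that repeated requests with the same access token return S.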
More information
For more information about how to handle the cancelToken API request and return the response, see cancelToken.
Step 2. Notify Alipay+ of the unbinding result
After the access token is revoked at the MPP side, to ensure that the unbinding result is synced with the ACQP side, the MPP needs to call the authNotify API to asynchronously notify Alipay+ of the unbinding result.
For more information about how to call the authNotify API, see Send authorization notification.
Unbind from the MPP side
Workflow
The following figure illustrates the account unbinding workflow that is initiated from the MPP side:
Figure 2. Workflow of account unbinding from the MPP side
The account unbinding workflow contains the following steps:
- A user initiates the account unbinding process by clicking an authorization record in the MPP client, for example, the wallet app. (Step 1)
- The MPP client initiates a consultation request about account unbinding. The MPP server then calls the consultUnbinding API to consult with Alipay+. Alipay+ then passes the request to the ACQP. (Steps 2-4)
- The ACQP checks whether the merchant allows the corresponding access token to be revoked from the MPP side. The consultation result is then returned to the MPP client and cached in the MPP server. The consultation result contains the result.resultStatus and allowUnbinding parameters. (Steps 5-8)
- If the merchant forbids the access token to be revoked from the MPP side, the MPP client hides the button for unbinding and guides the user to unbind the MPP account from the merchant side. (Steps 9-10)
- Otherwise, the MPP client displays the button for unbinding. After the user clicks the button to confirm unbinding, the MPP server checks the cached consultation result and the expiration time of the access token. (Steps 11-22)
  - If the merchant forbids the access token to be revoked from the MPP side or the access token is expired, the MPP server syncs with the MPP client that the unbinding fails. The MPP client then displays the related information and guides the user to unbind the payment account from the merchant side.
  - If the merchant allows the access token to be revoked from the MPP side and the access token is still valid, the MPP server completes account unbinding and syncs with the MPP client that the unbinding succeeds. Meanwhile, the MPP also calls the authNotify API to notify Alipay+ of the unbinding result, thus triggering the ACQP to complete the account unbinding.
Step 1. Consult about account unbinding
The MPP needs to call the consultUnbinding API to consult Alipay+ on whether the merchant allows the corresponding access token to be revoked from the MPP side.
Processing logic
After calling the consultUnbinding API, ensure that the following parameters in the response are handled properly:
- result.resultStatus: If the value of result.resultStatus is S, the consultation about unbinding succeeds. In this case, the MPP needs to further retrieve the value of the allowUnbinding parameter.
- allowUnbinding:
  - If the value of allowUnbinding is false, the merchant does not allow the access token to be revoked from the MPP side. In this case, the MPP needs to take the following actions:
    - Hide the button that is used for account unbinding, and guide the user to unbind the MPP account from the merchant side.
    - Integrate the cancelToken API to revoke the access token. For more information, see Unbind from the merchant side.
  - If the value of allowUnbinding is true, the merchant allows the access token to be revoked from the MPP side. In this case, the MPP needs to take the following actions:
    - On the Authorization detail page, display the button that is used for account unbinding. It is recommended that the MPP client pop up a service cancellation dialog for users to confirm unbinding after the button is clicked.
    - Cache the consultation result in the MPP server so that the MPP client can recheck when users click the button to confirm unbinding. It is recommended that the MPP set the cache duration to 30 minutes. When the cache duration expires, the MPP needs to guide the user to refresh or reopen the Authorization detail page and reinitiate the account unbinding process.
Sample
The MPP sends a request to Alipay+.
{
  "authClientId": "21888211212100",
  "referenceMerchantId": "21888211212101",
  "accessToken": "2810120412122ojsalksa000"
}
Alipay+ returns a response to the MPP.
{
  "result": {
    "resultCode": "SUCCESS",
    "resultStatus": "S",
    "resultMessage": "success"
  },
  "acquirerId": "1020000000000000001",
  "pspId": "1020000000000000002",
  "allowUnbinding": "false",
  "refuseReason": "merchant not allow unbinding"
}
More information
For more information about how to send the consultUnbinding API request and handle the response, see consultUnbinding.
Step 2. Revoke authorization and notify Alipay+ of the unbinding result
When the user clicks the button to confirm unbinding, the MPP needs to take the following actions:
- Deactivate the access token at its side.
- Call the authNotify API to notify Alipay+ of the unbinding result, thus triggering the ACQP to revoke authorization.
For more information about how to call the authNotify API, see Send authorization notification.
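The server-side recheck described in this workflow (cached consultation result, 30-minute cache duration, access token expiry), as an added Python example that is not part of the Alipay+ documentation. The function names, the in-memory cache and the timestamps are assumptions; the example fails closed, and because the sample consultUnbinding response carries allowUnbinding as the string "false", it compares the value explicitly instead of testing truthiness.

```python
from datetime import datetime, timedelta, timezone

CACHE_TTL = timedelta(minutes=30)  # cache duration recommended on this page
CONSULT_CACHE = {}  # accessToken -> (allowed, cached_at); in-memory stand-in


def allows_unbinding(response):
    """True only for resultStatus S plus an explicit true; anything else denies."""
    if response.get("result", {}).get("resultStatus") != "S":
        return False
    value = response.get("allowUnbinding")
    # The sample response carries the string "false", and bool("false") is True
    # in Python, so compare explicitly instead of relying on truthiness.
    return value is True or (isinstance(value, str) and value.lower() == "true")


def cache_consultation(access_token, response, now):
    """Store the consultation result; the return value drives the unbind button."""
    allowed = allows_unbinding(response)
    CONSULT_CACHE[access_token] = (allowed, now)
    return allowed


def confirm_unbinding(access_token, token_expires_at, now):
    """Server-side recheck when the user confirms; returns (ok, next_step)."""
    entry = CONSULT_CACHE.get(access_token)
    if entry is None or now - entry[1] > CACHE_TTL:
        CONSULT_CACHE.pop(access_token, None)
        return False, "reopen the Authorization detail page"
    if not entry[0] or now >= token_expires_at:
        return False, "unbind from the merchant side"
    # The caller now deactivates the token and sends authNotify (not shown).
    del CONSULT_CACHE[access_token]  # a consultation result is used once
    return True, "unbinding confirmed"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamps
    sample = {"result": {"resultStatus": "S"}, "allowUnbinding": "false"}
    print(cache_consultation("2810120412122ojsalksa000", sample, t0))
    print(confirm_unbinding("2810120412122ojsalksa000", t0 + timedelta(days=1), t0))
```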