#stephendalygds_68993

Hi 👋

Yeah we don't really document this path but give me a minute to look

Can you share am API request ID for the /v1/tokens request? It will start with req_

Here's how you can find a request ID: https://support.stripe.com/questions/finding-the-id-for-an-api-request

Yep, here's one req_RQqW8nNXKLSbxR

Are you using the stripe-java client library?

We are not, but it looks like there isn't specific support for this request in the Java library, you can just provide a Map<String, Object> for the requests params which is similar to what we are doing.

Yes there is a section in the README about passing undocumented parameters and properties and that is how you would make this request: https://github.com/stripe/stripe-java#how-to-use-undocumented-parameters-and-properties

I just tried this, but got the same error - see req_LJefbSKK8RXZNj

My code looks like this:

        TokenCreateParams tokenCreateParams = TokenCreateParams.builder()
                .putAllExtraParam(Map.of("pk_token", paymentToken,
                        "pk_token_instrument_name", applePayPaymentData.getPaymentInfo().getDisplayName(),
                        "pk_token_payment_network", applePayPaymentData.getPaymentInfo().getNetwork(),
                        "pk_token_transaction_id", applePayPaymentData.getPaymentInfo().getTransactionIdentifier()))
                .build();
        return Token.create(tokenCreateParams, requestOptions);```

And you are returning a PKPay,mentToken to build this request, right? https://developer.apple.com/documentation/passkit/pkpaymenttoken

Yes applePayPaymentData originates from a PKPaymentToken and applePayPaymentData.getApplePayEncryptedPaymentData() is the paymentData property as defined here https://developer.apple.com/documentation/passkit/apple_pay/payment_token_format_reference#3949537

Okay so what we are looking for in the request to /v1/tokens is

pk_token=<PKPaymentToken.paymentData decoded as JSON> \
pk_token_instrument_name=<PKPaymentToken.paymentInstrumentName> \
pk_token_payment_network=<PKPaymentToken.paymentNetwork> \
pk_token_transaction_id=<PKPaymentToken.transactionIdentifier>

I'm pretty sure that's what I'm sending. By "decoded as JSON", does that mean a JSON string?
I'm trying to follow this code from your iOS library, and it looks like I'm doing the equivalent https://github.com/stripe/stripe-ios/blob/0bc45209383dfee68a24b8c82f28750491cf0daf/StripeApplePay/StripeApplePay/Source/PaymentsCore/API/Token%2BAPI.swift#L57

If I try to send a map rather than a String for the pk_token I get a different error, which would suggest to me that the request format is correct.

Yes if the pk_token parameter were the problem we would expect a different error

I'm trying to understand the source of this error. I was hopeful it had to do with some SSL cert and that the stripe-java library would help

My guess was the error message is referring to the Apple Pay Payment Processing certificate, is it not?

But it does look like the error is coming from the cryptogram validation process

Are there any clues as to where it's failing? Are the contents of pk_token as expected? I've already tried regenerating the Payment Processing Certificate with Apple and uploading the new one to Stripe. I also tried creating a new Merchant ID as suggested on https://stripe.com/docs/apple-pay/apps#troubleshooting

Question: Is this an existing application or are you building something brand new?

Because this error is due to the ApplePay certificate

We already have a Stripe integration, we're just trying to add Apple Pay now

Okay so this issue is with the certificate. You need to get the CSR from the Stripe Dashboard and use it to generate the ApplePay token

I have done this

see #1140683867238441020 message

Taking a look at the ApplePay cert with my colleagues

Thanks!

Okay we think this is a certificate mismatch. How are you collecting the Apple Pay? Is this an iOS app or a web page integration?

It's a web page integration

Are you calling this method? ApplePaySession.canMakePaymentsWithActiveCard?

If so can you share the code?

We are not calling this method. You can see our client-side javascript for Apple Pay here https://github.com/alphagov/pay-frontend/blob/master/app/assets/javascripts/browsered/web-payments/apple-pay.js
This is already working with a different payment gateway (Worldpay). We think that this code should work for Stripe if we just use a different Apple Pay Merchant ID with the Payment Processing certificate generated from the CSR downloaded from Stripe.

I've verified that we are using the same Merchant ID for the running code as for the certificate uploaded to the Stripe dashboard

Thanks, looking into this

Okay can you verify that the mechantIdentifier value in your back-end code that requests the Payment Session from Apple matches the value in the ApplePay certification?

The value needs to match the apple_merchant_name on the certificate you uploaded to Stripe

I have verified this is the case

You see merchant.uk.gov.service.payments.stripe.local in your back-end?

In this call: https://developer.apple.com/documentation/apple_pay_on_the_web/apple_pay_js_api/requesting_an_apple_pay_payment_session#3199967

Sorry if it seems repetitive, I just want to make sure we check everything

We validate the session with Apple Pay using the onvalidatemerchant event handler. This calls our backend here https://github.com/alphagov/pay-frontend/blob/master/app/controllers/web-payments/apple-pay/merchant-validation.controller.js#L31 which makes a request to Apple Pay to validate the session. You can see we we are providing the merchant ID and merchant identity certificate here.

I added some logging and can see the merchant ID is the same as for the certificate uploaded to Stripe: "merchantIdentifier":"merchant.uk.gov.service.payments.stripe.local"

Is there any way I can validate the CSR I downloaded and uploaded to Apple matches the private key that Stripe holds? Does the CSR regenerate each time I try to add an Apple Pay application in the Stripe dashboard? Is there any chance this has got out of sync?

I could try doing this again, but I have already tried recreating the certificate once before

Okay after some digging we suspect something is getting messed up in the pk_token value being passed in. The errors appear to be coming from the validation of the token.

Our API redacts the pk_token value in the API logs so all you see is ****** but for testing purposes you can change that parameter to pk_token_debug and make another request and then both you and we will be able to view the string passed in to see if anything is getting messed up there.

Ah great! I'll try that

The error has changed, it now says parameter_missing. But you can see the contents of the pk_token: req_rqunXwhyDQbYtM

Okay great. As a follow up, are you making the request for an Apple Pay Session in you onvalidatemerchant callback from your server? https://developer.apple.com/documentation/apple_pay_on_the_web/apple_pay_js_api/providing_merchant_validation

You send the data from the client back to your server to request the Session?

Yes, we are doing that

Okay, I just wanted to make sure. Still reviewing the contents of pk_token_debug

Thanks

Okay. Can you clarify what creates the applePayPaymentData object you call getApplePayEncryptedPaymentData() from?

At this point our best guess is something is going wrong with the character encoding

It's coming from the PKPaymentToken returned by Apple but it is sent from of our apps to another. I have tried logging the contents as soon as we get the PKPaymentToken from Apple and compared it to what we're sending to stripe in "pk_token", and they are equal - just the ordering of the properties in the JSON have changed.

Okay this rules out the data encoding issue we suspected.

At this point the only thing that it could possibly be is that Apple is encrypting the the data using a different certificate than the one you have uploaded to Stripe.

Is there any possibility that there are conflicting certificates in the different apps? Or could your hosting environment be caching the certificate being used?

👋 Hello! I've been working with @midnight quiver on this behind the scenes. I'm taking over so he can step away for lunch.

I've been looking through our code and the only thing I can think of that would explain this is a certificate mismatch. Specifically we can't verify the PKCS7 digest.

Hi @west dragon, thanks. We don't host the processing certificate - it's only in Apple, where we can only have one active processing certificate per Merchant ID and in Stripe

Right, but Apple also has it. Is it possible they have the wrong one?

Is there any way I can veify the certificate I've got uploaded to Apple with the private key/CSR that Stripe havE?

I can try downloading a new CSR from Stripe and regenerating the certificate with Apple, but I have already done this once

I'm not sure, it's been a while since I logged in to Apple's developer portal. What info do they give you there about the certificate being used?

They just give the merchant ID name and expiry date in the portal. But I can download the certificate, which I did when I uploaded to Stripe

🤔

Earlier you said:

I have tried logging the contents as soon as we get the PKPaymentToken from Apple and compared it to what we're sending to stripe in "pk_token", and they are equal - just the ordering of the properties in the JSON have changed.
Just to confirm, you were logging that client-side, correct?

Ah no, it was server-side actually. I can try adding in client-side logging to double check

That sounds good. I'm worried there might be a subtle encoding error when going from client to server.

Maybe something is getting URL encoded in the wrong place or something like that.

Ok I think you might have led me to the solution. I've tried sending the apple pay PKPaymentToken data as a String between our apps rather than as JSON, and I've finally got a success response creating a token - so it was probably something to do with the encoding!

Ah ha!

There must have been some difference that wasn't visible when I was logging the payload in the 2 places

Thanks so much! I think we can call this resolved

Awesome to hear it's working now! The data Apple provides is very picky/fragile when it comes to encoding and any kind of transformations (like JSON encoding), so this makes sense. Enjoy the rest of your day!

Thank you! You too!

One more question I have, that is maybe quicker to answer - do you know any way to test a Google Pay payment that requires 3D secure?

Do you have a custom Google Pay integration as well?

Or are you using Stripe's?

Also a custom Google Pay integration. We have that working, we're just hoping for a test card or magic value that will trigger 3D secure for the payment intent.

You can do a PAN_ONLY Google Pay transaction and use one fo the test card numbers here: https://stripe.com/docs/testing#regulatory-cards

Do you know how we can use those test card numbers with Google PAy? I'm currently testing with the Google Pay sandbox test cards that are available after joining the google group https://groups.google.com/g/googlepay-test-mode-stub-data

I think those all produce transactions with a cryptogram, correct?

Ah maybe, I'm not too familiar with the google pay integration. How would we start a pan_only transaction?

I'm not either, but looking... 🙂

Huh, this says they work for both: https://developers.google.com/pay/api/web/guides/resources/test-card-suite#mock-testing

But... how? 😅

Oh, here we go, you can probably just mock this? https://developers.google.com/pay/api/web/guides/resources/payment-data-cryptography#pan_only

Ah ok, so we'd probably have to hardcode some test data, rather than being able to test end-to-end with our deployed app?

I think so, if you specifically want to force Stripe to trigger 3D Secure in test mode.

There's some other info here: https://developers.google.com/pay/api/web/guides/resources/sca

Ah ok, thanks. And there's no way we could force Stripe to request 3DS for a payment intent using some value other than the card number such as the cardholder name or some other field?

You can do it with a custom Radar rule if you have Radar for Fraud Teams.

https://stripe.com/docs/radar/rules/reference

Would probably be easiest to key off metadata: https://stripe.com/docs/radar/rules/reference#metadata-attributes

Ah we do not have Radar for Fraud teams

I think you can turn it on in test mode to try it out without paying for it.

What do you see if you go here? https://dashboard.stripe.com/test/settings/radar/rules

Ah yes I can see there is a custom rule there we set up for testing, so should be able to use that

Thanks, I'll give that a go with custom rules tomorrow

Thanks again for all your help