OpenID Connect checklist

If you get an error message when going through the OpenID Connect flow, the checklist below may help. The checklist assumes that you have read the documentation and followed our recommendation on how to send the requests. If you haven't done so, please read it here

Check the following to ensure you successfully implement OpenID Connect:

Number Checklist

Description of solution

redirect_uri
1 Is the redirect_uri whitelisted?

Have you used a redirect_uri that has been whitelisted at MobilePay? You can only use the redirect_uri that has been whitelisted. If it has not been whitelisted, you should write to developer@mobilepay.dk in order for it to be whitelisted.

You cannot use a redirect_uri that hasn’t been whitelisted by us.

2 Is the redirect_uri https?

It should always be https (unless it is localhost); otherwise you'll receive an error message.

 

3 Do you use the same redirect_uri?

The redirect_uri needs to be the same in the parameters of both the authorize request (https://sandprod-admin.mobilepay.dk/account/connect/authorize?) and the token request (https://api.sandbox.mobilepay.dk/merchant-authentication-openidconnect/connect/token?).

4 Do you use the correct clientSecret and clientID?

You should use the clientID and clientSecret from the zip file when getting or renewing an access token.

You should not use the x-ibm-client-id from the developer portal when doing your OpenID Connect requests.

5 Do you use the correct scopes?

You should use the following for each product:

  • Invoice: invoice openid offline_access
  • Subscriptions: subscriptions openid offline_access
6 Is the Code Challenge correct?

 

The length of the code challenge must be within these limits:
  • CodeChallengeMinLength = 43
  • CodeChallengeMaxLength = 128

You can see more about the code challenge here

7 Do you use the code within 5 minutes?

The code has a lifetime of 5 minutes and can only be used once. Successive token requests with the same code will result in an error and invalidation of previously accessed tokens.
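The items above that can be verified before sending anything (1, 2, 3, 5 and 6) can be run as a local pre-flight check. This is an added example, not MobilePay's code; it assumes the standard OAuth 2.0 and PKCE parameter names (redirect_uri, scope, code_challenge), an exact-string whitelist match, and the hosts in LOCAL_HOSTS counting as local. The sample request is constructed.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Limits and scopes are quoted from the checklist; LOCAL_HOSTS is an assumption.
CHALLENGE_MIN, CHALLENGE_MAX = 43, 128
REQUIRED_SCOPES = {
    "invoice": {"invoice", "openid", "offline_access"},
    "subscriptions": {"subscriptions", "openid", "offline_access"},
}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def preflight(product, authorize_url, token_params, whitelisted):
    """Return (checklist item, reason) pairs for every check that fails."""
    query = parse_qs(urlsplit(authorize_url).query)
    def param(key):
        return query.get(key, [""])[0]
    redirect_uri = param("redirect_uri")
    target = urlsplit(redirect_uri)
    problems = []
    # Item 1: compared as an exact string (assumed matching rule).
    if redirect_uri not in whitelisted:
        problems.append((1, "redirect_uri is not whitelisted"))
    # Item 2: https is required unless the host is local.
    if target.scheme != "https" and target.hostname not in LOCAL_HOSTS:
        problems.append((2, "redirect_uri is not https"))
    # Item 3: authorize and token requests must carry the same value.
    if token_params.get("redirect_uri") != redirect_uri:
        problems.append((3, "redirect_uri differs in the token request"))
    # Item 5: every scope listed for the product must be requested.
    missing = REQUIRED_SCOPES[product] - set(param("scope").split())
    if missing:
        problems.append((5, "missing scope: " + " ".join(sorted(missing))))
    # Item 6: code_challenge length must be 43..128 characters.
    size = len(param("code_challenge"))
    if not CHALLENGE_MIN <= size <= CHALLENGE_MAX:
        problems.append((6, f"code_challenge length {size} not in 43..128"))
    return problems

# Constructed sample; only the parameters the checks read are included.
AUTHORIZE = "https://sandprod-admin.mobilepay.dk/account/connect/authorize?"
SAMPLE_URL = AUTHORIZE + urlencode({
    "redirect_uri": "http://shop.example/callback",
    "scope": "invoice openid", "code_challenge": "a" * 42,
})
SAMPLE_TOKEN = {"redirect_uri": "http://shop.example/callback/"}
SAMPLE_WHITELIST = {"https://shop.example/callback"}

if __name__ == "__main__":
    print(preflight("invoice", SAMPLE_URL, SAMPLE_TOKEN, SAMPLE_WHITELIST))
```

Items 4 and 7 depend on the credentials you were issued and on timing, so they are not covered by this check.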

 

 

...no luck? If that doesn't help you, please send us a report, as demonstrated here.