3

I have a web site and I want to offer a few levels of service - one free, one for a one-off payment, and one for a subscription. My first inclination is to use Paypal for the payment options. I understand that I can make some login page on my site where you create an account or login to an existing account, and then I can make an API call to Paypal to see what they've paid for and give them the appropriate level of access, and redirect to Paypal for them to pay for the access they want. I'm not sure yet if the free service will require a login or not.

But having read Joel Spolsky's and Bruce Schnier's blogs, I'm conscious of how hard it is to do authentication right, and what a pain it is for users to have to create an account or login to my site, and then create an account or login to Paypal. Is there a way to use Paypal's login system directly, so they login to Paypal and Paypal sends me back a token saying who they are and what they've paid for? That kind of sounds like almost an OpenID, or something similar?

Paul Tomblin
  • 1,949
  • 1
  • 15
  • 19

2 Answers2

2

It's possible that not all user's have PayPal so if you want to use them for authentication it's best to have some other options such as FaceBook or OpenID. That way the users using the free option will be more comfortable than having to use PayPal up front where they might think they could be charged and may opt out.

But there is an option (Paypal Account Authentication) to do what you're suggesting, but it looks like it is a new thing and not widely used or accepted yet for application authentication. They also state that it's not intended as a federated identity or single sign-on as is OpenID.

Turnkey
  • 1,697
  • 9
  • 10
  • Actually, I think the free option won't require a sign-on. So I don't think I need the openid or facebook option. – Paul Tomblin Sep 10 '11 at 13:04
  • 1
    In that case it might be worth going for just the PayPal authentication if your free app has no user id requirements. Please update this question later on after you've tried the concept for future reference. – Turnkey Sep 10 '11 at 16:32
0

Even if you use PayPal authentication, you still need to store lots of information about your users, if you want to act professionally and provide high-level, worthy service. Consider SE sites for example. While they provide almost all kinds of authentication mechanisms, they still store a very good amount of data for each user, including his/her questions, badges, tags, etc.

Talking from my own experience, I think a day comes when you need to implement your own solution. Thus I suggest you create it, instead of trying to reuse it.

Also keep in mind that PayPal (or OpenID in general) is an external service and it might be filtered in some countries, and it might have some special policies in other countries. This means that instead of defining your own business, you should follow their business. In other words, I think you shouldn't become dependent on external resources, or you get engaged in issues which are not related to programming at all, and are in nature law-based issues, unless you have a lawyer at your service.

Saeed Neamati
  • 18,142
  • 23
  • 87
  • 125