Updates to User Token Retrieval Flow, and New Application Settings Tool (Beta)

Update (8/14/2008): We've noticed a glitch with a couple of the new features in the Application Settings tool. Well, it IS a beta. We have temporarily disabled the ability to rename your keysets, and to add a custom logo and URL via the tool. You can still make those updates via the API. See this system announcement for information on this workaround, and status on the issue. We hope to have a fix in next week. We're sorry for any inconvenience!

We've made several improvements to the User Token retrieval process, and made it even easier for developers to configure and maintain their application-level settings. New features of the token retrieval process include:

  • A new Application Settings Tool (Beta) is now available on http://developer.ebay.com for developers to view their stored user token, manage application-level Platform Notification and Client Notification settings, and customize the User Consent Page. Here's an example of a customized User Consent page:
    [Image: Customized User Consent Form]

    Please try out the new tool at https://developer.ebay.com/DevZone/account/appsettings/ (requires login).

  • Enhanced User Consent Page: There is a new way to set up the user consent flow for your application, and set other application-level settings.
    The old user consent setup process involved making an RuName for your application using the SetRuName call, and then calling SetReturnURL to establish other application authentication settings. With the new Application Settings Tool, you set up your user consent flow by filling out a simple form.

    The tool also lets you add your application logo and a URL to your User Consent Page, so users can learn more about your application. This improvement makes the User Consent Page more friendly to new users, helps reinforce your brand, and provides a way for users to find more information about the application they are authorizing.

    For more information, please see http://developer.ebay.com/DevZone/XML/docs/WebHelp/GettingTokens-.html

  • eBay UserID Verification Option: An ID Verification option has been added to the User Consent flow, for applications that only need to confirm an eBay member's UserID. This option is supported at the RuName level, and allows an application to confirm an eBay member's UserID by taking the user through the standard User Consent Flow [also known as the Auth & Auth flow]. The application can use the new ConfirmIdentity call to verify the member's UserID that was provided at login time.

    For more information, please see http://developer.ebay.com/DevZone/XML/docs/WebHelp/GettingTokens-Getting_Tokens_for_Applications_with_Multiple_Users.html

We look forward to hearing your feedback regarding this tool and appreciate your suggestions and input. You can send your feedback to developer-webmaster@ebay.com.

August 11, 2008 in Authentication & Authorization, Developer Website, Product News

Identity Confirmation and User Tokens

We previously posted about Trusted Selling with Identity Confirmation. In certain cases, eBay will be requiring sellers to verify their identity by initiating an automated phone call to their registered phone number. If unable to do so, sellers can also contact Live Help for identity confirmation.

Developer Impact:
I have gotten some additional clarification about how this impacts developers. eBay sellers who list using 3rd party tools will not get identity checks when listing with these tools. They will, however, go through identity checks when they grant consent for the tool to list items on their behalf (i.e., when a new user token is generated).

If the eBay member is granting consent from an unrecognized computer, they may initiate an automated phone call from eBay to their registered phone number, which delivers a PIN. That PIN should then be entered on the next screen.

Developers should be prepared for these identity checks when a user token has expired (and consent must be granted again), or when signing up a new customer (and consent is given for the first time). It's a good idea to prepare the eBay member for what they will experience, and to make sure they have a current phone number on file with eBay or add a mobile phone number as a secondary phone number.

This applies ONLY to developers who manage user tokens.

June 4, 2008 in Authentication & Authorization, Product News

No Change to Auth & Auth for Identity Confirmation

Last week, you heard from John Canfield about Trusted Selling with Identity Confirmation. In certain cases, eBay will now be requiring people to enter a PIN received over the phone when they sign in to eBay.

Developer Impact:
Developers will not be required to make any changes to their applications as a result of this new process. If your application uses the Auth & Auth sign-in process, we will handle the PIN confirmation for you when it is necessary, before providing you with a token.

April 18, 2008 in Authentication & Authorization, Business News

Auth & Auth Tokens: Upcoming 18-month Expiration

Authentication & Authorization (Auth & Auth) tokens have an 18-month maximum life before they expire and become invalid. To re-validate the token, users must be prompted to go through your application's Auth & Auth flow again.

eBay introduced Auth & Auth in April 2004. Developers of applications where users have not been prompted to authenticate since April 2004 will be impacted. Users of these applications will begin to encounter expired Auth & Auth tokens beginning in October 2005.

Developer Impact: In order to prevent a disruption of service, please make sure your application correctly handles expired tokens and sends the seller back through Auth & Auth to re-validate the token. You may wish to proactively check the expiration date of your tokens, and let affected users know when their token will expire. These users can then complete the Auth & Auth process before they are confronted with an invalidated Auth & Auth token.

For more information on Auth & Auth, please consult the eBay Web Services documentation.

September 13, 2005 in Authentication & Authorization, Critical Notes from Tech Support, Documentation

Auth/Auth Redirect URL Change

This week eBay made a minor change to the URL used for third-party authentication and authorization ("auth & auth"). eBay API applications should continue to function normally with no change, since the current URL will continue to function for an indefinite period of time (the old URL will redirect to the new URL).

Currently, authentication URLs that begin with this string:
https://signin.ebay.com/saw-cgi/eBayISAPI.dll?SignIn&runame=
or this string:
https://signin.ebay.com/aw-cgi/eBayISAPI.dll?SignIn&runame=
will now begin with this string:
https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&runame=

Although this is not a breaking change, for efficiency, developers should update their code to use the new URL.

August 11, 2004 in Authentication & Authorization

Reminder: Authentication and Authorization

Remember, July 1, 2004 is the final date to update your application to use Auth & Auth. If you don't make this change, your application will break. For further details, click here.

June 14, 2004 in Authentication & Authorization

Client Solution for Authentication and Authorization

We are happy to announce the availability of our client-based solution for Authentication & Authorization (“Auth & Auth”). This solution uses a new call, FetchToken, enabling developers to receive a user's authentication token in a result set rather than being returned in a redirect URL (as is the case with the standard Auth & Auth procedure). You can review documentation on FetchToken here.

For developers who have already migrated to Auth & Auth and do not need this solution, thank you.

For developers using a temporary Auth & Auth solution for client-based apps, you have until July 1, 2004 to adopt this final FetchToken solution.

For developers who are waiting for FetchToken support in our SDK for Windows, it is now available here. The new date to adopt a final Auth & Auth solution for SDK for Windows users is July 1, 2004.

June 2, 2004 in Authentication & Authorization

New Landing Page for Authentication and Authorization

Based on your feedback, we are revising the second page of the Auth & Auth flow for users. We will be removing all of the specific uses on the page (which may or may not be applicable to certain applications) like "Display the status of items I watch, bid, or win," "Display the status of items I sell," etc., and instead encourage the users to review your privacy policies. This change will be implemented at the end of June.

June 2, 2004 in Authentication & Authorization

DTS Common Questions: Auth & Auth

We periodically publish answers to some of the most common questions we're getting from our developer community. If you have a question (or an answer!), be sure to check out our developer forums and the knowledge base (kbuser/kbuser).

Q. What characters are permissible in a token?
A. Tokens are base 64 encoded. They can contain characters [a-Z] plus '*', '/', '+'.

Q. Is a token still valid if a user changes their password on eBay?
A. No. A token is hard expired as soon as a user changes their password on eBay. If the token is subsequently used in an API call, it will be rejected with a Hard Expiration error message. The user will need to complete the 3rd party authorization form in order to generate a new valid token. In some situations, the eBay Trust and Safety or Customer Support team needs to change a user's password. In these cases, the user is always notified of the action that has taken place. Please keep in mind that this action will also hard expire a token.

The three situations in which a token can hard expire are:

+ The hard expiration date of the token is reached.
+ The user changes their password.
+ eBay expires the token due to security concerns.

In scenario 1, the 3rd party application will receive token Hard Expiration Warnings starting 7 days prior to the scheduled expiration date. In scenarios 2 and 3, the 3rd party application will not be notified of the hard expiration.
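The expiration handling recommended in the September 2005 post above and the three hard-expiration scenarios in this answer, as an added example that is not part of the original posts: a small Python token store that flags tokens inside the 7-day warning window and marks a token dead the moment a call is rejected, because scenarios 2 and 3 give no advance notice. The TokenRecord shape, the error-message matching and the sample dates are assumptions, not eBay's API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

WARNING_WINDOW = timedelta(days=7)  # warnings start 7 days before the date (from the post)

@dataclass
class TokenRecord:
    """Assumed per-user record kept by the application (not eBay's format)."""
    user_id: str
    token: str
    hard_expiration: datetime  # recorded by the app when consent was granted
    revoked: bool = False      # set when eBay rejects the token early

def token_status(rec: TokenRecord, now: datetime) -> str:
    """Classify a stored token as 'expired', 'expiring_soon' or 'valid'."""
    if rec.revoked or now >= rec.hard_expiration:
        return "expired"
    if rec.hard_expiration - now <= WARNING_WINDOW:
        return "expiring_soon"
    return "valid"

def record_api_result(rec: TokenRecord, error_messages: List[str]) -> bool:
    """Update rec from the errors of a call made with rec.token; True if still usable.
    A Hard Expiration warning (scenario 1) leaves the token usable; a Hard Expiration
    error means it is dead whatever the cause (scenarios 2 and 3 give no prior warning),
    so mark it revoked and force re-consent. Matching on message text is an assumption;
    use the error field your API client exposes."""
    for msg in error_messages:
        text = msg.lower()
        if "hard expiration" in text and "warning" not in text:
            rec.revoked = True
            return False
    return True

def users_needing_reauth(records: List[TokenRecord], now: datetime) -> Dict[str, List[str]]:
    """Users to send back through Auth & Auth now, and users to warn ahead of time."""
    out: Dict[str, List[str]] = {"expired": [], "expiring_soon": []}
    for rec in records:
        status = token_status(rec, now)
        if status in out:
            out[status].append(rec.user_id)
    return out

if __name__ == "__main__":
    now = datetime(2005, 10, 1)  # constructed sample dates and tokens, not real ones
    store = [TokenRecord("seller_a", "tokA", datetime(2005, 10, 5)),
             TokenRecord("seller_b", "tokB", datetime(2006, 3, 1)),
             TokenRecord("seller_c", "tokC", datetime(2006, 3, 1))]
    record_api_result(store[2], ["Hard Expiration: token no longer valid"])
    print(users_needing_reauth(store, now))  # seller_c expired, seller_a expiring_soon
```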

Q. How many RuNames can I use for my application?
A. The flexibility of the Authentication and Authorization feature allows you to create multiple RuNames. Each RuName can specify a unique AcceptURL and RejectURL. This gives you the ability to redirect your users back to different pages in your application, depending on where they came from.

You can set up RuNames via the API call SetReturnURL. You can also update existing RuNames with new URLs via this call, by changing the tag to "Set". For more information about SetReturnURL, refer to the API Documentation here.

March 25, 2004 in Authentication & Authorization

Forum Hot Topic: Auth & Auth

If you haven't already done so, be sure to check out the Developer Program forum dedicated to Auth & Auth. A lot of developers have chimed in — offering suggestions, complaints, you name it — and we encourage everyone making the transition to check it out.

March 4, 2004 in Authentication & Authorization