Payment Card Management

How to add, edit, and delete payment cards for Customers

imin provides a whitelabel Card Details app that Customers can use to save new payment cards and to edit and delete existing ones.

These cards can then be used (and updated) by the Customer when they use Checkout to book sessions and slots.

Set-up

1. Domain name

The Card Details app will be hosted on your domain. For example, if your website is at https://acmebroker.com, Card Details would be hosted at https://cards.acmebroker.com.

What you need to do:

  1. We will provide you with a DNS target, e.g. example.rabbit123.herokusdns.com

  2. In your name server, add a CNAME record with:

    • Name: cards.{{Your primary domain name}} e.g. cards.acmebroker.com

    • Target/value: The DNS target we provided to you.

2. Prompt-less Authorization Code Flow

In order to create a seamless flow from your Customer dashboard to imin's Card Details app, we use OpenID Connect with prompt=none, as defined in the OIDC Core specification. This means that a logged-in Customer will not be shown a login prompt when they navigate from your website to our Card Details app. Their existing login session at your OpenID Provider is used to authorize them (and only them) to manage their cards.

For this to work, your Customers must already be logged in to your OpenID Provider.
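As an added illustration (not imin's code and not part of the original page), the following Python sketch shows the relying-party side of the flow described above: building the Authorization Code request with prompt=none, and classifying the callback so that the OIDC "interaction required" errors, which the OP returns when the Customer is not logged in, are handled by falling back to an ordinary prompting login instead of being treated as a failure. The authorize endpoint, client ID and redirect URI are placeholder assumptions.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values for illustration only (hypothetical, not imin's or any broker's real setup).
AUTHORIZE_ENDPOINT = "https://login.acmebroker.example/authorize"
CLIENT_ID = "card-details-client"
REDIRECT_URI = "https://cards.acmebroker.example/callback"

# OIDC Core 3.1.2.6: error codes an OP returns when prompt=none cannot be honoured
# because the user would have to interact (log in, consent, pick an account).
INTERACTION_ERRORS = {"login_required", "interaction_required",
                      "consent_required", "account_selection_required"}


def build_auth_request(prompt_none=True):
    """Return (url, state, nonce) for an Authorization Code Flow request.

    With prompt=none the OP must not show any UI: it returns a code for the
    already-authenticated user, or one of INTERACTION_ERRORS, never a login page.
    """
    state = secrets.token_urlsafe(32)   # binds the callback to this request (CSRF)
    nonce = secrets.token_urlsafe(32)   # echoed in the ID Token to stop replay
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    if prompt_none:
        params["prompt"] = "none"
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state, nonce


def handle_callback(callback_url, expected_state):
    """Classify the OP's redirect back to the client.

    Returns ("code", <authorization code>) on success, or
    ("retry_interactive", <error>) when the user has no session at the OP and
    a normal prompting login must be started. Raises on state mismatch or any
    other error, which must never be silently ignored.
    """
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in query:
        error = query["error"][0]
        if error in INTERACTION_ERRORS:
            return ("retry_interactive", error)
        raise ValueError(f"authorization failed: {error}")
    return ("code", query["code"][0])
```

The retry_interactive branch is where the app would redirect the Customer to your login page (or re-issue the request without prompt=none), since a prompt-less request can only succeed for a Customer who is already logged in to your OpenID Provider.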

Here's how to set up your OIDC Provider to allow prompt-less login:

2.1. Configure for Prompt-less

2.1.1. Auth0

  1. Create an Auth0 Application for imin's Card Details app (it must be a First Party App, which Auth0 Applications are by default).

  2. Follow this to turn on prompt-less login for this Application: https://community.auth0.com/t/how-do-i-skip-the-consent-page-for-my-api-authorization-flow/6035.

  3. Enable Single Sign-On in your tenant settings (https://auth0.com/docs/dashboard/guides/tenants/enable-sso-tenant) so that a user's login with your main client can be transferred to the imin Card Details client.

2.1.2. Self-hosted

If you are hosting your own OpenID Provider, look for guidance within the framework that you're using. We strongly recommend a mature and established OpenID Provider framework, as it should be secure and well documented.

As discussed in section 2 (Prompt-less Authorization Code Flow), you will need to set up your OIDC Provider to allow the Authorization Code Flow with prompt=none.

2.2. Next steps

What you need to do next:

  1. Let imin know where it can find your OpenID Provider's Discovery endpoint.

  2. Create and share with imin a client ID and client secret which imin can use to authenticate with your OpenID Provider.

    • These client credentials should be whitelisted to allow for prompt-less auth. How you do so depends on your set-up.

  3. Provide a Broker Customer Dashboard URL to imin. At this URL, a Customer would find their account page within your Broker. This will be used to direct Customers back to their account page.

3. Use the Card Details app

Once everything is set up, add a link or button to your Customer account page that redirects them to https://cards.{{domain name}}/edit, e.g. https://cards.acmebroker.com/edit.
