Walmart Authentication
Version | Date | Created / Updated | Notes |
---|---|---|---|
v1.0 | | Hristiyan Georgiev | First publish |
Walmart has changed its API handling to be app-based, like many other marketplaces (TikTok, Shein, etc.): the customer installs the app, and all API communication then happens through it. Because of this, Walmart is enforcing a new OAuth 2.0 token-based authorization for all approved service partners, and as one of them we need to implement this auth type.
The OAuth protocol enables a seller to grant a third-party application access to a seller’s protected data resources on Seller Center. This token-based authentication process reduces the number of required headers per API call and allows an easy integration with Walmart APIs.
In order for this to work, we will need to use our callbacks. We need to create a link which will get sent to the user so they can authenticate our app by logging into their Walmart Seller Center. An important thing is that there is a requirement by Walmart that this gets done via a “Connect” button in our interface (they require this through a demo).
So based on this, our trigger would be a “Connect” button which will send the link to the user’s email address. We will need a new field in Channel Walmart called Client Email and a button called “Start Walmart Authorisation”. Upon pressing this button, the user should receive the link at the email address that was filled in. After the button is pressed, we should raise the (new) flag Channel Walmart > OAuth Began = Yes.
The link we need to generate is as follows : https://login.account.wal-mart.com/consent?redirectUri=https://callbacks-new.wearepentagon.com/callbacks/walmart/authorize&nonce=L8VYPBYOO5&clientType=seller&clientId=2a44c735-6d2a-4061-8aa8-5436d9306fe1&state=123asd&responseType=code
Since we have an app now, it has its own clientId, which we need to pass in the generated link, and also a client secret, which is not used for the generated link. We want to introduce those and add them in the integrations_credentials table with label “Walmart”. Since we have only one app (for now), we don’t want to have an Integration field in Channel Walmart, as there will be only one set of integration credentials. When creating the integrations_credentials entry, please ask @Hristiyan Georgiev for the client id and client secret.
Note ❗ At the moment we have fields client_secret and client_id in Channel Walmart; we need to deprecate and remove them.
Please note that ‘nonce’ is a randomly generated alphanumeric string, for example ‘22e0688e’, ‘91d86d9’, or ‘1opjmhumpr’. This parameter is used solely in the authorization redirect, providing an extra layer of security. The ‘nonce’ is not necessary for other API calls such as those involving access tokens or refresh tokens. We also need to generate the correct state in our link for the callback.
Once the link is followed, the client needs to approve the authorization and will then be redirected to our redirectUri, which needs to be https://callbacks-new.wearepentagon.com/callbacks/walmart/authorize. In that redirect, we will receive an auth_code and sellerId. Using the code and sellerId, we will be able to obtain the access and refresh tokens.
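One way to generate the nonce and a state the callback can trust, as an added example that is not our existing code: the state carries the channel id and is HMAC-signed, so the callback can tell which channel the returned code belongs to and reject a forged or stale state. The signing key, the one-day lifetime and all function names are assumptions; the client id is passed in rather than hardcoded.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

CONSENT_URL = "https://login.account.wal-mart.com/consent"
REDIRECT_URI = "https://callbacks-new.wearepentagon.com/callbacks/walmart/authorize"
STATE_TTL = 24 * 3600  # assumption: an emailed link is honoured for one day


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest().encode()


def make_state(key, channel_id, now=None):
    """state = base64url(JSON{channel, issued-at, random}) + "." + HMAC-SHA256."""
    body = json.dumps({"c": channel_id, "t": int(now or time.time()),
                       "r": secrets.token_hex(8)}).encode()
    payload = base64.urlsafe_b64encode(body)
    return (payload + b"." + _sign(key, payload)).decode()


def build_consent_link(key, client_id, channel_id, now=None):
    """Consent link with a fresh nonce and a state bound to one channel."""
    return CONSENT_URL + "?" + urlencode({
        "redirectUri": REDIRECT_URI,
        "nonce": secrets.token_hex(5),  # 10 random alphanumeric characters
        "clientType": "seller",
        "clientId": client_id,
        "state": make_state(key, channel_id, now),
        "responseType": "code",
    })


def verify_state(key, state, now=None):
    """Return the channel id the state was issued for, or None if forged or expired."""
    payload, _, sig = state.encode().partition(b".")
    if not hmac.compare_digest(_sign(key, payload), sig):
        return None
    data = json.loads(base64.urlsafe_b64decode(payload))
    if (now or time.time()) - data["t"] > STATE_TTL:
        return None
    return data["c"]
```

The state here is not single-use; requiring Channel Walmart > OAuth Began = Yes on the returned channel before exchanging the code is one way to reject a replayed callback.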
API Call : POST https://marketplace.walmartapis.com/v3/token
API Docs : https://developer.walmart.com/us-marketplace/docs/log-in-and-authorize-app-scope-copy and https://developer.walmart.com/us-marketplace/reference/tokenapi
Request headers:
Parameter | Description | Notes |
---|---|---|
WM_PARTNER.ID | SellerId received with authorization code in the redirectUri | Example id : 43423324 |
WM_MARKET | Optional. Default: us (USA) Available marketplace location: us (USA), mx (Mexico) or ca (Canada) | As per tag <v1.2> in Walmart page |
Authorization | Basic authentication using clientId and client secret of our app. | clientId and client secret to be picked from integrations_credentials |
Content-Type | Content type of the request body. | application/x-www-form-urlencoded |
WM_CONSUMER.CHANNEL.TYPE | Optional. A unique ID to track the consumer request by channel. Use the Consumer Channel Type received during onboarding | Hardcoded as “58170b3b-fa2f-4d61-aac0-7cb73e8d295e” |
WM_QOS.CORRELATION_ID | A unique ID which identifies each API call and used to track and debug issues; use a random generated GUID for this ID | |
WM_SVC.NAME | Walmart Service Name | Hardcoded as “Walmart Marketplace” |
Request body:
Parameter | Description | Notes |
---|---|---|
grant_type | Type of grant requested | Hardcoded as “authorization_code” |
code | The authorization code received in the redirectUri | Sample code : 65CA5DA313A549D49D15D3119D9AD85D |
redirect_uri | This should be same as one of your URI provided while registering the app. | Should be https://callbacks-new.wearepentagon.com/callbacks/walmart/authorize |
Example response :
<OAuthTokenDTO>
<accessToken>eyJraWQiOiIxZjAyYzhiYy0xY2ZhLTRiNTQtOWVjYS02MzBjNzdjOTE2ZGYiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..2bDuLY_5WJ-am8Uz.MZYSIKfA1A7CyZ1gWNJU4HmmMXPCyFaF7_qgnqVa8EWfgkiFjlMB-8zwlyadZMvP44Q8vd4sHCFtsoDAU23D98aJPbfNKS1ZXWE7eLwe97ShRFgRwVCng7x9JU2poB1kgMr_iXuT4cTCO_64t-JhziPTC9ukWMqqpkzRbDaUR0efwjs29nt8-Txz3zF5bkyd3TCh891ztHWJH5n5h08ujyX_hotfpDPoO6ZxIMk4cRfNoI1KmLcFsj_e48UVGzMOZL3-zqSnjgyxwQfPq2K20AVI1jKtgMUgKlLbLnGwGv-eEo1Ci__-f1F2zncPX3O6GJL2PT2m4udJ3hz5uqCTuJrpQKkHozk2ntUcbwt4ewwkLHmT6tOOw1V6cRqn0p1K1C0ppx6Urh1ejEvpjFsiizMKVN2FKkvbgrSu6RqZc7a6qEs_xgEZ1i5UDSJp9-riZavbeQPiof-lx7k4zkmsDkTotE46rcXX8AKVpT2DV-BRtF2teWxDEsN2IMqzkCX8PObSibrSgchFpP8kO1T79hV0_enSyvc6I8nCimPd7DAMuDiV6G2MPxEo_HWgEMVJFOmA8mNAoPEDMScCn2wSzefqRaALyaeV8bkjshGrJXI6z7IMthSu9ZE_Y9YkZeuCp9oDcjhLxjUmJoHXWtB310mu15cNa8BBIwxg9snEneKDAOs6MT0Dj1cnp3G4KYm6sTho7BLVnByQJSiJiWhCOi_AoOwJ-GsA-hCl1V_PBEc7Kg_DXQUejuTse_cSoF7QpXBMwXByYVj1o4EcDXXK5BPRVdaWLSPjKcVOWk6zRMxYeImBapLz2vGSH3XEn767j5Q7F3DTwFHAocDeApHTeA5EWgYBzru-49wJ_4u-lCMsFdhRzoiWETIHozSAufc.6U4y1dolabtxgaGWDrY_ug</accessToken>
<refreshToken>AIbQ_LQBgm2cuB3cGQ1h9PIyTqo4CJdkWDit6A1LXi1tw71nCJTy6tb_Ucp57gRJgT0OIV1CxRIGgH98Npa5DqE</refreshToken>
<tokenType>Bearer</tokenType>
<expiresIn>1800</expiresIn>
</OAuthTokenDTO>
We then need to save the access and refresh tokens. According to Walmart, the refresh token is valid for 1 year, so we will need to set an expiry date of 1 year at the time of saving the refresh token. Please note that after the refresh token expires, the seller will again need to authorise our app so we can get a new refresh token. As a suggestion, we can send a new email explaining that the token is about to expire to the Channel > Client Email 5 days before the token expiry. This way we will ensure the email is sent in a timely manner, allowing the sellers some time to refresh it.
We want to save the accessToken into Channel Walmart > Access Token and the refreshToken into Channel Walmart > Refresh Token; these fields need to be hidden in the UI. We will need an additional field called Channel Walmart > Refresh Token Expiration Date, where we will input the expiry date of the refresh token.
The access token expires every 15 minutes and we need to refresh it using the refresh token.
This is done via the same call as above, with the only difference being in the body, in which we need to send only the grant_type and refresh_token :
Parameter | Description | Notes |
---|---|---|
grant_type | Type of grant requested | Hardcoded as “access_token” |
refresh_token | The refresh token received as the response of Authentication API | To be picked from Channel Walmart > Refresh Token |
Example response :
<OAuthTokenDTO>
<accessToken>eyJraWQiOiIxZjAyYzhiYy0xY2ZhLTRiNTQtOWVjYS02MzBjNzdjOTE2ZGYiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..OkbVCJiXgTgHpmuB.iOY3U5LEGRLLJ7qr8vMdvy3dWoAn3frQEJtC1pfrPPXPssy1jBt2Vpe13HCRfFeEOg8xhZXzA4os8T0dJFMxuUy1tAxYQ6rIb7uljT_BdUpC-2TrQG3BJd25qC_jDjIhJ31lF-d6QXj4iY0MIS40Pb28tEDLCcfpxspWFI45wfYWszgQcUV7NtSxBVDsIovsypq9koYzimMnZ0nwTkND__zKCW7mDAduwO9PUtJD1lt86qEiBLG4_FrCce2ANEMyGw4pMX2VcqRTyzDy0VYSxdiftRtwBRqzePjNYKR1-LJv0l3Oj5EiR74TtWjEQn-t5u4DUJHZwM0xB8-hDOcvQ4PTpZsWYN0SYMd2XlIILvgGREEXXcQP_1ad3zx6eatAN-Ej33MRn3tG1Dj3LUipeDH3uSHkjqnIF-zDdWdr9sp4oktljVUy30_ronVCeru7_PeeNnNrKfo08v6G1yXPsKYtYYaUSXmFzzw323bmOceVLMprW1SlPSaixzMQCvxz4CTTOvY70RmpVyP52uadKL2wf9md4rrO4G4-bWNIAhsCGtja_d08F6uWn4NrUEPlVIilzbrxiYzfYajBYG2Me1iFPz36KsUe85Lr8ZYp8rVvZYYndkZLBVSO-UrliL4Jp97gUjI-MLxexeVwudZmZ7uzus5VkGY9DY3g9Gj_P_rMclWApytIYv6k89nkfJq5SQisW4PMY-PiAi8e_CS3LdKe9OhEc1bJwukm7i7jwzjucWSW9jAFPs_cEy6lESQtAhbO4Wt1NR3ys6nkMXhMkzrYqXndxEF_AXVyQ7QvUE3fguZNNJ4ggdNYvbDmpurii-XgZv5KicT0Ttv4_cK8CY4I1QYiCAmczUhMXfGasnO3MCdhv15-k7W9UYJuiEStW13SjLlM5yvUNoXaPte50LTg_cKtsAZAT74c8h065aD3l8Q3-TsxpCd9nlpDCFFJIzgP15Mgmaqp5KuPqyfbTXvtH1KPbpq37znXKm1wHcmfKpEf8bmKBsV7woT0bQb8Gl1i_CCT0UyQyrfIeeYDLN1tLYI3AfC1HgvaslIWqoLGQUdK9v4ah5mfBCdOAocDttSrgOd0SJNMPGtLpXyy.kcMcEdvsCpPZORCmJQhHng</accessToken>
<tokenType>Bearer</tokenType>
<expiresIn>1800</expiresIn>
</OAuthTokenDTO>
From the response we overwrite the accessToken into Channel Walmart > Access Token.
If we receive an error in any of the calls we want to display it in the terminal when run with DEVMODETRUE.
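The authorization_code token call and the handling of both response shapes described above, as an added example that is not our existing code. It builds the required headers and form body, maps an OAuthTokenDTO to the values stored on the channel (taking the access-token lifetime from expiresIn and leaving the refresh fields empty when no refreshToken is returned), and masks the Authorization header for dev-mode output. Function names and the sample XML are assumptions; the optional headers are omitted.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import timedelta
from urllib.parse import urlencode

REDIRECT_URI = "https://callbacks-new.wearepentagon.com/callbacks/walmart/authorize"
REFRESH_TOKEN_LIFETIME = timedelta(days=365)  # "valid for 1 year" per this page

# Constructed sample in the shape of the response above (token values are fake).
SAMPLE_RESPONSE = (
    "<OAuthTokenDTO><accessToken>ACCESS.PLACEHOLDER</accessToken>"
    "<refreshToken>REFRESH.PLACEHOLDER</refreshToken>"
    "<tokenType>Bearer</tokenType><expiresIn>1800</expiresIn></OAuthTokenDTO>"
)


def build_token_request(client_id, client_secret, seller_id, code):
    """Headers and form body for POST /v3/token (authorization_code grant)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "WM_PARTNER.ID": seller_id,
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
        "WM_QOS.CORRELATION_ID": str(uuid.uuid4()),  # fresh GUID per call
        "WM_SVC.NAME": "Walmart Marketplace",
    }
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return headers, body


def parse_token_response(xml_text, now):
    """Map an OAuthTokenDTO to the values stored on the channel."""
    root = ET.fromstring(xml_text)
    if root.tag != "OAuthTokenDTO" or not root.findtext("accessToken"):
        raise ValueError("unexpected token response")
    refresh = root.findtext("refreshToken")  # absent in refresh responses
    return {
        "access_token": root.findtext("accessToken"),
        "access_expires_at": now + timedelta(seconds=int(root.findtext("expiresIn"))),
        "refresh_token": refresh,
        "refresh_expires_at": now + REFRESH_TOKEN_LIFETIME if refresh else None,
    }


def redact(headers):
    """Copy of the headers that is safe to print in dev-mode error output."""
    return {k: ("Basic ***" if k == "Authorization" else v) for k, v in headers.items()}
```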