[Project] Enable new PayPal integration for all hosts

[Betree]

PayPal payouts and the upcoming PayPal subscriptions both use the new PayPal integration, based on connected accounts. Today, we need to set either settings.features.paypalPayouts or settings.features.paypalDonations to true to enable the connect form in their settings.

Making that public would allow any host to quickly set up PayPal payments + PayPal payouts without having to contact us.

The main blocker right now is about invoicing: hosts with PayPal payments activated need to be invoiced for us to retrieve platform tips. @kewitz feel free to share if you see any other issue with this change. edit: solved with transaction settlements

[kewitz]

@Betree I believe we also use this ConnectedAccount to decide if we want to display the adaptive method in the frontend or not.
Do you think we should deprecate the adaptive method for paying expenses and enforce payouts?

[Betree]

Do you think we should deprecate the adaptive method for paying expenses and enforce payouts?

@kewitz Some hosts like https://opencollective.com/paris are still using it as their default, but yes I think we should figure out a migration path for them and make Payouts the new default (without removing adaptive yet). My understanding is that Payouts worked great so far (nice job implementing it!), has fewer fees, and is linked in the same way as the new PayPal payments integration - thus providing the feature at no additional cost.

There's no emergency, but it would be great for us to figure that out in the next few months.

[Betree]

Some feedback regarding payouts: The feature must be manually enabled for each PayPal account by contacting PayPal's support. Open Collective Paris started the process, but PayPal asked for additional documents and info that they didn't have the capacity to produce at that time.

We're therefore back to the legacy adaptive integration for them. While I still think we should push for the new integration as default, we should also preserve the legacy adaptive one for now as a backup solution for hosts having troubles with PayPal.

I'll try to better document this process of enabling PayPal payouts to make things easier in the future.

[Betree]

We get a lot of requests to enable PayPal payments. We should iterate on this soon, as it generates some support.

[Betree]

I forgot to push for this one in the new sprint but I'd love to prioritize it asap. We get a lot of support because of this issue, which takes engineering time and provides a slow experience for users.

[kewitz]

Adaptive payments are also marked as deprecated on PayPal documentation.
I think we should also deprecate Adaptive payments on our side when enabling the new PayPal Payouts integration as default.

[Betree]

Once public, we should add it to this screen

[DV8FromTheWorld]

This is a problem for our collective. We opted for an independent collective and the lack of paypal support for it is biting us hard as many of our supporters are European and do not wish to use credit cards.

Based on the github tracker, 1-time paypal was launched more than a year ago
#3267

And reoccurring paypal was launched almost a year ago now
#1141 (comment)

It feels like this should be live for everyone at this point. I dislike the feeling that I need to move our collective to the Open Source Fiscal Host to enjoy the benefits of Paypal.

[BenJam]

• schedule call to talk about approach

[BenJam]

• have convo, update here (thanks @znarf)

[Betree]

@DV8FromTheWorld Sorry for not replying sooner, we actually enable PayPal payments per host upon request - please contact support@opencollective.com and we'll activate it manually.

[Betree]

Project update (2022-05-30)

Identified challenges

• The current flow for connecting PayPal is very tech-oriented (create app, copy-paste tokens, etc). It feels wrong to enable that for everyone if we don't simplify first.
• There are two features related to the connected PayPal account: payments and payouts. Hosts may want to enable one without the other.
• Payouts require manual approval from PayPal, and it's possible that payments sometimes require that as well. We need to make sure we detect which features are accessible and guide users to enable the ones that are missing.
• Some hosts (OCNZ) want to keep using adaptive

Best solution for this problem: the ideal PayPal connect flow

1. Land on the "Accept financial contributions" page (or admin > (Receiving payments | Receiving money))
2. Click on the "Connect PayPal" button
3. Go through the PayPal OAuth flow
4. We use your OAuth token to create an app and store the credentials (make sure we properly setup the webhooks)
5. Detect the account features: payments and/or payouts
6. Provide guidance in the interface (whether all features are enabled, and how to do so if not)
7. Admins can disable/enable payments/payouts from admin > (Receiving payments | Receiving money)
8. Admins can revoke their PayPal connection

Uncertainties

Given the plan above, it's unclear at this point:

• Whether we can use PayPal OAuth to create an application (with full access to webhooks, payouts, payments)
• Whether these permissions will work in production (that might be limited to PayPal partners)

In order to solve these uncertain points, we want to have a quick experiment this week. We'll update the MVP below based on our findings.

MVP

• Deprecate adaptive for real (annoy people with some banners & messages) Deprecate/Remove PayPal adaptive #5923
• Add an opt-in flag for hosts that want to keep using adaptive, then consider Payouts as the default
• Update the "Accept financial contributions page" to add the PayPal option (needs design)
• Let hosts select the aspects of the connected PayPal account that they want to enable - Payouts (features.paypalPayouts) and/or donations (features.paypalDonations) in the flow to connect accounts. (needs design)
• Implement the "Connect PayPal" flow
  • If OAuth is possible, use the "ideal flow" suggested above
  • If it requires to be a PayPal partner, let's try to apply to become a partner
  • Otherwise, let's design a dedicated page with embedded documentation and form fields, to simplify as much as we can

Context & followup issues

• Flag to disable batching for hosts who don't pay many expenses
• Enforce settlement invoices payments

[Betree]

I just had a try with the "Login with PayPal" feature, which turned up to be unsuccessful because these tokens cannot be used to create an application (we need one to plug in the webhooks). Depending on what we do in the future, this could still be useful so I'm adding the code I used below.

Get OAuth code:

<script src="https://www.paypalobjects.com/js/external/api.js"></script>

  React.useEffect(() => {
    window.paypal.use(['login'], login => {
      login.render({
        appid: 'Ad5ki1-m_JgvB34NPkE64D8GXo4yRz_dQtZPxyGHNGoBBy90d9IIK-fI7i2S1AOdMSEpUfgIqQ3r5kc9',
        authend: 'sandbox',
        scopes: 'openid profile email https://uri.paypal.com/services/paypalattributes',
        containerid: 'connect-paypal-container',
        responseType: 'code',
        locale: 'en-us',
        theme: 'neutral',
        buttonType: 'LWP',
        buttonShape: 'pill',
        buttonSize: 'lg',
        fullPage: 'true',
        returnurl: encodeURIComponent('https://opencollective.com/connected-accounts/paypal'),
      });
    });
  }, []);

  return <div id="connect-paypal-container" />;

Exchange OAuth code for a token:

    const code = 'C21AAKTlK66mNF9utLMw5vsJHkXd9O_xT_MHYw7Ql11N12o-kbaVHCKXZ6VSL1Kzvqgtqqy95kebg7IeMDOcNYfyWcyqT08NQ';
    const paypalClientId = 'Ad5ki1-m_JgvB34NPkE64D8GXo4yRz_dQtZPxyGHNGoBBy90d9IIK-fI7i2S1AOdMSEpUfgIqQ3r5kc9';
    const paypalSecret = 'EHFmTPqC7YhvMchRU9qX89FDbXgif-lWLwJo5kr09CVGaGKRLzItK_Z_RmplGPHzlyhpOMkuTNOKazGG';
    const response = await fetch('https://api-m.sandbox.paypal.com/v1/oauth2/token', {
      method: 'POST',
      body: `grant_type=authorization_code&code=${code}`,
      headers: {
        Authorization: `Basic ${btoa(`${paypalClientId}:${paypalSecret}`)}`,
        'Content-Type': 'application/x-www-form-urlencoded',
      },
    });

    const result = await response.json();
    const token = result.access_token;

Exploring an alternative: Multiparty payments

While researching this I ended up on the documentation for multiparty payments. PayPal provides this API for marketplaces to onboard sellers and use their accounts to trigger payments. Multiparty payments can potentially solve our issues and beyond:

• It allows creating orders and subscriptions using a previously linked 3rd party PayPal account
• It could let us collect a PARTNER_FEE directly (similarly to what we do with PayPal)
• It provides a nice OAuth-like flow for hosts to connect or create their PayPal account
  

There are still two uncertainties with that feature:

1. Is it possible to access the Payout API through multiparty payments?
2. Would Open Collective get accepted as an approved partner?

[kewitz]

@Betree I think the marketplace path is the right implementation for Open Collective.
This is pretty much the equivalent implementation we have for Stripe, and if we want to fully support PayPal this is the way to do it.

I think you're spot on the only caveat: Payouts.

[Betree]

I contacted PayPal support with Inc's account through https://www.paypal-support.com/s/contactsupport?language=en_US to enquire about the Multiparty API and getting approved as a partner.

Hi,

We are looking for improvements in how we allow our users to connect their PayPal accounts on https://opencollective.com. Our website offers a simplified interface for fiscal hosts to collect and disburse money for their hosted projects. We use PayPal to achieve that by letting them accept financial contributions (including subscriptions) and then paying out expenses through the PayPal Payouts API.

Connecting the PayPal accounts is currently a tedious manual process where users have to create an application with the suitable options enabled and then link them on our website by copy-pasting credentials. We want to provide a more automated flow where users can connect their PayPal accounts through a simple OAuth flow.

The Multi-Party payments API (https://developer.paypal.com/docs/multiparty/seller-onboarding/) seems like the best option for us as it could solve many of our issues and fits well with our the fact that we're acting as a "marketplace" where "vendors" (fiscal hosts) can connect their accounts and let the platform trigger transactions for them.
We, however, have two uncertainties about this API we hope someone in your team can help elucidate:
Is it possible to access the PayPal Payouts API through multi-party?
It looks like it requires to be approved as a PayPal partner. What would it take for us to be accepted as such? We are a US-based company with records of important financial activity across the last five years.

I'm happy to jump on a call if these things can be more easily discussed live. You can reach me at benjamin@opencollective.com.

Best Regards,
Benjamin Piouffle

[shannondwray]

We are getting ALOT of requests for this atm. I probably sent about 6 to @SudharakaP today alone

[Betree]

This issue is still a real pain point for ops/support, but we may solve it differently by limiting the PayPal feature to partner hosts only. It's an important discussion that I think should be on the table for the preparation of the next sprint.

@SudharakaP For now, don't spend too much time on this; It's ok to enable by batch every two weeks, if not every month (unless it's an important account we want to onboard quickly).

[alanna]

This is still coming up a lot - as a stopgap, could we add something in the app that makes it more clear that Host admins need to contact us to switch this on?

To test, I just activated a brand new Host, and Paypal payouts is activated by default, and you can just click "connect paypal" on the host dashboard, with no information about what people need to do in order to use it. So it looks like it should just work, but people actually need to contact us.