feat(authentication): add authentication api for modular authentication (#8459)

Co-authored-by: hyperswitch-bot[bot] <148525504+hyperswitch-bot[bot]@users.noreply.github.com>

api-reference/v1/openapi_spec_v1.json

@@ -30012,7 +30012,7 @@
       "ThreeDsData": {
         "type": "object",
         "required": [
-          "threeds_server_transaction_id",
+          "three_ds_server_transaction_id",
           "maximum_supported_3ds_version",
           "connector_authentication_id",
           "three_ds_method_data",
@@ -30021,7 +30021,7 @@
           "directory_server_id"
         ],
         "properties": {
-          "threeds_server_transaction_id": {
+          "three_ds_server_transaction_id": {
             "type": "string",
             "description": "The unique identifier for this authentication from the 3DS server."
           },

crates/api_models/src/authentication.rs

@@ -11,9 +11,9 @@ use serde::{Deserialize, Serialize};
 use time::PrimitiveDateTime;
 use utoipa::ToSchema;
 
-use crate::payments::CustomerDetails;
 #[cfg(feature = "v1")]
 use crate::payments::{Address, BrowserInformation, PaymentMethodData};
+use crate::payments::{CustomerDetails, DeviceChannel, SdkInformation, ThreeDsCompletionIndicator};
 
 #[derive(Debug, Clone, Serialize, Deserialize, ToSchema)]
 pub struct AuthenticationCreateRequest {
@@ -282,7 +282,7 @@ pub enum EligibilityResponseParams {
 pub struct ThreeDsData {
     /// The unique identifier for this authentication from the 3DS server.
     #[schema(value_type = String)]
-    pub threeds_server_transaction_id: Option<String>,
+    pub three_ds_server_transaction_id: Option<String>,
     /// The maximum supported 3DS version.
     #[schema(value_type = String)]
     pub maximum_supported_3ds_version: Option<common_utils::types::SemanticVersion>,
@@ -328,3 +328,80 @@ impl ApiEventMetric for AuthenticationEligibilityResponse {
         })
     }
 }
+
+#[derive(Debug, Clone, Serialize, Deserialize, ToSchema)]
+pub struct AuthenticationAuthenticateRequest {
+    /// Authentication ID for the authentication
+    #[serde(skip_deserializing)]
+    pub authentication_id: id_type::AuthenticationId,
+    /// Client secret for the authentication
+    #[schema(value_type = String)]
+    pub client_secret: Option<masking::Secret<String>>,
+    /// SDK Information if request is from SDK
+    pub sdk_information: Option<SdkInformation>,
+    /// Device Channel indicating whether request is coming from App or Browser
+    pub device_channel: DeviceChannel,
+    /// Indicates if 3DS method data was successfully completed or not
+    pub threeds_method_comp_ind: ThreeDsCompletionIndicator,
+}
+
+impl ApiEventMetric for AuthenticationAuthenticateRequest {
+    fn get_api_event_type(&self) -> Option<ApiEventsType> {
+        Some(ApiEventsType::Authentication {
+            authentication_id: self.authentication_id.clone(),
+        })
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, ToSchema)]
+pub struct AuthenticationAuthenticateResponse {
+    /// Indicates the transaction status
+    #[serde(rename = "trans_status")]
+    #[schema(value_type = Option<TransactionStatus>)]
+    pub transaction_status: Option<common_enums::TransactionStatus>,
+    /// Access Server URL to be used for challenge submission
+    pub acs_url: Option<url::Url>,
+    /// Challenge request which should be sent to acs_url
+    pub challenge_request: Option<String>,
+    /// Unique identifier assigned by the EMVCo(Europay, Mastercard and Visa)
+    pub acs_reference_number: Option<String>,
+    /// Unique identifier assigned by the ACS to identify a single transaction
+    pub acs_trans_id: Option<String>,
+    /// Unique identifier assigned by the 3DS Server to identify a single transaction
+    pub three_ds_server_transaction_id: Option<String>,
+    /// Contains the JWS object created by the ACS for the ARes(Authentication Response) message
+    pub acs_signed_content: Option<String>,
+    /// Three DS Requestor URL
+    pub three_ds_requestor_url: String,
+    /// Merchant app declaring their URL within the CReq message so that the Authentication app can call the Merchant app after OOB authentication has occurred
+    pub three_ds_requestor_app_url: Option<String>,
+
+    /// The error message for this authentication.
+    #[schema(value_type = String)]
+    pub error_message: Option<String>,
+    /// The error code for this authentication.
+    #[schema(value_type = String)]
+    pub error_code: Option<String>,
+    /// The authentication value for this authentication, only available in case of server to server request. Unavailable in case of client request due to security concern.
+    #[schema(value_type = String)]
+    pub authentication_value: Option<masking::Secret<String>>,
+    /// ECI indicator of the card, only available in case of server to server request. Unavailable in case of client request due to security concern.
+    pub eci: Option<String>,
+    /// The current status of the authentication (e.g., Started).
+    #[schema(value_type = AuthenticationStatus)]
+    pub status: common_enums::AuthenticationStatus,
+    /// The connector to be used for authentication, if known.
+    #[schema(value_type = Option<AuthenticationConnectors>, example = "netcetera")]
+    pub authentication_connector: Option<AuthenticationConnectors>,
+    /// The unique identifier for this authentication.
+    #[schema(value_type = String, example = "auth_mbabizu24mvu3mela5njyhpit4")]
+    pub authentication_id: id_type::AuthenticationId,
+}
+
+impl ApiEventMetric for AuthenticationAuthenticateResponse {
+    fn get_api_event_type(&self) -> Option<ApiEventsType> {
+        Some(ApiEventsType::Authentication {
+            authentication_id: self.authentication_id.clone(),
+        })
+    }
+}

crates/hyperswitch_connectors/src/connectors/unified_authentication_service.rs

@@ -27,8 +27,8 @@ use hyperswitch_domain_models::{
     },
     router_response_types::{PaymentsResponseData, RefundsResponseData},
     types::{
-        UasAuthenticationConfirmationRouterData, UasPostAuthenticationRouterData,
+        UasAuthenticationConfirmationRouterData, UasAuthenticationRouterData,
-        UasPreAuthenticationRouterData,
+        UasPostAuthenticationRouterData, UasPreAuthenticationRouterData,
     },
 };
 use hyperswitch_interfaces::{
@@ -490,6 +490,107 @@ impl
 impl ConnectorIntegration<Authenticate, UasAuthenticationRequestData, UasAuthenticationResponseData>
     for UnifiedAuthenticationService
 {
+    fn get_headers(
+        &self,
+        req: &UasAuthenticationRouterData,
+        connectors: &Connectors,
+    ) -> CustomResult<Vec<(String, masking::Maskable<String>)>, errors::ConnectorError> {
+        self.build_headers(req, connectors)
+    }
+
+    fn get_content_type(&self) -> &'static str {
+        self.common_get_content_type()
+    }
+
+    fn get_url(
+        &self,
+        _req: &UasAuthenticationRouterData,
+        connectors: &Connectors,
+    ) -> CustomResult<String, errors::ConnectorError> {
+        Ok(format!(
+            "{}authentication_initiation",
+            self.base_url(connectors)
+        ))
+    }
+
+    fn get_request_body(
+        &self,
+        req: &UasAuthenticationRouterData,
+        _connectors: &Connectors,
+    ) -> CustomResult<RequestContent, errors::ConnectorError> {
+        let transaction_details = req.request.transaction_details.clone();
+        let amount = utils::convert_amount(
+            self.amount_converter,
+            transaction_details
+                .amount
+                .ok_or(errors::ConnectorError::MissingRequiredField {
+                    field_name: "amount",
+                })?,
+            transaction_details
+                .currency
+                .ok_or(errors::ConnectorError::MissingRequiredField {
+                    field_name: "currency",
+                })?,
+        )?;
+
+        let connector_router_data =
+            unified_authentication_service::UnifiedAuthenticationServiceRouterData::from((
+                amount, req,
+            ));
+        let connector_req = unified_authentication_service::UnifiedAuthenticationServiceAuthenticateRequest::try_from(
+                    &connector_router_data,
+                )?;
+        Ok(RequestContent::Json(Box::new(connector_req)))
+    }
+
+    fn build_request(
+        &self,
+        req: &UasAuthenticationRouterData,
+        connectors: &Connectors,
+    ) -> CustomResult<Option<Request>, errors::ConnectorError> {
+        Ok(Some(
+            RequestBuilder::new()
+                .method(Method::Post)
+                .url(&types::UasAuthenticationType::get_url(
+                    self, req, connectors,
+                )?)
+                .attach_default_headers()
+                .headers(types::UasAuthenticationType::get_headers(
+                    self, req, connectors,
+                )?)
+                .set_body(types::UasAuthenticationType::get_request_body(
+                    self, req, connectors,
+                )?)
+                .build(),
+        ))
+    }
+
+    fn handle_response(
+        &self,
+        data: &UasAuthenticationRouterData,
+        event_builder: Option<&mut ConnectorEvent>,
+        res: Response,
+    ) -> CustomResult<UasAuthenticationRouterData, errors::ConnectorError> {
+        let response: unified_authentication_service::UnifiedAuthenticationServiceAuthenticateResponse =
+        res.response
+            .parse_struct("UnifiedAuthenticationService UnifiedAuthenticationServiceAuthenticateResponse")
+            .change_context(errors::ConnectorError::ResponseDeserializationFailed)?;
+        event_builder.map(|i| i.set_response_body(&response));
+        router_env::logger::info!(connector_response=?response);
+        RouterData::try_from(ResponseRouterData {
+            response,
+            data: data.clone(),
+            http_code: res.status_code,
+        })
+    }
+
+    fn get_error_response(
+        &self,
+        res: Response,
+        event_builder: Option<&mut ConnectorEvent>,
+    ) -> CustomResult<ErrorResponse, errors::ConnectorError> {
+        self.build_error_response(res, event_builder)
+    }
 }
 
 impl ConnectorIntegration<PSync, PaymentsSyncData, PaymentsResponseData>

crates/hyperswitch_connectors/src/connectors/unified_authentication_service/transformers.rs

@@ -2,14 +2,18 @@ use common_enums::{enums, MerchantCategoryCode};
 use common_types::payments::MerchantCountryCode;
 use common_utils::types::FloatMajorUnit;
 use hyperswitch_domain_models::{
+    ext_traits::OptionExt,
     router_data::{ConnectorAuthType, RouterData},
-    router_request_types::unified_authentication_service::{
+    router_request_types::{
-        AuthenticationInfo, DynamicData, PostAuthenticationDetails, PreAuthenticationDetails,
+        authentication::{AuthNFlowType, ChallengeParams},
-        TokenDetails, UasAuthenticationResponseData,
+        unified_authentication_service::{
+            AuthenticationInfo, DynamicData, PostAuthenticationDetails, PreAuthenticationDetails,
+            TokenDetails, UasAuthenticationResponseData,
+        },
     },
     types::{
-        UasAuthenticationConfirmationRouterData, UasPostAuthenticationRouterData,
+        UasAuthenticationConfirmationRouterData, UasAuthenticationRouterData,
-        UasPreAuthenticationRouterData,
+        UasPostAuthenticationRouterData, UasPreAuthenticationRouterData,
     },
 };
 use hyperswitch_interfaces::errors;
@@ -34,6 +38,8 @@ impl<T> From<(FloatMajorUnit, T)> for UnifiedAuthenticationServiceRouterData<T>
     }
 }
 
+use error_stack::ResultExt;
+
 #[derive(Debug, Serialize)]
 pub struct UnifiedAuthenticationServicePreAuthenticateRequest {
     pub authenticate_by: String,
@@ -135,7 +141,8 @@ pub enum MessageCategory {
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ThreeDSData {
-    pub preferred_protocol_version: Option<common_utils::types::SemanticVersion>,
+    pub preferred_protocol_version: common_utils::types::SemanticVersion,
+    pub threeds_method_comp_ind: api_models::payments::ThreeDsCompletionIndicator,
 }
 
 #[derive(Default, Clone, Debug, Serialize, Deserialize, PartialEq)]
@@ -775,3 +782,242 @@ pub struct ThreeDsMethodData {
     pub three_ds_method_notification_url: String,
     pub server_transaction_id: String,
 }
+
+#[derive(Serialize, Debug)]
+pub struct UnifiedAuthenticationServiceAuthenticateRequest {
+    pub authenticate_by: String,
+    pub source_authentication_id: common_utils::id_type::AuthenticationId,
+    pub transaction_details: TransactionDetails,
+    pub device_details: DeviceDetails,
+    pub customer_details: Option<CustomerDetails>,
+    pub auth_creds: UnifiedAuthenticationServiceAuthType,
+}
+
+#[derive(Default, Debug, Serialize, PartialEq)]
+pub struct ServiceDetails {
+    pub service_session_ids: Option<ServiceSessionIds>,
+    pub merchant_details: Option<MerchantDetails>,
+}
+
+#[derive(Serialize, Debug, Clone, Deserialize)]
+#[serde(untagged)]
+pub enum UnifiedAuthenticationServiceAuthenticateResponse {
+    Success(Box<ThreeDsResponseData>),
+    Failure(UnifiedAuthenticationServiceErrorResponse),
+}
+
+#[derive(Serialize, Debug, Clone, Deserialize)]
+pub struct ThreeDsResponseData {
+    pub three_ds_auth_response: ThreeDsAuthDetails,
+}
+
+#[derive(Serialize, Debug, Clone, Deserialize)]
+pub struct ThreeDsAuthDetails {
+    pub three_ds_server_trans_id: String,
+    pub acs_trans_id: String,
+    pub acs_reference_number: String,
+    pub acs_operator_id: Option<String>,
+    pub ds_reference_number: String,
+    pub ds_trans_id: String,
+    pub sdk_trans_id: Option<String>,
+    pub trans_status: common_enums::TransactionStatus,
+    pub acs_challenge_mandated: Option<ACSChallengeMandatedEnum>,
+    pub message_type: String,
+    pub message_version: String,
+    pub acs_url: Option<url::Url>,
+    pub challenge_request: Option<String>,
+    pub acs_signed_content: Option<String>,
+    pub authentication_value: Option<Secret<String>>,
+    pub eci: Option<String>,
+}
+
+#[derive(Debug, Serialize, Clone, Copy, Deserialize)]
+pub enum ACSChallengeMandatedEnum {
+    /// Challenge is mandated
+    Y,
+    /// Challenge is not mandated
+    N,
+}
+
+#[derive(Clone, Serialize, Debug)]
+pub struct DeviceDetails {
+    pub device_channel: api_models::payments::DeviceChannel,
+    pub browser_info: Option<BrowserInfo>,
+    pub sdk_info: Option<api_models::payments::SdkInformation>,
+}
+
+impl TryFrom<&UnifiedAuthenticationServiceRouterData<&UasAuthenticationRouterData>>
+    for UnifiedAuthenticationServiceAuthenticateRequest
+{
+    type Error = error_stack::Report<errors::ConnectorError>;
+    fn try_from(
+        item: &UnifiedAuthenticationServiceRouterData<&UasAuthenticationRouterData>,
+    ) -> Result<Self, Self::Error> {
+        let authentication_id = item.router_data.authentication_id.clone().ok_or(
+            errors::ConnectorError::MissingRequiredField {
+                field_name: "authentication_id",
+            },
+        )?;
+
+        let browser_info =
+            if let Some(browser_details) = item.router_data.request.browser_details.clone() {
+                BrowserInfo {
+                    color_depth: browser_details.color_depth,
+                    java_enabled: browser_details.java_enabled,
+                    java_script_enabled: browser_details.java_script_enabled,
+                    language: browser_details.language,
+                    screen_height: browser_details.screen_height,
+                    screen_width: browser_details.screen_width,
+                    time_zone: browser_details.time_zone,
+                    ip_address: browser_details.ip_address,
+                    accept_header: browser_details.accept_header,
+                    user_agent: browser_details.user_agent,
+                    os_type: browser_details.os_type,
+                    os_version: browser_details.os_version,
+                    device_model: browser_details.device_model,
+                    accept_language: browser_details.accept_language,
+                }
+            } else {
+                BrowserInfo::default()
+            };
+
+        let three_ds_data = ThreeDSData {
+            preferred_protocol_version: item
+                .router_data
+                .request
+                .pre_authentication_data
+                .message_version
+                .clone(),
+            threeds_method_comp_ind: item.router_data.request.threeds_method_comp_ind.clone(),
+        };
+
+        let device_details = DeviceDetails {
+            device_channel: item
+                .router_data
+                .request
+                .transaction_details
+                .device_channel
+                .clone()
+                .ok_or(errors::ConnectorError::MissingRequiredField {
+                    field_name: "device_channel",
+                })?,
+            browser_info: Some(browser_info),
+            sdk_info: item.router_data.request.sdk_information.clone(),
+        };
+
+        let message_category = item.router_data.request.transaction_details.message_category.clone().map(|category| match category {
+            hyperswitch_domain_models::router_request_types::authentication::MessageCategory::Payment => MessageCategory::Payment ,
+            hyperswitch_domain_models::router_request_types::authentication::MessageCategory::NonPayment => MessageCategory::NonPayment,
+        });
+
+        let transaction_details = TransactionDetails {
+            amount: item.amount,
+            currency: item
+                .router_data
+                .request
+                .transaction_details
+                .currency
+                .get_required_value("currency")
+                .change_context(errors::ConnectorError::InSufficientBalanceInPaymentMethod)?,
+            date: None,
+            pan_source: None,
+            protection_type: None,
+            entry_mode: None,
+            transaction_type: None,
+            otp_value: None,
+            three_ds_data: Some(three_ds_data),
+            message_category,
+        };
+        let auth_type =
+            UnifiedAuthenticationServiceAuthType::try_from(&item.router_data.connector_auth_type)?;
+
+        Ok(Self {
+            authenticate_by: item.router_data.connector.clone(),
+            source_authentication_id: authentication_id,
+            transaction_details,
+            auth_creds: auth_type,
+            device_details,
+            customer_details: None,
+        })
+    }
+}
+
+impl<F, T>
+    TryFrom<
+        ResponseRouterData<
+            F,
+            UnifiedAuthenticationServiceAuthenticateResponse,
+            T,
+            UasAuthenticationResponseData,
+        >,
+    > for RouterData<F, T, UasAuthenticationResponseData>
+{
+    type Error = error_stack::Report<errors::ConnectorError>;
+    fn try_from(
+        item: ResponseRouterData<
+            F,
+            UnifiedAuthenticationServiceAuthenticateResponse,
+            T,
+            UasAuthenticationResponseData,
+        >,
+    ) -> Result<Self, Self::Error> {
+        let response = match item.response {
+            UnifiedAuthenticationServiceAuthenticateResponse::Success(auth_response) => {
+                let authn_flow_type = match auth_response
+                    .three_ds_auth_response
+                    .acs_challenge_mandated
+                {
+                    Some(ACSChallengeMandatedEnum::Y) => {
+                        AuthNFlowType::Challenge(Box::new(ChallengeParams {
+                            acs_url: auth_response.three_ds_auth_response.acs_url.clone(),
+                            challenge_request: auth_response
+                                .three_ds_auth_response
+                                .challenge_request,
+                            acs_reference_number: Some(
+                                auth_response.three_ds_auth_response.acs_reference_number,
+                            ),
+                            acs_trans_id: Some(auth_response.three_ds_auth_response.acs_trans_id),
+                            three_dsserver_trans_id: Some(
+                                auth_response
+                                    .three_ds_auth_response
+                                    .three_ds_server_trans_id,
+                            ),
+                            acs_signed_content: auth_response
+                                .three_ds_auth_response
+                                .acs_signed_content,
+                        }))
+                    }
+                    Some(ACSChallengeMandatedEnum::N) | None => AuthNFlowType::Frictionless,
+                };
+                Ok(UasAuthenticationResponseData::Authentication {
+                    authentication_details: hyperswitch_domain_models::router_request_types::unified_authentication_service::AuthenticationDetails {
+                        authn_flow_type,
+                        authentication_value: auth_response.three_ds_auth_response.authentication_value,
+                        trans_status: auth_response.three_ds_auth_response.trans_status,
+                        connector_metadata: None,
+                        ds_trans_id: Some(auth_response.three_ds_auth_response.ds_trans_id),
+                        eci: auth_response.three_ds_auth_response.eci,
+                    },
+                })
+            }
+            UnifiedAuthenticationServiceAuthenticateResponse::Failure(error_response) => {
+                Err(hyperswitch_domain_models::router_data::ErrorResponse {
+                    code: hyperswitch_interfaces::consts::NO_ERROR_CODE.to_string(),
+                    message: error_response.error.clone(),
+                    reason: None,
+                    status_code: item.http_code,
+                    attempt_status: None,
+                    connector_transaction_id: None,
+                    network_advice_code: None,
+                    network_decline_code: None,
+                    network_error_message: None,
+                })
+            }
+        };
+
+        Ok(Self {
+            response,
+            ..item.data
+        })
+    }
+}

crates/hyperswitch_domain_models/src/authentication.rs

@@ -55,10 +55,10 @@ pub struct Authentication {
     pub return_url: Option<String>,
     pub amount: Option<common_utils::types::MinorUnit>,
     pub currency: Option<common_enums::Currency>,
-    #[encrypt]
+    #[encrypt(ty = Value)]
-    pub billing_address: Option<Encryptable<Secret<Value>>>,
+    pub billing_address: Option<Encryptable<crate::address::Address>>,
-    #[encrypt]
+    #[encrypt(ty = Value)]
-    pub shipping_address: Option<Encryptable<Secret<Value>>>,
+    pub shipping_address: Option<Encryptable<crate::address::Address>>,
     pub browser_info: Option<Value>,
     pub email: Option<Encryptable<Secret<String, pii::EmailStrategy>>>,
 }

crates/hyperswitch_domain_models/src/payment_method_data.rs

@@ -96,6 +96,14 @@ impl PaymentMethodData {
         }
     }
 
+    pub fn get_card_data(&self) -> Option<&Card> {
+        if let Self::Card(card) = self {
+            Some(card)
+        } else {
+            None
+        }
+    }
+
     pub fn extract_debit_routing_saving_percentage(
         &self,
         network: &common_enums::CardNetwork,

crates/hyperswitch_domain_models/src/router_request_types/unified_authentication_service.rs

@@ -5,7 +5,7 @@ use common_utils::types::MinorUnit;
 use masking::Secret;
 use time::PrimitiveDateTime;
 
-use crate::{address::Address, payment_method_data::PaymentMethodData};
+use crate::address::Address;
 
 #[derive(Clone, Debug)]
 pub struct UasPreAuthenticationRequestData {
@@ -43,9 +43,6 @@ pub struct AuthenticationInfo {
 }
 #[derive(Clone, Debug)]
 pub struct UasAuthenticationRequestData {
-    pub payment_method_data: PaymentMethodData,
-    pub billing_address: Address,
-    pub shipping_address: Option<Address>,
     pub browser_details: Option<super::BrowserInformation>,
     pub transaction_details: TransactionDetails,
     pub pre_authentication_data: super::authentication::PreAuthenticationData,
@@ -53,7 +50,6 @@ pub struct UasAuthenticationRequestData {
     pub sdk_information: Option<api_models::payments::SdkInformation>,
     pub email: Option<common_utils::pii::Email>,
     pub threeds_method_comp_ind: api_models::payments::ThreeDsCompletionIndicator,
-    pub three_ds_requestor_url: String,
     pub webhook_url: String,
 }
 

crates/router/src/core/payments.rs

@@ -9201,15 +9201,7 @@ pub async fn payment_external_authentication<F: Clone + Sync>(
             <ExternalAuthentication as UnifiedAuthenticationService>::authentication(
                 &state,
                 &business_profile,
-                payment_method_details.1,
+                &payment_method_details.1,
-                payment_method_details.0,
-                billing_address
-                    .as_ref()
-                    .map(|address| address.into())
-                    .ok_or(errors::ApiErrorResponse::MissingRequiredField {
-                        field_name: "billing_address",
-                    })?,
-                shipping_address.as_ref().map(|address| address.into()),
                 browser_info,
                 Some(amount),
                 Some(currency),
@@ -9221,7 +9213,6 @@ pub async fn payment_external_authentication<F: Clone + Sync>(
                 req.threeds_method_comp_ind,
                 optional_customer.and_then(|customer| customer.email.map(pii::Email::from)),
                 webhook_url,
-                authentication_details.three_ds_requestor_url.clone(),
                 &merchant_connector_account,
                 &authentication_connector,
                 Some(payment_intent.payment_id),

crates/router/src/core/unified_authentication_service.rs

@@ -7,7 +7,10 @@ use api_models::authentication::{
     AuthenticationEligibilityRequest, AuthenticationEligibilityResponse,
 };
 use api_models::{
-    authentication::{AcquirerDetails, AuthenticationCreateRequest, AuthenticationResponse},
+    authentication::{
+        AcquirerDetails, AuthenticationAuthenticateRequest, AuthenticationAuthenticateResponse,
+        AuthenticationCreateRequest, AuthenticationResponse,
+    },
     payments,
 };
 #[cfg(feature = "v1")]
@@ -42,6 +45,7 @@ use crate::{
     core::{
         authentication::utils as auth_utils,
         errors::utils::StorageErrorExt,
+        payments::helpers,
         unified_authentication_service::types::{
             ClickToPay, ExternalAuthentication, UnifiedAuthenticationService,
             UNIFIED_AUTHENTICATION_SERVICE,
@@ -50,6 +54,7 @@ use crate::{
     },
     db::domain,
     routes::SessionState,
+    services::AuthFlow,
     types::{domain::types::AsyncLift, transformers::ForeignTryFrom},
 };
 
@@ -373,9 +378,6 @@ impl UnifiedAuthenticationService for ExternalAuthentication {
     }
 
     fn get_authentication_request_data(
-        payment_method_data: domain::PaymentMethodData,
-        billing_address: hyperswitch_domain_models::address::Address,
-        shipping_address: Option<hyperswitch_domain_models::address::Address>,
         browser_details: Option<BrowserInformation>,
         amount: Option<common_utils::types::MinorUnit>,
         currency: Option<common_enums::Currency>,
@@ -387,12 +389,8 @@ impl UnifiedAuthenticationService for ExternalAuthentication {
         threeds_method_comp_ind: payments::ThreeDsCompletionIndicator,
         email: Option<common_utils::pii::Email>,
         webhook_url: String,
-        three_ds_requestor_url: String,
     ) -> RouterResult<UasAuthenticationRequestData> {
         Ok(UasAuthenticationRequestData {
-            payment_method_data,
-            billing_address,
-            shipping_address,
             browser_details,
             transaction_details: TransactionDetails {
                 amount,
@@ -420,7 +418,6 @@ impl UnifiedAuthenticationService for ExternalAuthentication {
             sdk_information,
             email,
             threeds_method_comp_ind,
-            three_ds_requestor_url,
             webhook_url,
         })
     }
@@ -429,10 +426,7 @@ impl UnifiedAuthenticationService for ExternalAuthentication {
     async fn authentication(
         state: &SessionState,
         business_profile: &domain::Profile,
-        payment_method: common_enums::PaymentMethod,
+        payment_method: &common_enums::PaymentMethod,
-        payment_method_data: domain::PaymentMethodData,
-        billing_address: hyperswitch_domain_models::address::Address,
-        shipping_address: Option<hyperswitch_domain_models::address::Address>,
         browser_details: Option<BrowserInformation>,
         amount: Option<common_utils::types::MinorUnit>,
         currency: Option<common_enums::Currency>,
@@ -444,16 +438,12 @@ impl UnifiedAuthenticationService for ExternalAuthentication {
         threeds_method_comp_ind: payments::ThreeDsCompletionIndicator,
         email: Option<common_utils::pii::Email>,
         webhook_url: String,
-        three_ds_requestor_url: String,
         merchant_connector_account: &MerchantConnectorAccountType,
         connector_name: &str,
         payment_id: Option<common_utils::id_type::PaymentId>,
     ) -> RouterResult<UasAuthenticationRouterData> {
         let authentication_data =
             <Self as UnifiedAuthenticationService>::get_authentication_request_data(
-                payment_method_data,
-                billing_address,
-                shipping_address,
                 browser_details,
                 amount,
                 currency,
@@ -465,12 +455,11 @@ impl UnifiedAuthenticationService for ExternalAuthentication {
                 threeds_method_comp_ind,
                 email,
                 webhook_url,
-                three_ds_requestor_url,
             )?;
         let auth_router_data: UasAuthenticationRouterData = utils::construct_uas_router_data(
             state,
             connector_name.to_string(),
-            payment_method,
+            payment_method.to_owned(),
             business_profile.merchant_id.clone(),
             None,
             authentication_data,
@@ -829,7 +818,7 @@ impl
             .attach_printable("Failed to parse three_ds_method_url")?;
 
         let three_ds_data = Some(api_models::authentication::ThreeDsData {
-            threeds_server_transaction_id: authentication.threeds_server_transaction_id,
+            three_ds_server_transaction_id: authentication.threeds_server_transaction_id,
             maximum_supported_3ds_version: authentication.maximum_supported_version,
             connector_authentication_id: authentication.connector_authentication_id,
             three_ds_method_data: authentication.three_ds_method_data,
@@ -873,17 +862,15 @@ pub async fn authentication_eligibility_core(
             id: authentication_id.get_string_repr().to_owned(),
         })?;
 
-    if let Some(client_secret) = &req.client_secret {
+    req.client_secret
-        let is_client_secret_expired =
+        .clone()
+        .map(|client_secret| {
             utils::authenticate_authentication_client_secret_and_check_expiry(
                 client_secret.peek(),
                 &authentication,
-            )?;
+            )
-
+        })
-        if is_client_secret_expired {
+        .transpose()?;
-            return Err(ApiErrorResponse::ClientSecretExpired.into());
-        };
-    };
     let key_manager_state = (&state).into();
 
     let profile_id = core_utils::get_profile_id_from_business_details(
@@ -1105,3 +1092,226 @@ pub async fn authentication_eligibility_core(
         response,
     ))
 }
+
+#[cfg(feature = "v1")]
+pub async fn authentication_authenticate_core(
+    state: SessionState,
+    merchant_context: domain::MerchantContext,
+    req: AuthenticationAuthenticateRequest,
+    auth_flow: AuthFlow,
+) -> RouterResponse<AuthenticationAuthenticateResponse> {
+    let authentication_id = req.authentication_id.clone();
+    let merchant_account = merchant_context.get_merchant_account();
+    let merchant_id = merchant_account.get_id();
+    let db = &*state.store;
+    let authentication = db
+        .find_authentication_by_merchant_id_authentication_id(merchant_id, &authentication_id)
+        .await
+        .to_not_found_response(ApiErrorResponse::AuthenticationNotFound {
+            id: authentication_id.get_string_repr().to_owned(),
+        })?;
+
+    req.client_secret
+        .map(|client_secret| {
+            utils::authenticate_authentication_client_secret_and_check_expiry(
+                client_secret.peek(),
+                &authentication,
+            )
+        })
+        .transpose()?;
+
+    let key_manager_state = (&state).into();
+
+    let profile_id = authentication.profile_id.clone();
+
+    let business_profile = db
+        .find_business_profile_by_profile_id(
+            &key_manager_state,
+            merchant_context.get_merchant_key_store(),
+            &profile_id,
+        )
+        .await
+        .to_not_found_response(ApiErrorResponse::ProfileNotFound {
+            id: profile_id.get_string_repr().to_owned(),
+        })?;
+
+    let email_encrypted = authentication
+        .email
+        .clone()
+        .async_lift(|inner| async {
+            domain::types::crypto_operation(
+                &key_manager_state,
+                common_utils::type_name!(Authentication),
+                domain::types::CryptoOperation::DecryptOptional(inner),
+                common_utils::types::keymanager::Identifier::Merchant(
+                    merchant_context
+                        .get_merchant_key_store()
+                        .merchant_id
+                        .clone(),
+                ),
+                merchant_context.get_merchant_key_store().key.peek(),
+            )
+            .await
+            .and_then(|val| val.try_into_optionaloperation())
+        })
+        .await
+        .change_context(ApiErrorResponse::InternalServerError)
+        .attach_printable("Unable to decrypt email from authentication table")?;
+
+    let browser_info = authentication
+        .browser_info
+        .clone()
+        .map(|browser_info| browser_info.parse_value::<BrowserInformation>("BrowserInformation"))
+        .transpose()
+        .change_context(ApiErrorResponse::InternalServerError)
+        .attach_printable("Unable to parse browser information from authentication table")?;
+
+    let (authentication_connector, three_ds_connector_account) =
+        auth_utils::get_authentication_connector_data(
+            &state,
+            merchant_context.get_merchant_key_store(),
+            &business_profile,
+            authentication.authentication_connector.clone(),
+        )
+        .await?;
+
+    let authentication_details = business_profile
+        .authentication_connector_details
+        .clone()
+        .ok_or(ApiErrorResponse::InternalServerError)
+        .attach_printable("authentication_connector_details not configured by the merchant")?;
+
+    let connector_name_string = authentication_connector.to_string();
+    let mca_id_option = three_ds_connector_account.get_mca_id();
+    let merchant_connector_account_id_or_connector_name = mca_id_option
+        .as_ref()
+        .map(|mca_id| mca_id.get_string_repr())
+        .unwrap_or(&connector_name_string);
+
+    let webhook_url = helpers::create_webhook_url(
+        &state.base_url,
+        merchant_id,
+        merchant_connector_account_id_or_connector_name,
+    );
+
+    let auth_response = <ExternalAuthentication as UnifiedAuthenticationService>::authentication(
+        &state,
+        &business_profile,
+        &common_enums::PaymentMethod::Card,
+        browser_info,
+        authentication.amount,
+        authentication.currency,
+        MessageCategory::Payment,
+        req.device_channel,
+        authentication.clone(),
+        None,
+        req.sdk_information,
+        req.threeds_method_comp_ind,
+        email_encrypted.map(common_utils::pii::Email::from),
+        webhook_url,
+        &three_ds_connector_account,
+        &authentication_connector.to_string(),
+        None,
+    )
+    .await?;
+
+    let authentication = utils::external_authentication_update_trackers(
+        &state,
+        auth_response,
+        authentication.clone(),
+        None,
+        merchant_context.get_merchant_key_store(),
+        None,
+        None,
+        None,
+        None,
+    )
+    .await?;
+
+    let (authentication_value, eci) = match auth_flow {
+        AuthFlow::Client => (None, None),
+        AuthFlow::Merchant => {
+            if let Some(common_enums::TransactionStatus::Success) = authentication.trans_status {
+                let tokenised_data = crate::core::payment_methods::vault::get_tokenized_data(
+                    &state,
+                    authentication_id.get_string_repr(),
+                    false,
+                    merchant_context.get_merchant_key_store().key.get_inner(),
+                )
+                .await
+                .inspect_err(|err| router_env::logger::error!(tokenized_data_result=?err))
+                .attach_printable("cavv not present after authentication status is success")?;
+                (
+                    Some(masking::Secret::new(tokenised_data.value1)),
+                    authentication.eci.clone(),
+                )
+            } else {
+                (None, None)
+            }
+        }
+    };
+
+    let response = AuthenticationAuthenticateResponse::foreign_try_from((
+        &authentication,
+        authentication_value,
+        eci,
+        authentication_details,
+    ))?;
+
+    Ok(hyperswitch_domain_models::api::ApplicationResponse::Json(
+        response,
+    ))
+}
+
+impl
+    ForeignTryFrom<(
+        &Authentication,
+        Option<masking::Secret<String>>,
+        Option<String>,
+        diesel_models::business_profile::AuthenticationConnectorDetails,
+    )> for AuthenticationAuthenticateResponse
+{
+    type Error = error_stack::Report<ApiErrorResponse>;
+
+    fn foreign_try_from(
+        (authentication, authentication_value, eci, authentication_details): (
+            &Authentication,
+            Option<masking::Secret<String>>,
+            Option<String>,
+            diesel_models::business_profile::AuthenticationConnectorDetails,
+        ),
+    ) -> Result<Self, Self::Error> {
+        let authentication_connector = authentication
+            .authentication_connector
+            .as_ref()
+            .map(|connector| common_enums::AuthenticationConnectors::from_str(connector))
+            .transpose()
+            .change_context(ApiErrorResponse::InternalServerError)
+            .attach_printable("Incorrect authentication connector stored in table")?;
+        let acs_url = authentication
+            .acs_url
+            .clone()
+            .map(|acs_url| url::Url::parse(&acs_url))
+            .transpose()
+            .change_context(ApiErrorResponse::InternalServerError)
+            .attach_printable("Unable to parse the url with param")?;
+        Ok(Self {
+            transaction_status: authentication.trans_status.clone(),
+            acs_url,
+            challenge_request: authentication.challenge_request.clone(),
+            acs_reference_number: authentication.acs_reference_number.clone(),
+            acs_trans_id: authentication.acs_trans_id.clone(),
+            three_ds_server_transaction_id: authentication.threeds_server_transaction_id.clone(),
+            acs_signed_content: authentication.acs_signed_content.clone(),
+            three_ds_requestor_url: authentication_details.three_ds_requestor_url.clone(),
+            three_ds_requestor_app_url: authentication_details.three_ds_requestor_app_url.clone(),
+            error_code: None,
+            error_message: authentication.error_message.clone(),
+            authentication_value,
+            status: authentication.authentication_status,
+            authentication_connector,
+            eci,
+            authentication_id: authentication.authentication_id.clone(),
+        })
+    }
+}

crates/router/src/core/unified_authentication_service/types.rs

@@ -78,9 +78,6 @@ pub trait UnifiedAuthenticationService {
 
     #[allow(clippy::too_many_arguments)]
     fn get_authentication_request_data(
-        _payment_method_data: domain::PaymentMethodData,
-        _billing_address: hyperswitch_domain_models::address::Address,
-        _shipping_address: Option<hyperswitch_domain_models::address::Address>,
         _browser_details: Option<BrowserInformation>,
         _amount: Option<common_utils::types::MinorUnit>,
         _currency: Option<common_enums::Currency>,
@@ -92,7 +89,6 @@ pub trait UnifiedAuthenticationService {
         _threeds_method_comp_ind: payments::ThreeDsCompletionIndicator,
         _email: Option<common_utils::pii::Email>,
         _webhook_url: String,
-        _three_ds_requestor_url: String,
     ) -> RouterResult<UasAuthenticationRequestData> {
         Err(errors::ApiErrorResponse::NotImplemented {
             message: NotImplementedMessage::Reason(
@@ -106,10 +102,7 @@ pub trait UnifiedAuthenticationService {
     async fn authentication(
         _state: &SessionState,
         _business_profile: &domain::Profile,
-        _payment_method: common_enums::PaymentMethod,
+        _payment_method: &common_enums::PaymentMethod,
-        _payment_method_data: domain::PaymentMethodData,
-        _billing_address: hyperswitch_domain_models::address::Address,
-        _shipping_address: Option<hyperswitch_domain_models::address::Address>,
         _browser_details: Option<BrowserInformation>,
         _amount: Option<common_utils::types::MinorUnit>,
         _currency: Option<common_enums::Currency>,
@@ -121,7 +114,6 @@ pub trait UnifiedAuthenticationService {
         _threeds_method_comp_ind: payments::ThreeDsCompletionIndicator,
         _email: Option<common_utils::pii::Email>,
         _webhook_url: String,
-        _three_ds_requestor_url: String,
         _merchant_connector_account: &MerchantConnectorAccountType,
         _connector_name: &str,
         _payment_id: Option<common_utils::id_type::PaymentId>,

crates/router/src/core/unified_authentication_service/utils.rs

@@ -246,12 +246,10 @@ pub async fn external_authentication_update_trackers<F: Clone, Req>(
                     .ok_or(ApiErrorResponse::InternalServerError)
                     .attach_printable("missing trans_status in PostAuthentication Details")?;
 
-                let authentication_value = authentication_details
+                authentication_details
                     .dynamic_data_details
                     .and_then(|details| details.dynamic_data_value)
-                    .map(ExposeInterface::expose);
+                    .map(ExposeInterface::expose)
-
-                authentication_value
                     .async_map(|auth_val| {
                         crate::core::payment_methods::vault::create_tokenize(
                             state,
@@ -324,7 +322,7 @@ pub fn get_checkout_event_status_and_reason(
 pub fn authenticate_authentication_client_secret_and_check_expiry(
     req_client_secret: &String,
     authentication: &diesel_models::authentication::Authentication,
-) -> RouterResult<bool> {
+) -> RouterResult<()> {
     let stored_client_secret = authentication
         .authentication_client_secret
         .clone()
@@ -342,8 +340,10 @@ pub fn authenticate_authentication_client_secret_and_check_expiry(
             .created_at
             .saturating_add(time::Duration::seconds(DEFAULT_SESSION_EXPIRY));
 
-        let expired = current_timestamp > session_expiry;
+        if current_timestamp > session_expiry {
-
+            Err(report!(ApiErrorResponse::ClientSecretExpired))
-        Ok(expired)
+        } else {
+            Ok(())
+        }
     }
 }

crates/router/src/routes/app.rs

@@ -2792,6 +2792,10 @@ impl Authentication {
                 web::resource("/{authentication_id}/eligibility")
                     .route(web::post().to(authentication::authentication_eligibility)),
             )
+            .service(
+                web::resource("/{authentication_id}/authenticate")
+                    .route(web::post().to(authentication::authentication_authenticate)),
+            )
     }
 }
 

crates/router/src/routes/authentication.rs

@@ -1,7 +1,7 @@
 use actix_web::{web, HttpRequest, Responder};
-use api_models::authentication::AuthenticationCreateRequest;
 #[cfg(feature = "v1")]
 use api_models::authentication::AuthenticationEligibilityRequest;
+use api_models::authentication::{AuthenticationAuthenticateRequest, AuthenticationCreateRequest};
 use router_env::{instrument, tracing, Flow};
 
 use crate::{
@@ -81,3 +81,47 @@ pub async fn authentication_eligibility(
     ))
     .await
 }
+
+#[cfg(feature = "v1")]
+#[instrument(skip_all, fields(flow = ?Flow::AuthenticationAuthenticate))]
+pub async fn authentication_authenticate(
+    state: web::Data<app::AppState>,
+    req: HttpRequest,
+    json_payload: web::Json<AuthenticationAuthenticateRequest>,
+    path: web::Path<common_utils::id_type::AuthenticationId>,
+) -> impl Responder {
+    let flow = Flow::AuthenticationAuthenticate;
+    let authentication_id = path.into_inner();
+    let api_auth = auth::ApiKeyAuth::default();
+    let payload = AuthenticationAuthenticateRequest {
+        authentication_id,
+        ..json_payload.into_inner()
+    };
+
+    let (auth, auth_flow) =
+        match auth::check_client_secret_and_get_auth(req.headers(), &payload, api_auth) {
+            Ok((auth, auth_flow)) => (auth, auth_flow),
+            Err(e) => return api::log_and_return_error_response(e),
+        };
+
+    Box::pin(api::server_wrap(
+        flow,
+        state,
+        &req,
+        payload,
+        |state, auth: auth::AuthenticationData, req, _| {
+            let merchant_context = domain::MerchantContext::NormalMerchant(Box::new(
+                domain::Context(auth.merchant_account, auth.key_store),
+            ));
+            unified_authentication_service::authentication_authenticate_core(
+                state,
+                merchant_context,
+                req,
+                auth_flow,
+            )
+        },
+        &*auth,
+        api_locking::LockAction::NotApplicable,
+    ))
+    .await
+}

crates/router/src/routes/lock_utils.rs

@@ -355,7 +355,9 @@ impl From<Flow> for ApiIdentifier {
 
             Flow::RevenueRecoveryRetrieve => Self::ProcessTracker,
 
-            Flow::AuthenticationCreate | Flow::AuthenticationEligibility => Self::Authentication,
+            Flow::AuthenticationCreate
+            | Flow::AuthenticationEligibility
+            | Flow::AuthenticationAuthenticate => Self::Authentication,
             Flow::Proxy => Self::Proxy,
 
             Flow::ProfileAcquirerCreate | Flow::ProfileAcquirerUpdate => Self::ProfileAcquirer,

crates/router/src/services/authentication.rs

@@ -4227,6 +4227,14 @@ impl ClientSecretFetch for api_models::authentication::AuthenticationEligibility
     }
 }
 
+impl ClientSecretFetch for api_models::authentication::AuthenticationAuthenticateRequest {
+    fn get_client_secret(&self) -> Option<&String> {
+        self.client_secret
+            .as_ref()
+            .map(|client_secret| client_secret.peek())
+    }
+}
+
 pub fn get_auth_type_and_flow<A: SessionStateInfo + Sync + Send>(
     headers: &HeaderMap,
     api_auth: ApiKeyAuth,

crates/router_env/src/logger/types.rs

@@ -604,6 +604,8 @@ pub enum Flow {
     AuthenticationCreate,
     /// Authentication Eligibility flow
     AuthenticationEligibility,
+    /// Authentication Authenticate flow
+    AuthenticationAuthenticate,
     ///Proxy Flow
     Proxy,
     /// Profile Acquirer Create flow