Callbacks

During a purchase with an embedded checkout solution like Klarna Checkout, there are a number of http requests back and forth to keep WooCommerce and Klarna in sync. It’s important that these requests can be executed without being blocked, otherwise the customer will not be able to create an order in WooCommerce.

Requirements for getting callbacks to work

The website needs to have a publicly queryable URL (use a service like ngrok.com if you want to use KCO in a local development environment).
The website needs to have https configured correctly (not only in checkout, but for the entire website).
Pretty permalinks must be enabled in your WordPress installation.
Multilingual plugins must not alter the URL structure for WooCommerce API Callbacks (e.g. change http://yoursite.com/wc-api/CALLBACK/ to http://yoursite.com/en/wc-api/CALLBACK/).

Be aware of firewalls and security plugins

Even if you fulfill all of the requirements mentioned above, you might still experience issues. If you have a firewall solution or a security plugin installed those could block access to the WC-API endpoints and by that making the callbacks to fail. If you are using Cloudflare CDN and their WAF Firewall (or other WAF/CDN too like Sucuri or similar server hosting firewalls) you need to create a specific Page Rule to whitelist the API-calls that is needed for the Klarna plugin to work properly.

We recommend (if possible) to whitelist:

https://domain.topdomain/wc-api/*

But if you want to specify what URLs to whitelist you can use these:

https://domain.topdomain/wc-api/KCO_WC_Push/*

https://domain.topdomain/wc-api/KCO_WC_Notification/*

https://domain.topdomain/wc-api/KCO_WC_Shipping_Option_Update/*

https://domain.topdomain/wc-api/KCO_WC_Validation/*

ModSecurity firewall blocking push notifications from Klarna

Unacknowledged orders in the Klarna Merchant Portal showing 403 errors from the Klarna Order Management API when looking in the Klarna Portal logs.

The order in WooCommerce are in Pending Payment status and have the note payment has not been finalized with Klarna.

This is triggered by a rule in the web hosting servers WAF (Web Application Firewall) called ModSecurity as Klarna does not send a regular User-agent (they send APIs-Klarna) when calling this request URL, which triggers the rule 211180 Comodo WAF Litespeed.

COMODO WAF: Session Fixation: SessionID Parameter Name with No Referer

request_path:

https://yourdomain.com/wc-api/KCO_WC_Push/?kco-action=push&kco_wc_order_id=THE-ORDER-ID&kco_session_id=THE-SESSION-ID

Important: If the Klarna push notification callback has been used, it indicates that the NORMAL checkout flow have had some problems. This callback is only there as a backup function if something goes wrong.
Investigate why the order has deviated from the regular checkout flow.

Solution:

Disable the rule 211180 temporary and then get in touch with Klarnas Merchant support so they are aware of this issue.

Please note that this is one solution to a problem reported by a merchant to our support team. There may be other similar problems and/or solutions as well.

Retrieve more info in Klarna Merchant Portal

To troubleshoot this you have the possibility to look closer in the logs that are available in your Klarna Merchant Portal. Here is a screenshot displaying the response from a validation callback, where the request is blocked (with a 503 HTTP response) by the security plugin Wordfence:

Another common response header if the request is being blocked by a security/firewall application is 403 (forbidden). See a list of http status codes here.