1·
3 months agoStripe Connect does not support Client Credentials flow.
Can you please tell me what is the name of the “flow” that Stripe Connect is using here?
- 2 Posts
- 4 Comments
Joined 2 years ago
Cake day: June 6th, 2023
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
I figured out the root technical cause. It’s because Stripe doesn’t allow the redirect during the OAuth flow to be dynamic. It must be a predefined value that’s hard-coded into the app.
For security purposes, Stripe redirects a user only to a predefined URI.
That’s why Stripe forces you to expose your access tokens to the developer’s servers.
I’d still appreciate if someone with more experience with OAuth than me knows if this is common. Seems like a very bad design decision to require users to transmit their bearer tokens through the developer’s servers.
It’s called the Client Credentials flow (RFC 6749, Section 4.4).
Finally someone directs me to the actual RFC. Except that section is titled “Client Credentials Grant”
Why do I see this sometimes called a “Grant” and sometimes called a “Flow”?
What’s the definition and difference of each?
That’s bad.
OAuth supports several types of flows. If I’m not mistaken (I’ve learned a bit more about OAuth since yesterday) you’re describing the Authorization Code Flow – as documented in RFC 6749 (The OAuth 2.0 Authorization Framework), Section 4.1 (Authorization Code Grant):
That RFC defines many other types of flows that do not require sharing the access keys with a third party, such as the Client Credentials Flow, as documented in RFC 6749 Section 4.4 (Client Credentials Grant):
The only reason you’d want to use the Authorization Code Flow is if the third party needs your access token for some reason, or if you want to hide the access key from the user agent.
The problem here is that Stripe is using the wrong flow (the third party doesn’t need the access token, as they claim they never save it anyway). And if keyCloak only supports that one flow, that’s would be a problem too (in this case).