Stripe Connect does not support Client Credentials flow.
Can you please tell me what is the name of the “flow” that Stripe Connect is using here?
- 6 Posts
- 14 Comments
Joined 2 years ago
Cake day: June 6th, 2023
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
I figured out the root technical cause. It’s because Stripe doesn’t allow the redirect during the OAuth flow to be dynamic. It must be a predefined value that’s hard-coded into the app.
For security purposes, Stripe redirects a user only to a predefined URI.
That’s why Stripe forces you to expose your access tokens to the developer’s servers.
I’d still appreciate if someone with more experience with OAuth than me knows if this is common. Seems like a very bad design decision to require users to transmit their bearer tokens through the developer’s servers.
It’s called the Client Credentials flow (RFC 6749, Section 4.4).
Finally someone directs me to the actual RFC. Except that section is titled “Client Credentials Grant”
Why do I see this sometimes called a “Grant” and sometimes called a “Flow”?
What’s the definition and difference of each?
It doesn’t say porn, it says adult. The legend describes how it’s determined
Adult “Yes” means there’s no profanity filters or blocking of NSFW content. “No” means that there are profanity filters or NSFW content is not allowed.
how do you do that? Is there a guide anywhere for how to setup mastodon seeing lemmy or lemmy seeing mastodon?
You mean like https://mastodon.world and https://lemmy.world? Do you have other examples?
I think at the top, just above the “Recommended” <h2> add:
For a more detailed comparison of Lemmy instances, see: <ul> <li><a href="https://github.com/maltfield/awesome-lemmy-instances">Awesome-Lemmy-Instances on GitHub</a></li> <li><a href="https://the-federation.info/platform/73">the-federation.info Lemmy Instances Page</a></li> <li><a href="https://lemmymap.feddit.de/">Feddit's Lemmymap</a></li> </ul> After you create an account, you can find communites across all instances using <a href="https://browse.feddit.de/">Feddit's Lemmy Community Browser</a> <h2>Recommended</h2> ...
oh shit I wish I knew that existed before XD
I’m literally just asking the instance’s API how many users it has:
Check the
users_active_monthfield. How your instance calculates that is a question for the lemmy devs ;D
I see TypeScript and get scared. Personally, I do think that the join-lemmy.org/instances page should link to:
- My table comparison https://github.com/maltfield/awesome-lemmy-instances
- The Lemmy Community Browser (to find communities across all instances) https://browse.feddit.de/
- The Lemmy Map https://lemmymap.feddit.de/
- The federation’s lemmy page (with another table comparing instances) https://the-federation.info/platform/73
Can anyone with TypeScript experience make this PR for us? Here’s the relevant file:
Because I had a bug. Fixing now :)
Hmm, I see
community_creation_admin_onlyis set tofalseon the API. I’ll look into this, thanks for letting me know :)Edit: should be fixed now. Please let me know if you find any other issues :)
Hi Lemmy!
I make BusKill laptop kill cords that make your computer lock, shutdown, or self-destruct if the device is physically separated from you.
This protects your (encrypted) data from theft, which can be useful for digital nomads and cryptotraders working in cafes/coworking spaces. But our target audience is journalists, activists, and human rights workers in oppressive regimes.
Both the hardware and the software are open-source (CC-BY-SA, GPLv3). We manufacture the hardware with injection molding, but if you have a 3D-printer, then you can take a stab at our 3D-printable prototype.
…And apparently I’m doing (minor) contributions to lemmy these days too
That’s bad.
OAuth supports several types of flows. If I’m not mistaken (I’ve learned a bit more about OAuth since yesterday) you’re describing the Authorization Code Flow – as documented in RFC 6749 (The OAuth 2.0 Authorization Framework), Section 4.1 (Authorization Code Grant):
That RFC defines many other types of flows that do not require sharing the access keys with a third party, such as the Client Credentials Flow, as documented in RFC 6749 Section 4.4 (Client Credentials Grant):
The only reason you’d want to use the Authorization Code Flow is if the third party needs your access token for some reason, or if you want to hide the access key from the user agent.
The problem here is that Stripe is using the wrong flow (the third party doesn’t need the access token, as they claim they never save it anyway). And if keyCloak only supports that one flow, that’s would be a problem too (in this case).