Comment on Why OAuth MUST share access token with 3rd party?!?
occultist8128@infosec.pub 5 weeks ago
for anlytics? maybe?
Comment on Why OAuth MUST share access token with 3rd party?!?
occultist8128@infosec.pub 5 weeks ago
for anlytics? maybe?
maltfield@lemmy.ca 5 weeks ago
I figured it out. It’s because Stripe doesn’t allow the redirect during the OAuth flow to be dynamic. It must be a predefined value that’s hard-coded into the app.
That’s why Stripe forces you to expose your access tokens to the developer’s servers.
I’d still appreciate if someone with more experience with OAuth than me knows if this is common. Seems like a very bad design decision to require users to their bearer tokens to the developer’s servers.