Comment on Why OAuth MUST share access token with 3rd party?!?
maltfield@lemmy.ca 1 week ago
I figured it out. It’s because Stripe doesn’t allow the redirect during the OAuth flow to be dynamic. It must be a predefined value that’s hard-coded into the app.
For security purposes, Stripe redirects a user only to a predefined URI.
That’s why Stripe forces you to expose your access tokens to the developer’s servers.
I’d still appreciate it if someone with more experience with OAuth than me knows if this is common. Seems like a very bad design decision to require users to expose their bearer tokens to the developer’s servers.
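As an added illustration (not code from the post, from Stripe, or from any real authorization server) of the check the comment describes: the authorization server accepts a redirect_uri only if it exactly matches a value registered in advance, which is why the app's own server must sit at that fixed address and receive the code. The registered URI and hostnames below are constructed.

```python
from urllib.parse import urlsplit

# Constructed: the callback a hypothetical app registered with the
# authorization server when it was created. Must be hard-coded, not
# derived from the incoming request.
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
}


def redirect_uri_allowed(requested: str) -> bool:
    """Strict check: the requested redirect_uri must match a registered
    URI byte-for-byte, use https, and carry no fragment.

    The authorization server sends the user's browser (with the code,
    or the token in an implicit flow) to this address, so any looseness
    here decides who ends up holding the credential."""
    if not requested:
        return False
    parts = urlsplit(requested)
    if parts.scheme != "https" or parts.fragment:
        return False
    return requested in REGISTERED_REDIRECT_URIS


def redirect_uri_allowed_naive(requested: str) -> bool:
    """The 'dynamic redirect' the comment wishes for, approximated as a
    prefix match on the registered origin. Kept only to show why
    authorization servers refuse to do this."""
    return requested.startswith("https://app.example.com")


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, three that should fail.
    samples = [
        "https://app.example.com/oauth/callback",
        "https://app.example.com.evil.net/oauth/callback",  # look-alike host
        "http://app.example.com/oauth/callback",            # downgraded scheme
        "https://app.example.com/oauth/callback#token",     # fragment smuggled in
    ]
    for uri in samples:
        print(f"{uri}\n  strict={redirect_uri_allowed(uri)}"
              f"  naive={redirect_uri_allowed_naive(uri)}")
```

The look-alike host passes the prefix check but fails exact matching, which is the property a fixed, pre-registered URI buys at the cost of routing the callback through the developer's server.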