maltfield
@maltfield@lemmy.ca
- Comment on Why OAuth MUST share access token with 3rd party?!? 1 week ago:
I figured it out. It’s because Stripe doesn’t allow the redirect during the OAuth flow to be dynamic. It must be a predefined value that’s hard-coded into the app.
For security purposes, Stripe redirects a user only to a predefined URI.
That’s why Stripe forces you to expose your access tokens to the developer’s servers.
I’d still appreciate it if someone with more experience with OAuth than me knows if this is common. Seems like a very bad design decision to require users to expose their bearer tokens to the developer’s servers.
- Submitted 1 week ago to cybersecurity@infosec.pub | 2 comments