That's bad.
OAuth supports several types of flows. If I'm not mistaken (I've learned a bit more about OAuth since yesterday) you're describing the Authorization Code Flow -- as documented in RFC 6749 (The OAuth 2.0 Authorization Framework), Section 4.1 (Authorization Code Grant):
That RFC defines many other types of flows that do not require sharing the access keys with a third party, such as the Client Credentials Flow, as documented in RFC 6749 Section 4.4 (Client Credentials Grant):
The only reason you'd want to use the Authorization Code Flow is if the third party needs your access token for some reason, or if you want to hide the access key from the user agent.
The problem here is that Stripe is using the wrong flow (the third party doesn't need the access token, as they claim they never save it anyway). And if keyCloak only supports that one flow, that's would be a problem too (in this case).
Stripe Connect does not support Client Credentials flow.
Can you please tell me what is the name of the "flow" that Stripe Connect is using here?
I figured out the root technical cause. It's because Stripe doesn't allow the redirect during the OAuth flow to be dynamic. It must be a predefined value that's hard-coded into the app.
For security purposes, Stripe redirects a user only to a predefined URI.
That's why Stripe forces you to expose your access tokens to the developer's servers.
I'd still appreciate if someone with more experience with OAuth than me knows if this is common. Seems like a very bad design decision to require users to transmit their bearer tokens through the developer's servers.
Itās called the Client Credentials flow (RFC 6749, Section 4.4).
Finally someone directs me to the actual RFC. Except that section is titled "Client Credentials Grant"
Why do I see this sometimes called a "Grant" and sometimes called a "Flow"?
What's the definition and difference of each?
Why OAuth MUST share access token with 3rd party?!?
Why does Stripe require OAuth tokens to pass through a third party server?
Can someone who understands OAuth better than me explain to me why Stripe REQUIRES that their OAuth Access Keys get shared with a third party?
I've tried RTFM, but my biggest hangup is that the OAuth docs appear describe a very different situation than mine. They usually describe a user agent (web browser) as the client. And they talk about "your users" as if I have a bunch of users that I'm going to be fetching access keys for.
Nah, this is server <--> server. I have a server. Stripe has a server. I am one user. All I need is ONE API key for ONE account. But I'm forced to use OAuth. It doesn't seem appropriate, and it's especially concerning that the "flow" requires the (non-expiring!) Access Token to be shared with a third party server. Why?!?
I recently learned that Stripe has been pushing OAuth (branded as "Stripe Connect") to its integration apps as the "more secure" solution, compared to Restricted API
Why OAuth MUST share access token with 3rd party?!?
Why does Stripe require OAuth tokens to pass through a third party server?
Can someone who understands OAuth better than me explain to me why Stripe REQUIRES that their OAuth Access Keys get shared with a third party?
I've tried RTFM, but my biggest hangup is that the OAuth docs appear describe a very different situation than mine. They usually describe a user agent (web browser) as the client. And they talk about "your users" as if I have a bunch of users that I'm going to be fetching access keys for.
Nah, this is server <--> server. I have a server. Stripe has a server. I am one user. All I need is ONE API key for ONE account. But I'm forced to use OAuth. It doesn't seem appropriate, and it's especially concerning that the "flow" requires the (non-expiring!) Access Token to be shared with a third party server. Why?!?
I recently learned that Stripe has been pushing OAuth (branded as "Stripe Connect") to its integration apps as the "more secure" solution, compared to Restricted API
Intro Guide to Lemmy
I wrote a guide to help users with their migration to Lemmy
This guide will help new lemmy users find and subscribe-to (remote) lemmy subreddits communities
Intro to Lemmy (Video Guide)
Before reddit goes dark on Monday, I would like to add a short video to the join-lemmy.org [http://join-lemmy.org] site that shows new users how to create a lemmy account and subscribe to (remote) communities. The video should be about 2-minutes long (shorter is better) with a screen recording and v...
Before reddit goes dark on Monday, I would like to add a short video to the join-lemmy.org site that shows new users how to create a lemmy account and subscribe to (remote) communities.
The video should be about 2-minutes long (shorter is better) with a screen recording and voiceover narration. If you do this, you'll get a lot of traffic to your youtube/peertube account ;)
Here's the outline of the video requested:
join-lemmy.org in your web browser and click the big Join a Server button. Join from a random server from the "Recommended" list of instances. Tell the user to just pick one at r Intro to Lemmy (Video Guide)
Before reddit goes dark on Monday, I would like to add a short video to the join-lemmy.org [http://join-lemmy.org] site that shows new users how to create a lemmy account and subscribe to (remote) communities. The video should be about 2-minutes long (shorter is better) with a screen recording and v...
Before reddit goes dark on Monday, I would like to add a short video to the join-lemmy.org site that shows new users how to create a lemmy account and subscribe to (remote) communities.
The video should be about 2-minutes long (shorter is better) with a screen recording and voiceover narration. If you do this, you'll get a lot of traffic to your youtube/peertube account ;)
Here's the outline of the video requested:
join-lemmy.org in your web browser and click the big Join a Server button. Join from a random server from the "Recommended" list of instances. Tell the user to just pick one at r It doesn't say porn, it says adult. The legend describes how it's determined
Adult "Yes" means there's no profanity filters or blocking of NSFW content. "No" means that there are profanity filters or NSFW content is not allowed.
how do you do that? Is there a guide anywhere for how to setup mastodon seeing lemmy or lemmy seeing mastodon?
I think at the top, just above the "Recommended"
<h2>
add:undefined
For a more detailed comparison of Lemmy instances, see: <ul> <li><a href="https://github.com/maltfield/awesome-lemmy-instances">Awesome-Lemmy-Instances on GitHub</a></li> <li><a href="https://the-federation.info/platform/73">the-federation.info Lemmy Instances Page</a></li> <li><a href="https://lemmymap.feddit.de/">Feddit's Lemmymap</a></li> </ul> After you create an account, you can find communites across all instances using <a href="https://browse.feddit.de/">Feddit's Lemmy Community Browser</a> <h2>Recommended</h2> ...
oh shit I wish I knew that existed before XD
I see TypeScript and get scared. Personally, I do think that the join-lemmy.org/instances page should link to:
Can anyone with TypeScript experience make this PR for us? Here's the relevant file:
Comparison of Lemmy Instances
Comparison of different Lemmy Instances. Contribute to maltfield/awesome-lemmy-instances development by creating an account on GitHub.
I created a repo on GitHub that has a table comparing all the known lemmy instances
When I joined lemmy, I had to join a few different instances before I realized that:
allowlist so that you couldn't subscribe/participate with communities on (most) other instances I couldn't find an easy way to see how each instance was configured, so I used lemmy-stats-crawler and GitHub actions to discover all the Lemmy Instances, query their API, and dump the information into a data table for quick at-a-glance comparison.
I hope this helps others with a smooth migration to lemmy. Enjoy :)
Hi Lemmy!
I make BusKill laptop kill cords that make your computer lock, shutdown, or self-destruct if the device is physically separated from you.
This protects your (encrypted) data from theft, which can be useful for digital nomads and cryptotraders working in cafes/coworking spaces. But our target audience is journalists, activists, and human rights workers in oppressive regimes.
Both the hardware and the software are open-source (CC-BY-SA, GPLv3). We manufacture the hardware with injection molding, but if you have a 3D-printer, then you can take a stab at our 3D-printable prototype.
...And apparently I'm doing (minor) contributions to lemmy these days too
3D-Printable BusKill (USB Dead Man Switch) Prototype
Update on our progress on the 3D-printable BusKill prototype, a DIY USB kill cord to protect your laptop's data from thieves.
This article is about a new 3d-printable prototype version of the BusKill cable.
The BusKill cable is a laptop kill cord. If you're still struggling to understand what is a BusKill cable and why you'd need a laptop kill cord, there's a 2-minute explainer video that makes this clear:
Enjoy and happy printing :)