Does this plugin use OAuth?
-
Does this plugin use OAuth to connect to Stripe?
I’m a bit concerned that this plugin might use OAuth to connect to Stripe. If poorly implemented, OAuth could be much less secure than using Restricted API Keys.
If you are using OAuth, then:
- Where are the access tokens, refresh tokens, and any other applicable tokens being stored?
- Is there any data that is stored on any server other than servers owned by me and servers owned by Stripe?
- Is there any data that is passed-through (not stored, but in-transit) any servers other than servers owned by me and servers owned by Stripe?
If use of this plugin might involve any data that is stored or passed in-transit through any third party servers (other than my wordpress server and Stripe’s servers), then I need you to
- Enumerate all of this type of data
- Enumerate all of the third party servers
-
Does this plugin pass any of the OAuth tokens through any third party servers?
There are no 3rd party servers where data is stored. The only servers
that this plugin communicates with are Stripe’s servers via the Stripe
API.I know you said that the tokens are *stored* in the wordpress options table. This is great.
But, unfortunately, I recently learned that another woocommerce payment gateway for Stripe (Stripe Payment Plugin for WooCommerce by WebToffee) uses the plugin developer’s server (verify-stripe.webtoffee.com) to refresh the OAuth tokens, and then send the new refresh/access tokens back to the wordpress server.
Even though the tokens are stored *only* on my wordpress server (they are *not* stored on WebToffee’s servers), they are still *seen* by a third party (besides [1] my server and [2] Stripe). This is obviously a security risk, and I don’t know how common this sort of implementation is.
So I need you to be clear and address not just where the tokens are stored, but also where the tokens *touch*.
Does this plugin implement OAuth by having *any* OAuth tokens transit through *any* server other than [a] the wordpress server where this plugin is installed and [b] Stripe’s servers?
You had mentioned in previous support requests that the use of oAuth was a no go for you and your organization.
It’s not a total “no-go” (we’ve had to change our requirements because I can’t find any reputable plugins that support Restricted API Keys), but it does add additional work for us to audit the implementation. And that’s what I’m doing now.
Can you please answer the question? Not just for my benefit, but for other users as well. It would be good to have a clear confirmation from the plugin author that your plugin does not pass any oauth transactions through a third party server.
Does this plugin implement OAuth by having *any* OAuth tokens transit through *any* server other than [a] the wordpress server where this plugin is installed and [b] Stripe’s servers?
There shouldn’t be any need to “refresh” any tokens because they don’t expire if the oAuth process is done correctly.
Best-practice of OAuth is to use (one-time-use) Refresh Keys (and short-lived Access Tokens). It’s not a requirement for our org, but it would be good to have this documented.
Can you confirm that your plugin’s OAuth Access Token for Stripe has no expiration?
Thanks for the fast response 🙂
After credential validation, Stripe redirects the browser to https://stripeconnect.paymentplugins.com.
It is here that the single use token from Stripe is exchanged for a
secret key and publishable key. These keys are not stored anywhere; they
are created and added as part of the redirect to the WordPress site. It
must be done this way and our team worked internally with Stripe’s
engineering team to develop this processYeah, so this has the same issue. Sorry for my ignorance, but I don’t see anything about OAuth that says a third party would need to be involved like this. Why couldn’t you replace the
stripeconnect.paymentplugins.compart withmy-wordpress-site.com/wp-content/woo-stripe-payment/handle-oauth.php?It seems unnecessary to the OAuth spec and an additional security risk for my non-expiring Access Tokens to pass through your infrastructure 🙁
I know you say Stripe forces you to do this, so it’s not your fault. It’s theirs. Can you perhaps direct me to the Stripe documentation that says why the OAuth access tokens must pass through a third party?
Thanks. That has been extremely elucidating.
So my understanding is that Stripe is abusing the wrong OAuth flow for this use-case 🙁
If they implemented the “Client Credentials Flow”, then there would be no need to have a third party with a “predefined uri” of any kind.
I do plan to reach out to Stripe, but first I need to understand the situation a bit better. Thank you for your help so-far.
So as far as I can tell, the issue here is that Stripe is using the wrong OAuth Flow.
Currently it appears that Stripe is using an “Authorization Code” Grant.
This is documented in Stripe’s OAuth reference documentation here:
curl https://connect.stripe.com/oauth/token \
-u sk_test_MgvkTWK1jRG3olSRx9B7Mmxo: \
-d “code”=”ac_123456789” \
-d “grant_type”=”authorization_code”Authorization Code Grants are defined in RFC 6749 (The OAuth 2.0 Authorization Framework), Section 4.1 (Authorization Code Grant):
This isn’t the appropriate flow for this plugin. And, as documented above, it exposes your users (and you too!) to unnecessary risk.
The appropriate OAuth Flow that you *should* be using here uses the “Client Credentials” Grant, as documented in RFC 6749 Section 4.4 (Client Credentials Grant):
The Client Credentials Flow is Machine-to-Machine. There is no need to have any redirect_uri of any kind (static or dynamic), and there is no need to include a third party’s servers in the OAuth flow at all.
Can you think of any reason why Stripe opted for the less-appropriate Authorization Code Grant here — which exposes you and your users to unnecessary security risk?
Edit: If you really want to include the User Agent, another OAuth flow would be the Implicit Flow — which also does not require leaking the access token to an intermediary. This is documented in RFC 6749 Section 4.2 (Implicit Grant):
The topic ‘Does this plugin use OAuth?’ is closed to new replies.
