Does this plugin pass any of the OAuth tokens through any third party servers?
In addition to knowing where the tokens are *stored* by this plugin, I also need to know where they transit.
Unfortunately, I recently learned that another woocommerce payment gateway for Stripe (Stripe Payment Plugin for WooCommerce by WebToffee) uses the plugin developer’s server (verify-stripe.webtoffee.com) to refresh the OAuth tokens, and then send the new refresh/access tokens back to the wordpress server.
Even though the tokens are stored *only* on my wordpress server (they are *not* stored on WebToffee’s servers), they are still *seen* by a third party (besides [1] my server and [2] Stripe). This is obviously a security risk, and I don’t know how common this sort of implementation is.
So I need you to be clear and address not just where the tokens are stored, but also where the tokens *touch*.
Does this plugin implement OAuth by having *any* OAuth tokens transit through *any* server other than [a] the wordpress server where this plugin is installed and [b] Stripe’s servers?
Plugin Support
Aamir
(@aamiribsf)
Hi @maltfield,
Thank you for your detailed inquiry. I understand your concerns, and I want to assure you that I’ll need to discuss these technical aspects with our development team to provide you with accurate and comprehensive answers.
I’ll gather all the relevant information and I’ll follow up with you as soon as possible with the detailed response.
I appreciate your patience and understanding in the meantime.
Best regards,
Plugin Support
Aamir
(@aamiribsf)
Hello @maltfield,
We have received a response from our dev team and here is the information as requested:
Yes, our plugin uses OAuth to connect your WordPress site to your Stripe account. This is part of Stripe’s recommended connection flow for third-party integrations and is designed to be secure and standardized.
- Where are the access tokens, refresh tokens, and any other applicable tokens being stored?
=> The OAuth access tokens and refresh tokens are stored securely in your WordPress database on your server. They are not stored or transmitted to any external third-party server other than Stripe.
- Is there any data that is stored on any server other than servers owned by me and servers owned by Stripe?
=> No sensitive data is stored on any servers except only the tokens. Also, these tokens are non-sensitive data, but even those are stored as per Stripe’s guidelines.
- Is there any data that is passed through (not stored, but in transit) any servers other than servers owned by me and servers owned by Stripe?
=> The data in transit such as OAuth tokens, API requests/responses, payment info only flows between your server and Stripe’s servers.
No third-party servers other than Stripe and your server are involved in storing or relaying data.
Best Regards,
> They are not stored or transmitted to any external third-party server other than Stripe.
Oof, that’s not correct.
I contacted Stripe Support and they assured me that the OAuth Access Tokens *are* shared with a third party: your servers.
With Restricted API Keys, the credentials needed to access our merchant account are only known to two parties:
1. My server
2. Stripe’s servers
When you use Stripe Connect, the OAuth bearer tokens are additionally shared with a third party, defined as the redirect_uri. And because the redirect_uri is static, it’s a domain of the developer’s. That’s the third party.
> The data in transit such as OAuth tokens, API requests/responses, payment info only flows between Your server and Stripe’s servers.
False. According to Stripe Customer Support and their documentation, your server (specified by redirect_uri) is first given the OAuth Access Token before it’s relayed to our server.
If you don’t store it, that helps. But the fact that you see it at all is already a huge security risk for your users.
Can you please submit a feature request to include the ability for users to use Restricted API Keys? This would fix the security issue of having to share OAuth Access Tokens to a third party server.
Plugin Support
Aamir
(@aamiribsf)
Hello @maltfield,
Thank you again for your thoughtful and well-informed follow-up – and you’re absolutely right in your understanding.
To clarify: yes, our Stripe for WooCommerce plugin uses Stripe Connect, which requires a static redirect_uri. In our case, this points to a secure middleware endpoint hosted by us (Checkout Plugins), as mandated by Stripe’s OAuth implementation.
Here’s how the flow works:
When you click Connect with Stripe, the request is sent from your site to our secure middleware.
Our middleware forwards the request to Stripe’s OAuth endpoint.
Once Stripe processes the authentication, the OAuth access token is returned to our middleware (as required by the redirect_uri).
The middleware then immediately and securely passes the token to your WordPress site, where it is encrypted and stored in your database.
We do not log, store, or persist the access token or any sensitive data on our servers at any point — our middleware simply acts as a relay to meet Stripe’s requirement for a static callback domain.
That said, your concern is completely valid: even if the token is never stored, the fact that it flows through a third-party server (ours) does represent a level of access that isn’t present with Restricted API Keys.
Currently, Stripe Connect does not support an alternative onboarding flow that uses Restricted API Keys for third-party integrations like ours. However, we agree this would be a more secure option, and we encourage you to share this feedback directly with Stripe Support as well. The more merchants that request support for such a flow, the more likely it is that Stripe will prioritize offering it.
We truly appreciate your detailed input on this – it helps push the ecosystem toward better security and transparency.
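The merchant's underlying question in this thread is which hosts a plugin talks to besides the merchant's own site and Stripe. As an added example (not code from this plugin, from Checkout Plugins, or from anyone in the thread), the script below scans PHP source for literal URLs and reports every host that is neither a Stripe domain nor one of the merchant's own; the sample PHP and the vendor host `oauth.plugin-vendor.example` are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample PHP in the style of a WordPress plugin. It is not the source of any
# real plugin; the vendor host is a placeholder standing in for a static redirect_uri /
# middleware endpoint like the one described above.
SAMPLE_PHP = r'''<?php
$resp = wp_remote_post( 'https://api.stripe.com/v1/oauth/token', array( 'body' => $body ) );
$auth = 'https://connect.stripe.com/oauth/authorize?response_type=code&client_id=' . $cid
      . '&redirect_uri=' . rawurlencode( 'https://oauth.plugin-vendor.example/callback' );
wp_redirect( $auth );
$ref = wp_remote_get( 'https://oauth.plugin-vendor.example/refresh?site=' . rawurlencode( home_url() ) );
$ch  = curl_init( "https://api.stripe.com/v1/charges" );
'''

# Absolute http(s) URL up to whitespace or a PHP string delimiter.
URL_RE = re.compile(r'https?://[A-Za-z0-9.\-]+(?:[:/?#][^\s\'"]*)?')


def is_trusted(host, own_hosts):
    """Only Stripe itself and the merchant's own site should ever see OAuth tokens."""
    return host == "stripe.com" or host.endswith(".stripe.com") or host in own_hosts


def audit_plugin_urls(php_source, own_hosts=()):
    """Map every untrusted host found in literal URLs to the source lines it appears on.

    A hit means the plugin can send a request or a browser redirect (and with it, a
    token, code or merchant identifier) to a party other than Stripe or the merchant.
    """
    findings = {}
    own = set(own_hosts)
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for match in URL_RE.finditer(line):
            host = urlparse(match.group(0)).hostname
            if host and not is_trusted(host, own):
                findings.setdefault(host, []).append(lineno)
    return findings


if __name__ == "__main__":
    for host, lines in sorted(audit_plugin_urls(SAMPLE_PHP).items()):
        print(f"third-party host {host} referenced on lines {lines}")
```

Run it over every `.php` file in a plugin directory to get the list of third-party hosts the merchant asked for; URLs assembled from variables or configured on the vendor's side (such as the static redirect_uri registered with Stripe) will not show up, so an empty result is not proof that tokens never leave the two trusted parties.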
Hi,
Can you please state what OAuth Flow you use for Stripe Connect with this application?
After much research and back-and-forth with Stripe Support, they admitted that some OAuth flows expose the OAuth bearer tokens to a third party (which is a security risk) and some other OAuth flows do not.
They said that merchants cannot control which OAuth flow is used, and it depends on what was implemented by the developer. Stripe support asked me to ask the developer which OAuth flow they use in their implementation of Stripe Connect.
Can you please tell us which specific OAuth flow you use for Stripe Connect in this application?
Thank you