Stripe Connect access token expire.


Sravan Mada

Sep 7, 2014, 1:08:33 AM
to api-d...@lists.stripe.com
Hello,

Right now I'm using Stripe Connect in my iOS application. I'm successfully able to collect the total amount and application fee, but I would like to know what the expiry time is for the Stripe Connect access token. Thanks in advance.

Matthew Arkin

Sep 7, 2014, 1:11:56 AM
to api-d...@lists.stripe.com
Hi Sravan,
Per the docs at https://stripe.com/docs/connect/getting-started#oauth-flow : "Access tokens ... never expire but may be revoked by the user at any time."

Matt Arkin
Kollective



Sravan Mada

Sep 7, 2014, 11:35:06 AM
to api-d...@lists.stripe.com
Hello Matthew,

Right now, in my application there is a logout option, so when the user clicks on logout I clear the Stripe credentials. When the user clicks on Stripe login again, I get an access token. Is it fine to implement the Stripe Connect functionality this way? Please give us a reply.


--
Thanks & Regards,

Sravan Kumar,
iOS Developer.

Matthew Arkin

Sep 7, 2014, 1:47:28 PM
to api-d...@lists.stripe.com
It would depend on your use case.

If you’re only accessing the Stripe API when the user is actually on your website, that approach is fine. However, if you want to access their Stripe account info in the background (maybe you want to run background reports or update some internal db), then you should save it and link it to the user.

Another question is how it affects your UX. If every time I go to your application I have to log in with my one set of credentials and then I get prompted to log in with Stripe, that’s two logins I have to do. (This isn’t the case if you only have a Login With Stripe (like a Login With Facebook) type button.)

So it really depends on your use case. It is something you can do, but do you need access to Stripe in the background, and what’s the user experience for logging into your application and to Stripe? That would be the deciding factor.

Matt

Harry Anderson

Sep 26, 2014, 6:17:03 AM
to api-d...@lists.stripe.com
Matthew,

I stumbled upon this group in my search to answer this question:

"How can I destroy the Stripe oauth token, so that when a user logs out of my application, they also log out of Stripe?"

Any advice would be greatly appreciated. 

Thank you kindly,

Harry 

Brian Krausz

Sep 26, 2014, 10:04:11 AM
to api-d...@lists.stripe.com, api-d...@lists.stripe.com
Hi Harry,

We do not allow you to control the logged in/logged out state of a user's dashboard: there is no way for you to log out another user, regardless of whether or not they're connected to your Connect app.

Thanks,
Brian



Brian Krausz

Sep 26, 2014, 1:09:36 PM
to Harry Anderson, api-d...@lists.stripe.com
You bring up a very good point. Usually the use case we see for
Connect is that of "login once, use forever" where the user is
connecting a single time. I take it you're using Connect for
authentication?

Exposing the ability to log users out of Stripe would solve this
particular issue, but there may be a better solution. For example, if
users are logging in via the Connect login flow (as opposed to the
dashboard) we could have a much shorter-lived session, or we could
provide a logout confirmation page you could send them to post-logout.

Let me mull it over with the team and get back to you. In the short
term if you'd like to mitigate this in your app, I'd recommend
redirecting the user to dashboard.stripe.com post-logout. That will at
least make it obvious that they're still logged into the dashboard,
though I admit it's less than ideal.

Thanks,
Brian

On Fri, Sep 26, 2014 at 7:22 AM, Harry Anderson <hrtan...@gmail.com> wrote:
> Thanks for getting back to me Brian.
>
> This seems odd though, and a liability, unless I am misunderstanding
> something...
>
> For example, say a user connects to my app through Stripe Connect's oauth
> from a public terminal... a library computer, or a hotel business center
> computer, does their business, 'logs out' of my application, then closes the
> browser and leaves. They have 'logged out' of my application and destroyed
> any session data, but at that point, there is nothing preventing a stranger
> from opening the browser and immediately being able to log right into the
> other user's Stripe account without entering any credentials.
>
> I could be missing something simple here, and if I am I apologize for taking
> up your time. Please let me know though if I am tracking correctly and how
> you would handle my situation, or if I am missing something...
>
> Sincerely,
>
>
> Harry A.
> harryanderson.me
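
The short-term mitigation from the message above (redirect to dashboard.stripe.com after logout), together with the token handling discussed earlier in the thread, as an added example that is not part of any poster's message or of Stripe's code. The cookie name, the in-memory maps and the `keepToken` option are assumptions made for illustration.

```javascript
// Added example: logout for an app that signs users in through Stripe Connect OAuth.
// SESSION_COOKIE, both Maps and the keepToken option are hypothetical names.
const SESSION_COOKIE = "sid";
const STRIPE_DASHBOARD = "https://dashboard.stripe.com"; // redirect target named in the thread

// Return one cookie's value from a raw Cookie header, or undefined if absent.
function readCookie(cookieHeader, name) {
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return undefined;
}

// sessions: Map(sessionId -> userId); tokens: Map(userId -> Connect access token).
// keepToken=true models the "background reports" case: the token stays linked to
// the user server-side. keepToken=false models clearing credentials on logout.
function logout(cookieHeader, sessions, tokens, { keepToken }) {
  const sid = readCookie(cookieHeader, SESSION_COOKIE);
  const userId = sid === undefined ? undefined : sessions.get(sid);
  if (sid !== undefined) sessions.delete(sid);            // end the app session
  if (userId !== undefined && !keepToken) tokens.delete(userId);
  return {
    hadSession: userId !== undefined,
    status: 303,                                           // redirect after the logout POST
    headers: {
      // Expire the browser cookie so the session id cannot be replayed.
      "Set-Cookie": `${SESSION_COOKIE}=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax`,
      "Cache-Control": "no-store",                         // keep the response out of shared-terminal caches
      "Location": STRIPE_DASHBOARD,                        // shows the user the dashboard is still signed in
    },
  };
}

// Constructed sample data (placeholder token value, not a real credential).
const demoSessions = new Map([["abc123", "user-1"]]);
const demoTokens = new Map([["user-1", "ACCESS_TOKEN_PLACEHOLDER"]]);
const demo = logout("theme=dark; sid=abc123", demoSessions, demoTokens, { keepToken: false });
console.log(demo.status, demo.headers.Location, demoSessions.size, demoTokens.size);
```

The redirect does not end the Stripe dashboard session; it only lands the user on a page where that session is visible and can be ended by them.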

Harry Anderson

Sep 26, 2014, 4:04:03 PM
to Brian Krausz, api-d...@lists.stripe.com
Thanks Brian. I thought it would be highly appealing to be able to run the entire authentication system through Stripe for the following reasons:

1) It's consistent; if a user logs in for the first time through Stripe, why not be able to simply log in every time through Stripe?

And 2) It's secure. I know that your API is already more secure than anything that I could come up with in a few days, so why not keep my users' info more secure by eliminating my own potential for error? And my users will feel safer too because they know that their info is in good hands because of the Stripe brand.

As I see it; everybody wins. An additional thing to note here regarding the 'login-once, use forever' philosophy; this will only work until the next time that the browser's data is cleared, at which point any app would have to run the Stripe oauth again no matter what. But if Stripe was handling the app's entire authentication from A to Z, the user would never be in a situation where they would have to enter their credentials twice in one sitting.

Thank you kindly for your quick response to my question. I look forward to hearing more from you about it soon, but I also wish you (and the rest of the team) a very pleasant weekend in the meantime.

Sincerely,


Harry A.

Ryan McGeary

Sep 26, 2014, 4:05:30 PM
to api-d...@lists.stripe.com, hrtan...@gmail.com
Just to add my 2¢ here as well. I'd love if Stripe Connect's authentication behaved a bit better as a single-sign-on oauth citizen. For example, we're actually using Stripe Connect's oauth as a single-sign-on source for our customers, because our app is solely focused around Stripe. We prefer not to build our own authentication and user management interfaces and instead just use the credentials that are already assigned to the associated Stripe account. One immediate thing that we're missing is the ability to know which user on a Stripe application just authenticated the Stripe account. Right now, no matter which user on a Stripe account authenticates with Stripe Connect, we only get the stripe account id back. It would be nice to also get the actual user id back as well.

For what it's worth,
Ryan