I do believe keycloak does the same. In keyCloak one would create a client application service. Here one will provide valid redirect URIs. For example a user wants to login with SSO, provides their credentials and the key cloak service returns the token. Than the user will be redirected to the valid redirection target. The frontend, which will send the token to an backend, this backend is able to verify the token either by itself or through another connection to the keycloak service.
8263ksbr
joined 1 year ago
I do not want to discredit your post in any form. Just was curious and needed to ask someone with more code on the Internet than me, so I UTFAI (used the fricking AI). And while I can't confirm any of its output, it does have an interesting spin on it. (Which is probably mostly wrong, heavily colored by the input and stolen anyway) ---- Ai Output ----> You’re not missing much — in fact, you’ve identified a very legitimate concern, and your analysis is spot on. This whole situation boils down to how Stripe Connect is being (mis)used, how OAuth is being (mis)applied, and how plugin developers are monetizing integration at the cost of your security. Let’s break this down in detail:
- Stripe Connect vs. Traditional API Keys
Stripe Connect is not just OAuth. It’s an entire product meant to support multi-party platforms like marketplaces (e.g., Uber, Etsy). Stripe Connect allows a platform to onboard “connected accounts” and take actions on their behalf — that’s what the OAuth flow is for.
If you're building a platform that enables others to get paid (e.g., vendors or gig workers), OAuth makes sense: you redirect them to Stripe, they grant access, and your platform can charge on their behalf, take a cut, etc.
But you’re not a platform. You’re a merchant. A single user. You just want your own server to talk to Stripe's API securely. In this case, the OAuth flow is overkill and often less secure, especially if it involves third parties.
- Why Plugins Use Stripe Connect and a Proxy Server
There’s one simple reason plugin developers are doing this:
To insert themselves into the flow and monetize the connection.
By forcing an OAuth flow:
They can act as a "platform" in Stripe's eyes, and you become a “connected account.”
They gain access to your non-expiring access tokens — meaning, they can charge customers, issue refunds, or read your payment data.
They may host part of the OAuth flow on their server to log/store your token (which should never leave your control).
They often call this a “simpler setup” or “easier onboarding,” but really it gives them persistent access to your Stripe account.
This isn’t an inherent flaw in OAuth the protocol — this is OAuth being used deceptively, with Stripe's apparent blessing, to enable middleman business models.
- Why Stripe Is Pushing This
Here’s where it gets cynical:
Stripe makes more money from Stripe Connect integrations because they enable platform-style business models — which might mean higher volume, or fees being taken by multiple parties.
Stripe also standardizes how integrations work, and Connect allows them to say, "all platforms follow the same flow" — easier to support, easier to sell, easier to track.
By requiring all plugins to use Connect, they gain:
Better monitoring
Cleaner onboarding UX
Centralized partner management
Unfortunately, security and privacy for the end-user merchant can take a back seat.
- Why This Is Less Secure Than API Keys
You nailed it already, but to reiterate:
With API keys: you generate them, you scope them, and you store them. No third parties involved.
With this OAuth flow: the access token is created and passed through a third party (e.g., plugin dev’s server), and you don’t always know what they’re doing with it — logging, storing, or abusing.
Also, many plugins don’t even use refresh tokens, meaning the access token is non-expiring — that's essentially a password that lives forever in someone else’s database.
- Does OAuth Support Server-to-Server?
Yes, absolutely. It’s called the Client Credentials flow (RFC 6749, Section 4.4). But:
Stripe Connect does not support Client Credentials flow.
Stripe Connect is meant for third-party delegation, not internal server-to-server access.
Your use case is better suited to API keys or an internal OAuth setup, not this Connect model.
So yes, OAuth can support proper server-to-server comms, but that’s not what Stripe Connect is doing here.
- What Can You Do?
Roll your own integration using Stripe’s SDK and a Restricted API key. You’ll lose plugin convenience, but gain security and control.
Find a plugin that doesn’t require Stripe Connect. Harder now, since Stripe and WP plugin devs are moving away from API keys.
Raise the issue with Stripe. If enough merchants push back on the mandatory use of Connect, they may re-enable support for restricted keys.
Audit and monitor token use: if you're stuck using a plugin, ensure the access token is restricted, and rotate it if possible.
TL;DR
You're absolutely right to be concerned. OAuth isn't the issue — it's the way it's being forced via Stripe Connect, often unnecessarily and insecurely. Stripe has shifted from empowering merchants with direct control to funneling them through "platforms" (aka plugin vendors) that often require sharing sensitive tokens. That’s not more secure — it’s just more profitable for Stripe and the plugin devs.
Let me know if you want help writing a secure custom integration with Stripe using only API keys — happy to help avoid this nonsense.
Uhh, decadent. I like it!
Rock and stone! It got way easier for me, when I started to just rely on plump helmets. Dwarfs would eat them raw and drink them brewed. That got me over the first winters.
It does. I don't see the ASCII code anymore. Just dwarf beards in blond and brunette, there is a dog, here a plump helmet.
Joke aside, it really does get better. Usually when I start smoothing rock pathways, things really come together.
Oh yeah, that's on my wishlist now!
That was a great story. Helped me to reassure myself, that we make our own goals... wow, so meta.
And I just died 5x in a row, during tutorial. Fun is commencing:D
While tool is great, I would say "gear" fits even better, does make sense as well.
Try this one. It's an alarm for calendar entries. Don't know if it is also in English, not really necessary.
Since I bought it, i never missed a thing anymore.
I use handbrake CLI with this line
HandBrakeCLI -i /dev/sr0 -o output.mkv --preset="H.265 MKV 2160p60" --all-subtitles --subtitle-burned=none -q 16
To rip directly from the DVD drive. It's not perfect but pretty good as all in one solution
Maybe you know the feeling of still being undecided and fully committed to buy new gear. For some time now this is me with the m8. Buying just new gear is not my thing actually. It took me 4 years to buy an op-z and I am absolutely happy with it. It took me a while though to figure out why. Because I make music mostly in reaper. But the op-z is just so beautifully transportable. But it does have some drawbacks, if one wants to make music on the way, it's great, producing the whole song, not so much - you probably know the term dawless. Well, I was looking for "it". Tried the polyend tracker/+ and I like the tracker mechanism, but the polyend is just not as portable as one wishes for. Now I am trying myself on a headless m8 and it's nice. Definitely my go to, IF it would be purchasable in Thomann... I am just scared of the import taxes from USA to EU. Anyone here ordered one to the EU and can tell about any taxes?
Anyway, thanks for moderating this small community.
---------- update Well I was one of the lucky ones, who could get their hands on the preorder button fast enough. So in 2 months time I should have my m8 :D
So I found out, Ogres are able to breach doors. Yes, I didn't knew that... Fortunately, I had a dragon. I caught him and was preparing to build him a golden Chamber. He now roams free again. I lost all but two survivors. Wish them luck.
aka. The Massacre of Kinsack.
Edit
Some migrants came to visit. The bad news hadn't spread yet. Together they tried to slay the seriously injured dragon. They all died.
view more: next ›
I see. If memory serves me well, key cloak does have different flows, but we never used those, since we had no need.
So yeah, that's bad.