That’s bad.

OAuth supports several types of flows. If I’m not mistaken (I’ve learned a bit more about OAuth since yesterday) you’re describing the Authorization Code Flow – as documented in RFC 6749 (The OAuth 2.0 Authorization Framework), Section 4.1 (Authorization Code Grant):

• https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1

That RFC defines many other types of flows that do not require sharing the access keys with a third party, such as the Client Credentials Flow, as documented in RFC 6749 Section 4.4 (Client Credentials Grant):

• https://www.rfc-editor.org/rfc/rfc6749.html#section-4.4

The only reason you’d want to use the Authorization Code Flow is if the third party needs your access token for some reason, or if you want to hide the access key from the user agent.

The problem here is that Stripe is using the wrong flow (the third party doesn’t need the access token, as they claim they never save it anyway). And if keyCloak only supports that one flow, that’s would be a problem too (in this case).

Upon further reading of RFC 6749, it appears that OAuth does require this – sometimes.

It depends on the OAuth Flow. In this case, Stripe uses the “Authorization Code” Grant.

This is documented in Stripe’s OAuth reference documentation here:

curl https://connect.stripe.com/oauth/token \
  -u sk_test_MgvkTWK1jRG3olSRx9B7Mmxo: \
  -d “code”=”ac_123456789” \
  -d “grant_type”=”authorization_code”

• srouce: https://docs.stripe.com/connect/oauth-reference#post-token-request

Authorization Code Grants are defined in RFC 6749 (The OAuth 2.0 Authorization Framework), Section 4.1 (Authorization Code Grant):

• https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1

To better understand why the OAuth Authorization Code Grant requires sharing the access token with a thrid party server, I found this article (Common OAuth Vulnerabilities) by Doyensec very elucidating:

• https://blog.doyensec.com/2025/01/30/oauth-common-vulnerabilities.html

It says that the Authorization Code Flow is supposed to be used when you don’t want to share the tokens with the user agent.

The Authorization Code Flow is one of the most widely used OAuth flows in web applications. Unlike the Implicit Flow, which requests the Access Token directly to the Authorization Server, the Authorization Code Flow introduces an intermediary step. In this process, the User Agent first retrieves an Authorization Code, which the application then exchanges, along with the Client Credentials, for an Access Token. This additional step ensures that only the Client Application has access to the Access Token, preventing the User Agent from ever seeing it.

But this doesn’t make sense for this use-case. It appears Stripe is needlessly putting us at risk by choosing the Authorization Code Grant.

Stripe Connect does not support Client Credentials flow.

Can you please tell me what is the name of the “flow” that Stripe Connect is using here?

I figured out the root technical cause. It’s because Stripe doesn’t allow the redirect during the OAuth flow to be dynamic. It must be a predefined value that’s hard-coded into the app.

For security purposes, Stripe redirects a user only to a predefined URI.

• https://docs.stripe.com/connect/oauth-reference#redirect-uri

That’s why Stripe forces you to expose your access tokens to the developer’s servers.

I’d still appreciate if someone with more experience with OAuth than me knows if this is common. Seems like a very bad design decision to require users to transmit their bearer tokens through the developer’s servers.

It’s called the Client Credentials flow (RFC 6749, Section 4.4).

Finally someone directs me to the actual RFC. Except that section is titled “Client Credentials Grant”

• https://www.rfc-editor.org/rfc/rfc6749.html#section-4.4

Why do I see this sometimes called a “Grant” and sometimes called a “Flow”?

What’s the definition and difference of each?

Thanks, but I don’t think this is the case here. The Authentication provider is Stripe (or, at least, it’s a stripe.com domain name). The 3rd party is the app developer’s server.

Stripe’s infra is already PCI compliant.

I’m not sure how a hardware security token would be relevant here. The end result must be something-you-know access token. Initial setup is done with 2FA, sure. But I don’t think the server can store (or emulate) a passkey. The issue here isn’t how I authenticate with Stripe. It’s after that – when Stripe gives the tokens to the third party (the dev’s server) and then the third party gives the token to my server. I don’t understand why Stripe doesn’t just let the devs implement it so Stripe gives the tokens directly to my server.

Suddenly my server started getting thousands of requests per minute and my varnish cache hit rate jumped to 99%. Thank god for varnish!

Looks like the reddit blackout is #1 on the frontpage of hackernews, and this article is #2.

• https://news.ycombinator.com/

I actually posted this article to hackernews, but I never got a single upvote. This isn’t my first time getting on the frontpage of hackernews, but it always happens when someone else reposts my link.

Can anyone tell me how the fuck hackernews’ algorithm works to where I can’t ever get traction but someone else does after me?

Added to the article. Thanks for the suggestion :)

You should ask in /c/mlemapp

• https://lemmy.ml/c/mlemapp

And if it’s a bug, please report it on GitHub

• https://github.com/buresdv/Mlem

Thanks! Yeah, I linked to it in the bottom of the article. There’s some other good links there that you may want to checkout as well :)

The only thing I need to improve this article is a short video demonstration showing how to find and add remote lemmy communities

• https://lemmy.ml/post/1193460

Are there any video producers on Lemmy that can help? You’ll easily get thousands unique views per day if you make a short “Guide to Lemmy” video :)

ಠ_ಠ

I’m actually very surprised how high the uptime is on most of these instances.

The awesome-lemmy-instances repo on GitHub displays uptime:

• https://github.com/maltfield/awesome-lemmy-instances/

This list may help newcomers:

• https://github.com/maltfield/awesome-lemmy-instances

At what point do you plan to close this instance to new users?

See this list of “Privacy-Conscious Email Services”

• https://prxbx.com/email/

Honestly I’m not sure I’ll stick to lemmy if the amount of content doesn’t grow. And I’m sure I’m not alone. I’m here for news, and there’s very little coverage of world events on lemmy (though that has already noticeably improved as our userbase grows).

I do want lemmy to grow, but not for growth’s sake. I want it to grow so the content (news article submissions and quality comments about those articles) grows.

2. Downvotes are important to ensure quality content. It allows the community address statements made by a user based on objectively incorrect (mis)information. This feature is an important reason why many reddit users aren’t on Mastodon. Also, democracy is important.
3. Recommended Instances shouldn’t wholesale block content just because it’s NSFW. As you say, policy on what NSFW content is allowed is distinct from the instance enabling NSFW content.
4. People being able to create and moderate their own communities is positive

If an instance (eg Hexbear) wants to deviate from this, that’s fine. That’s what the Fediverse is all about :) But we shouldn’t recommend those instances to new users as it will cause new user attrition.

That’s not going to happen automatically, but we can manually remove instances that go down.

I only know of one site that monitors uptime of lemmy instances:

• https://lemmy.fediverse.observer/list

They do have an API, but I’m not sure yet how to query it (help would be appreciated!)

• https://github.com/maltfield/awesome-lemmy-instances/issues/7