{ Repost from my personal blog @ https://blog.codezero.xyz/accepting-stripe-payments-on-behalf-of-a-third-party }
In Open Event, we allow the organizer of each event to link their Stripe account, so that all ticket payments go directly into their account. To make it simpler for the organizer to set up the link, we have a Connect with Stripe button on the event creation form.
Clicking on the button, the organizer is greeted with a signup flow similar to Login with Facebook or any other social login. Through this process, we’re able to securely and easily obtain the credentials required to accept payments on behalf of the organizer.
For this very purpose, Stripe provides us with an OAuth interface called Stripe Connect. Stripe Connect allows us to connect to and interact with other Stripe accounts through an API.
We’ll be using Python’s requests library for making all the HTTP requests to the API.
You will need a Stripe account for this.
Registering your platform
- Go to https://dashboard.stripe.com/account/applications/settings and register your platform by filling in all the details.
- This will provide you with a Client ID that we’ll be using when redirecting users for OAuth signup.
The OAuth Flow
The OAuth flow is similar to most platforms.
- The user is redirected to an authorization page where they log in to their Stripe account and authorize your app to access their account.
- The user is then redirected back to a callback URL with an authorization code.
- The server makes a request to the Token API with the authorization code to retrieve the access_token, refresh_token and other credentials.
Implementing the flow
Redirect the user to the Authorization URL.
https://connect.stripe.com/oauth/authorize?response_type=code&client_id=ca_8x1ebxrl8eOwOSqRTVLUJkWtcfP92YJE&scope=read_write&redirect_uri=http://localhost/stripe/callback
The authorization URL accepts the following parameters.
- client_id – The client ID acquired when registering your platform. Required.
- response_type – Response type. The value is always code. Required.
- redirect_uri – The URL to redirect the customer to after authorization.
- scope – Can be read_write or read_only. The default is read_only. For analytics purposes, read_only is appropriate; to perform charges on behalf of the connected user, we will need to request the read_write scope instead.
The user will be taken to the Stripe authorization page, where they can log in to an existing account or create a new account without breaking the flow. Once the user has authorized the application, they are taken back to the callback URL with the result.
Requesting the access token with the authorization code
The user is redirected back to the callback URL.
If the authorization failed, the callback URL has a query string parameter error with the error name and a parameter error_description with the description of the error.
If the authorization was a success, the callback URL has the authorization code in the code query string parameter.
```python
import requests

# CLIENT_SECRET comes from your platform registration; AUTHORIZATION_CODE is
# the one-time `code` query parameter Stripe appended to the callback URL.
data = {
    'client_secret': 'CLIENT_SECRET',
    'code': 'AUTHORIZATION_CODE',
    'grant_type': 'authorization_code'
}
response = requests.post('https://connect.stripe.com/oauth/token', data=data)
```
The client_secret is also obtained when registering your platform. The code parameter is the authorization code.
On making this request, a JSON response will be returned.
If the request was a success, the following response will be obtained.
```
{
  "token_type": "bearer",
  "stripe_publishable_key": PUBLISHABLE_KEY,
  "scope": "read_write",
  "livemode": false,
  "stripe_user_id": USER_ID,
  "refresh_token": REFRESH_TOKEN,
  "access_token": ACCESS_TOKEN
}
```
If the request failed for some reason, an error will be returned.
```
{
  "error": "invalid_grant",
  "error_description": "Authorization code does not exist: AUTHORIZATION_CODE"
}
```
The access_token obtained can be used as the secret key to accept payments, as discussed in Integrating Stripe in the Flask web framework.
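As an added example (not code from the Open Event project or the original post), the whole round trip from above in Python: building the authorization URL, interpreting both the success and the error form of the callback, and exchanging the code at the token endpoint. Beyond what the post shows, it adds a random state nonce (a parameter Stripe echoes back on the callback) so a callback belonging to someone else's authorization is rejected; the injectable post callable and the placeholder credentials are this example's own assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://connect.stripe.com/oauth/authorize"
TOKEN_URL = "https://connect.stripe.com/oauth/token"


def build_authorize_url(client_id, redirect_uri, scope="read_write", state=None):
    # state is a random nonce kept server-side (e.g. in the session) and
    # compared on callback, so an authorization code from someone else's
    # flow cannot be spliced into this user's session.
    state = state or secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id,
              "scope": scope, "redirect_uri": redirect_uri, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params), state


def parse_callback(callback_url, expected_state):
    # Returns ("code", code) on success or ("error", description) otherwise.
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        return "error", "state mismatch; discard this callback"
    if "error" in qs:
        return "error", qs.get("error_description", qs["error"])[0]
    code = qs.get("code", [None])[0]
    if not code:
        return "error", "callback carried neither code nor error"
    return "code", code


def exchange_code(client_secret, code, post=None):
    # Trade the one-time code for the connected account's credentials.
    # `post` is injectable (assumption of this example) so the exchange can
    # be exercised without network access; by default it is requests.post.
    if post is None:
        import requests
        post = requests.post
    data = {"client_secret": client_secret, "code": code,
            "grant_type": "authorization_code"}
    body = post(TOKEN_URL, data=data, timeout=10).json()
    if "error" in body:
        raise RuntimeError(f"{body['error']}: {body.get('error_description', '')}")
    # access_token is effectively the organizer's secret key: store it
    # encrypted at rest and never write it to logs.
    return {k: body[k] for k in ("stripe_user_id", "access_token", "refresh_token",
                                  "stripe_publishable_key", "scope", "livemode")}
```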
