{ Repost from my personal blog @ https://blog.codezero.xyz/accepting-stripe-payments-on-behalf-of-a-third-party }
In Open Event, we allow the organizer of each event to link their Stripe account, so that all ticket payments go directly into that account. To make it simpler for the organizer to set up the link, we have a Connect with Stripe button on the event creation form.
Clicking the button, the organizer is taken through a signup flow similar to Login with Facebook or any other social login. Through this process we obtain, securely and with little effort, the credentials required to accept payments on behalf of the organizer.
For this purpose, Stripe provides an OAuth interface called Stripe Connect. Stripe Connect allows us to connect to other Stripe accounts and interact with them through the API.
We'll be using Python's requests library for making all the HTTP requests to the API. You will need a Stripe account for this.
Registering your platform
- Go to https://dashboard.stripe.com/account/applications/settings and register your platform by filling in all the details.
- This will provide you with a Client ID that we'll be using when redirecting users to the OAuth signup, and a client secret that is used later, server side, to exchange the authorization code for tokens.
The OAuth Flow
The OAuth flow is similar to most platforms.
- The user is redirected to an authorization page where they log in to their Stripe account and authorize your app to access their account.
- The user is then redirected back to a callback URL with an authorization code.
- The server makes a request to the Token API with the authorization code to retrieve the access_token, refresh_token and other credentials.
Implementing the flow
Redirect the user to the Authorization URL.
https://connect.stripe.com/oauth/authorize?response_type=code&client_id=ca_8x1ebxrl8eOwOSqRTVLUJkWtcfP92YJE&scope=read_write&redirect_uri=http://localhost/stripe/callback
The authorization URL accepts the following parameters.
- client_id – The client ID acquired when registering your platform. Required.
- response_type – The response type. The value is always code. Required.
- redirect_uri – The URL to redirect the customer to after authorization. It must be one of the redirect URIs registered for your platform; http://localhost is fine for development, but a production callback should be served over HTTPS.
- scope – Can be read_write or read_only. The default is read_only. For analytics purposes read_only is appropriate; to perform charges on behalf of the connected user we need to request read_write instead.
- state – An opaque value of your choosing that Stripe passes back unchanged on the callback. The example URL above omits it, but you should generate an unguessable value per request, keep it in the user's session and reject any callback whose state does not match. Without this check an attacker can get a logged-in organizer to link the attacker's Stripe account to the organizer's event instead of their own.
The user is taken to the Stripe authorization page, where they can log in to an existing account or create a new one without leaving the flow. Once the user has authorized the application, they are sent back to the callback URL with the result.
Requesting the access token with the authorization code
The user is redirected back to the callback URL.
- If the authorization failed, the callback URL has a query string parameter error with the error name and a parameter error_description with a description of the error.
- If the authorization was a success, the callback URL has the authorization code in the code query string parameter.
```python
import requests

data = {
    'client_secret': 'CLIENT_SECRET',    # from the platform settings page; server side only
    'code': 'AUTHORIZATION_CODE',        # the code query parameter from the callback
    'grant_type': 'authorization_code'
}
# Exchange the one-time code for the connected account's credentials
response = requests.post('https://connect.stripe.com/oauth/token', data=data)
```
The client_secret is also obtained when registering your platform; keep it on the server, out of the browser and out of version control. The code parameter is the authorization code from the callback; like any OAuth authorization code it can only be exchanged once, so do the exchange immediately on the callback.
On making this request, a JSON response is returned.
If the request was a success, the response looks like this:
```json
{
  "token_type": "bearer",
  "stripe_publishable_key": PUBLISHABLE_KEY,
  "scope": "read_write",
  "livemode": false,
  "stripe_user_id": USER_ID,
  "refresh_token": REFRESH_TOKEN,
  "access_token": ACCESS_TOKEN
}
```
If the request failed for some reason, an error is returned instead:
```json
{
  "error": "invalid_grant",
  "error_description": "Authorization code does not exist: AUTHORIZATION_CODE"
}
```
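The whole flow described above, put together as one server-side helper. This is an added example, not code from Open Event or from Stripe: it builds the authorization URL with a per-request state, validates the callback (state first, then the error or code parameters), exchanges the code and checks the granted scope before anything is stored. The HTTP call is injected so it can be exercised against fake_stripe_post, a constructed stand-in for the token endpoint; the client ID ca_example, secret sk_test_example, code ac_good and the response fields it returns are made up for the example, and the real poster uses the requests library only when called.

```python
"""Stripe Connect OAuth helper (added example, assumed names throughout)."""
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://connect.stripe.com/oauth/authorize"
TOKEN_URL = "https://connect.stripe.com/oauth/token"
VALID_SCOPES = ("read_only", "read_write")


class StripeConnectError(Exception):
    """Raised when the authorization step or the token exchange fails."""
    def __init__(self, error, description=""):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def new_state():
    """Unguessable per-request value; store it in the session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state, scope="read_write"):
    """Step 1: the URL the organizer is sent to, including the CSRF-protecting state."""
    if scope not in VALID_SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    params = {"response_type": "code", "client_id": client_id, "scope": scope,
              "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(url):
    """Step 2: flatten the callback query string (code/state or error/error_description)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def post_with_requests(url, data):
    """Real poster; imported lazily so the module loads without requests installed."""
    import requests
    resp = requests.post(url, data=data, timeout=10)
    return resp.status_code, resp.json()


def exchange_code(code, client_secret, post=post_with_requests):
    """Step 3: trade the one-time code for the connected account's credentials."""
    status, body = post(TOKEN_URL, {"client_secret": client_secret, "code": code,
                                    "grant_type": "authorization_code"})
    if status != 200 or "error" in body:
        raise StripeConnectError(body.get("error", f"http_{status}"),
                                 body.get("error_description", ""))
    return body


def complete_connect(callback_url, expected_state, client_secret,
                     required_scope="read_write", post=post_with_requests):
    """Validate the callback and return only what the application needs to store."""
    params = parse_callback(callback_url)
    # Check state before anything else; a mismatch means the callback was not
    # started by this session and must not link any account.
    if not hmac.compare_digest(params.get("state", "").encode(), expected_state.encode()):
        raise StripeConnectError("invalid_state", "callback state does not match the session")
    if "error" in params:
        raise StripeConnectError(params["error"], params.get("error_description", ""))
    code = params.get("code")
    if not code:
        raise StripeConnectError("missing_code", "callback carried neither code nor error")
    creds = exchange_code(code, client_secret, post)
    if creds.get("scope") != required_scope:  # read_only cannot create charges
        raise StripeConnectError("insufficient_scope",
                                 f"granted {creds.get('scope')!r}, need {required_scope!r}")
    return {key: creds[key] for key in ("stripe_user_id", "access_token", "refresh_token",
                                        "stripe_publishable_key", "livemode")}


def fake_stripe_post(url, data):
    """Constructed stand-in for the token endpoint; values are not real Stripe data."""
    assert url == TOKEN_URL
    if data.get("client_secret") != "sk_test_example" or data.get("grant_type") != "authorization_code":
        return 401, {"error": "invalid_client", "error_description": "bad client secret"}
    if data.get("code") == "ac_good":
        return 200, {"token_type": "bearer", "stripe_publishable_key": "pk_test_example",
                     "scope": "read_write", "livemode": False, "stripe_user_id": "acct_example",
                     "refresh_token": "rt_example", "access_token": "sk_test_connected_example"}
    return 400, {"error": "invalid_grant",
                 "error_description": f"Authorization code does not exist: {data.get('code')}"}


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("ca_example", "http://localhost/stripe/callback", state))
    callback = f"http://localhost/stripe/callback?code=ac_good&state={state}"
    print(complete_connect(callback, state, "sk_test_example", post=fake_stripe_post))
```

In a web app, new_state() is called when rendering the Connect with Stripe button and its value saved in the session; the callback view passes the full request URL and that saved value to complete_connect and stores the returned dictionary against the event. Callers that hit the real endpoint simply leave post at its default.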
The access_token obtained can be used as the secret key to accept payments, as discussed in Integrating Stripe in the Flask web framework. Treat it like the organizer's own secret key: store it encrypted, never log it, and check the livemode flag in the response, which tells you whether the organizer connected a live account or a test one.