Payment intent doesn't create properly for 'Standard' connected account - ruby-on-rails

I'm creating a payment intent as per the Stripe documentation:
payment_intent = Stripe::PaymentIntent.create({
payment_method_types: ['card'],
amount: '1000',
currency: 'aud',
application_fee_amount: '10',
}, stripe_account: 'pi_1IwLlIJuxAkCMV')
When stripe_account is an Express account, the payment intent gets created and appears in the dashboard as expected.
But when stripe_account is a Standard account, the payment intent appears to be created and is visible in the console, but the payment intent is not visible in the stripe dashboard, and nor can it be retrieved with Stripe::PaymentIntent.retrieve(id):
Stripe::PaymentIntent.retrieve(payment_intent.id)
Stripe::InvalidRequestError: No such payment_intent: 'pi_1IwLlIJuxAkCMV'
from stripe-5.26.0/lib/stripe/stripe_client.rb:592:in `handle_error_response'
Question
Why does creating a payment intent work for express connected accounts but not standard connected accounts?

In your initial snippet, you likely meant to include an account id like acct_123 in the optional stripeAccount header (ref). That optional parameter also should be within an {} object/hash, though that appears to not be used in the example you linked.
Authenticating as one of your connected accounts like this creates the payment intent as a direct charge on the connected account itself (as described eslewhere on the doc you linked).
After creating a direct charge like this, you need to include that same stripeAccount header to authenticate during the retrieval:
Stripe::PaymentIntent.retrieve(payment_intent.id, { stripeAccount: 'acc'})
Edit to add: Confirming this curl example works as expected:
curl --request POST \
--url https://api.stripe.com/v1/payment_intents \
-u sk_test_123: \
--header 'Stripe-Account: acct_123' \
--data amount=10000 \
--data currency=usd \
--data confirm=true \
--data payment_method=pm_card_visa \
--data application_fee_amount=500
Creates pi_456, then:
curl --request GET \
--url https://api.stripe.com/v1/payment_intents/pi_456 \
-u sk_test_123: \
--header 'Stripe-Account: acct_123' \

Related

Dart : At the end of the tutorial, I don't know how to check that the app is working

https://dartfrog.vgv.dev/docs/tutorials/todos#summary
I got to this section, but I don't know how to get it to work at the end, so I can't get it to work.
in my browser
http://localhost:8080/todos
When I access the above url, [] is displayed, so I think it's working.
# Update a specific todo by id
curl --request PUT \
--url http://localhost:8080/todos/<id> \
--header 'Content-Type: application/json' \
--data '{
"title": "Take out trash!",
"isCompleted": true
}'
How can I check that the above part works?
The line you see there is a command you are supposed to run on your commandline.
If you use a newer version of windows you probably have curl already, if not, see How do I install and use cURL on Windows?
So you open your command prompt and enter
curl --request PUT --url http://localhost:8080/todos/<id> --header 'Content-Type: application/json' --data '{ "title": "Take out trash!", "isCompleted": true }'
where I guess the <id> part needs to be an id. So for example 1.
Please note that that is a tutorial for a backend in Dart. They are not commonly called an app. If you are looking to build a nice app for your device or webbrowser, with ui controls like input boxes and buttons, you are reading the wrong tutorial.

Snowflake: Configure Microsoft Azure AD for External OAuth - admin consent

I am using this guide to configure Microsoft Azure AD for external OAuth in Snowflake.
I'm pretty sure that I followed all the steps because tried that meticulously on three Azure subscriptions and got the same result.
Every time I got stuck at the testing procedure section where I'm supposed to send a request to Azure AD to get an access token:
curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
--data-urlencode "client_id=<OAUTH_CLIENT_ID>" \
--data-urlencode "client_secret=<OAUTH_CLIENT_SECRET>" \
--data-urlencode "username=<AZURE_AD_USER>" \
--data-urlencode "password=<AZURE_AD_USER_PASSWORD>" \
--data-urlencode "grant_type=password" \
--data-urlencode "scope=session:role:analyst" \
'<AZURE_AD_OAUTH_TOKEN_ENDPOINT>'
I am a subscription owner and definitely granted admin access to the session:role:analyst scope:
However, instead of the access token, I get the following response:
{
"error": "invalid_grant",
"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID '...' named 'Snowflake OAuth Client'. Send an interactive authorization request for this user and resource.\r\nTrace ID: ...\r\nCorrelation ID: ...\r\nTimestamp: ...",
"error_codes": [
65001
],
"timestamp": "...",
"trace_id": "...",
"correlation_id": "...",
"suberror": "consent_required"
}
Tried to grant the consent by reaching https://login.microsoftonline.com/{{tenant_id}}/adminconsent?client_id={{client_id}} and after granting the consent, got an error: AADSTS500113: No reply address is registered for the application.
Found this and added the return URL http://localhost/ (without a clear understanding of why). Granted the consent again and was redirected to http://localhost/?admin_consent=True&tenant={{tenant_id}}# which, I suppose, is fine.
But I still get AADSTS65001: The user or administrator has not consented to use the application.
Reached to Microsoft documentation and figured out that using grant_type=password is not recommended - makes sense.
Tried grant_type=client credentials:
curl --location --request GET 'https://login.microsoftonline.com/{{tenant_id}}/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id={{client_id}}' \
--data-urlencode 'scope=https://graph.microsoft.com/.default' \
--data-urlencode 'client_secret={{client_secret}}'
Got the access token, but attempts to connect to Snowflake with a connection string like:
connection.ConnectionString = $"account={account};host={host};authenticator=oauth;user={oauthUser};token={token};";
Throw Snowflake.Data.Client.SnowflakeDbException: 'Invalid OAuth access token..
I suspect this is because scope=https://graph.microsoft.com/.default, but replacing it with session:scope:analyst brings this:
{
"error": "invalid_scope",
"error_description": "AADSTS1002012: The provided value for scope session:scope:analyst is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).\r\nTrace ID: ...\r\nCorrelation ID: ...\r\nTimestamp: ...",
"error_codes": [
1002012
],
"timestamp": "...",
"trace_id": "...",
"correlation_id": "..."
}
Since I already deviated from the official Snowflake guide, I'm asking the community for help with this issue. Thank you in in advance!
When obtaining an access token with the Resource Owner Password Credentials Grant flow (which is not recommended and you really shouldn't do), the resulting access token is for accessing a resource (API) on behalf of the signed-in user. In the Microsoft identity platform, access on behalf of a user requires the client application be granted at least one delegated permissions to the requested resource.
In your screenshot, we see that the permission you granted for "Snowflake OAuth Resource" is an application permission (aka "app role").
You need to do two things:
On the resource app's app registration, make sure you followed sub-step 10 under Step 1: Configure the OAuth Resource in Azure AD, and defined "session:scope:analyst" as a delegated permission (scope).
In the client's app registration, under API permissions, choose the corresponding delegated permission for the resource, and grant it.
Then, when you go to test obtaining the token, make sure the "scope" parameter is the full scope value, including the resource's identifier URI (which you defined in sub-step 9). For example, if your identifier URI is https://my.snowflake.example.com, then the "scope" value would be https://my.snowflake.example.com/session:role:analyst and your cURL request would be:
curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
--data-urlencode "client_id=<OAUTH_CLIENT_ID>" \
--data-urlencode "client_secret=<OAUTH_CLIENT_SECRET>" \
--data-urlencode "username=<AZURE_AD_USER>" \
--data-urlencode "password=<AZURE_AD_USER_PASSWORD>" \
--data-urlencode "grant_type=password" \
--data-urlencode "scope=https://my.snowflake.example.com/session:role:analyst" \
'<AZURE_AD_OAUTH_TOKEN_ENDPOINT>'
WARNING: The Resource Owner Password Credentials Grant flow is not recommended. I suggest reaching out to app publishers who are suggesting you use this flow. Here is Microsoft's warning on the subject:
Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used.
If the set up is still configured for "password" type grant credentials then the issue there is with the scope which should be set up on AAD and passed as follows:
**session:role-<name>**
Note, that the hyphen between role and name and it's not a colon.
In your setup, it seems to be set up and passed as:
session:role:<name>
I think, it would be much more easier to fix this issue by checking the steps done on your environment with the details here:
https://community.snowflake.com/s/article/External-oAuth-Token-Generation-using-Azure-AD

Google OAuth2 Integration - Invalid parameter value for redirect_uri: Missing scheme

Even though I read a numerous duplicate issues here on Stackoverflow, still can't figure out for the life of me what I'm doing wrong.
Problem: I successfully receive an authorization code from, but when I request an access token using this code I get the following error:
{
"error": "invalid_request",
"error_description": "Invalid parameter value for redirect_uri: Missing scheme: http%3A%2F%2Flocalhost%3A3030%2Fgoogle%2Foauth2%2Fcallback"
}
Configuration:
I use http://localhost:3030/google/oauth2/callback as a callback URL
It's setup in the google developer console:
This is a "raw curl" request that I send to obtain a token:
curl --location --request POST 'https://oauth2.googleapis.com/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'code=4%2F0AY0e-g6zyewnsWjPEXoxZWawsp1E634ZlefYoBeYO1nXxBwjPQNCGVf7SGb4MxfNcjUApw' \
--data-urlencode 'redirect_uri=http%3A%2F%2Flocalhost%3A3030%2Fgoogle%2Foauth2%2Fcallback' \
--data-urlencode 'client_id=....' \
--data-urlencode 'client_secret=....' \
--data-urlencode 'grant_type=authorization_code'
P.s. as you can see I "UrlEncoded" redirect_url as well as code since it does contain slashes. To be on the same side, I tried to encode client_id, client_secret and grant_type as well, but since they only contain ASCII characters they came out the same.
What I have done:
Researched through similar problems on SO: jenkins issue, ios issue, php issue, missing http issue,nodejs issue - similar to this one followed up by discussion, this, that, and all other ones present here - will omit them for brevity.
I've tried to set
http://localhost/google/oauth2/callback:3030 as well as
http://127.0.0.1:3030/google/oauth2/callback and
http://127.0.0.1/google/oauth2/callback:3000 (although specifying a port in the end is super weird and changing localhost to 127.0.0.1, but was suggested in one of the similar threads), none of these worked.
Read all the docs from google
Played with OAuth2 Playground (where it works obviously), but doesn't work for me
Tried multiple variations for body + different content types the same problem, but sometimes I also get
{
"error": "invalid_grant",
"error_description": "Bad Request"
}
Any help would be appreciated.
After some time I was able to successfully obtain a token. Turns out that I didn't craft request to Google API correctly. Also, for the "curl" request it should be --data rather than --data-urlencode. The following request worked for me:
curl --request POST \
--url https://oauth2.googleapis.com/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data code=4%2F0AY0e-g4TLGE7c7VyMe8-95baQzeh0uERiKuGnHG5Sqccb4MCsmJOzV_a2jSbI9bm62VZ6Q \
--data redirect_uri=http%3A%2F%2Flocalhost%3A3030%2Fgoogle%2Foauth2%2Fcallback \
--data client_id=********* \
--data client_secret=********* \
--data grant_type=authorization_code
or
curl --request POST \
--url https://oauth2.googleapis.com/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data 'code=4%2F0AY0e-g4TLGE7c7VyMe8-95baQzeh0uERiKuGnHG5Sqccb4MCsmJOzV_a2jSbI9bm62VZ6Q&redirect_uri=http%3A%2F%2Flocalhost%3A3030%2Fgoogle%2Foauth2%2Fcallback&client_id=*********&client_secret=*********&grant_type=authorization_code'
One more observation: When you test, you can use the authorization code only once (for security reasons). Sometimes even if you send multiple "unsuccessful requests" with the same code, Google's API will reject all subsequent requests with that code (you need to go through the OAuth2 again flow to obtain a new one). The most "frustrating" part that confused me is that the response for the wrong code looks like this:
{
"error": "invalid_grant",
"error_description": "Bad Request"
}
instead of being something like "Code is not valid" or "Code has expired".
So, if you encounter an error above it means the request was crafted correctly, but the code is wrong.

Requesting list of groups in Auth0-Authorization extension but returns 403:Insufficient scope error

I've installed the Authorization extension in my Auth0 account, so authorization functionality works perfectly but now I want to access all the groups I've created there in that authorization extension. So I've followed Authorization docs but when I use the token I've generated for that it throws 403: Insufficient scope error in response.
These are the steps I've gone through:
1.Requested a token:
curl -X POST \
https://my_domain.auth0.com/oauth/token \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '{
"client_id":"auth0-authorization-extension-api-client-id",
"client_secret":"auth0-authorization-extension-api-secret",
"audience":"urn:auth0-authz-api",
"grant_type":"client_credentials"
}'
Response:
{"access_token":"encoded_access_token","expires_in":86400,"token_type":"Bearer"}
2.Requested group list:
curl -X GET \
https://domain.us.webtask.io/some_hash/api/groups \
-H 'authorization: Bearer access_token'
Response:
{
"statusCode": 403,
"error": "Forbidden",
"message": "Insufficient scope"
}
Hopefully this isn't a problem still for you, but if it is:
Go to your Auth0 dashboard
Click on APIs
You should have an API called auth0-authorization-extension-api
Select Non-interactive clients tab
Select the client you want to give access to and change toggle to Authorized
There's a drop down arrow beside the authorized toggle, click that and under scopes give access to read:groups. You may need read:users too.
Hope that helps, thanks
Kevin

Cant access PFUsers from Parse

I am new to parse and ios development.
I want to use Parse for User management of an IOS app. With the help of documentation (https://parse.com/docs/ios/guide#users-signing-up) I was able to signup some sample users and I have the following in Parse app.
Then I want to retrieve all users (or query for specific) with following documentation help.
var query = PFUser.query()
query.whereKey("gender", equalTo:"female")
var girls = query.findObjects()
I was expected to receive an array of size 3 but surprisingly didn't receive any.
Later I figured out I can user API console feature of Parse and tried use it to receive PFUser objects. I received zero results.
Later I tried with sample table and I was successfully add, retrieve Objects to the table.
Not sure If I need to anything special for me to use PFUser.
I have tested using API Console and its working on my side. I have one entry in User table having gender = male.
I fired following curl query to retry all the users
curl -X GET \
-H "X-Parse-Application-Id: <#your-application-key>" \
-H "X-Parse-REST-API-Key: <#your-rest-api-key>" \
-G \
https://api.parse.com/1/users
Result from the above query is:
{"results":[{"gender":"male","createdAt":"2015-12-10T06:00:40.368Z","email":"sam07it22#gmail.com","objectId":"1KbxpYgeUb","updatedAt":"2015-12-10T06:01:32.885Z","username":"sam07it22#gmail.com"}]}
Now, I'm going to add Condition in above query to fetch records having gender = female. As per data expected result should have zero records
For gender = female
curl -X GET \
-H "X-Parse-Application-Id: <#your-application-key>" \
-H "X-Parse-REST-API-Key: <#your-rest-api-key>" \
-G \
--data-urlencode 'where={"gender":"female"}' \
https://api.parse.com/1/users
Output:
{"results":[]}
For gender = male
curl -X GET \
-H "X-Parse-Application-Id: <#your-application-key>" \
-H "X-Parse-REST-API-Key: <#your-rest-api-key>" \
-G \
--data-urlencode 'where={"gender":"male"}' \
https://api.parse.com/1/users
Output:
{"results":[{"gender":"male","createdAt":"2015-12-10T06:00:40.368Z","email":"sam07it22#gmail.com","objectId":"1KbxpYgeUb","updatedAt":"2015-12-10T06:01:32.885Z","username":"sam07it22#gmail.com"}]}
NOTE:
Don't forget to replace your API KEY and REST API KEY
ACL permissions has done the trick. ACL permissions has to be "public read" for them to be accessible. Here is more info about ACL in parse https://parse.com/docs/ios/guide#security-object-level-access-control

Resources