Single Sign-On for Customer Portal

Are there any plans to support SSO authentication between our customer application and the Stripe-hosted Customer Portal? The current email address / OTP login does not provide a seamless experience for customers accessing the customer portal from our application. If we were able to integrate our IdP with Stripe, users could have 1-click access to the customer portal.

Additionally, if a contact is associated with multiple customers in Stripe, being able to use the org identifier as a claim would make it more secure, as then the only way they can access the customer portal is by logging in to that org within our platform first.

Just wanted to add that this is even more required by us now, knowing that the short-lived URL that is created when creating a customer portal session has a rolling 1-hour lifetime once accessed. This is definitely a security concern, and we will be unable to use the customer portal at all until some type of authentication mechanism besides email/OTP is introduced.

My customers have one-click access to the customer portal (it even doesn’t have to be the click); just follow these instructions: Integrate the customer portal with the API | Stripe Documentation

If you’re not using the login capabilities for the customer portal that means you’re using the short-lived URL approach. The problem I have with this is that:

  • Any activity by the customer on the customer portal ensures a rolling 1-hour lifetime of that URL. No way to reduce this.
  • No way to revoke the URL after it’s created and accessed.
  • Not impossible for this URL to be guessed.

If I could set the lifetime of the URL and it was a much more obfuscated URL, I could maybe deal with that.

A better solution is to allow integration between the customer’s app IdP and Stripe. That way it’s more seamless for the end users, as they are already authenticated in the app, AND you don’t have to worry about short-lived URLs being guessed if active.
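The API-based one-click flow the replies above point to, written as an added example (not Stripe’s code or any poster’s): the app’s own authenticated session decides which Stripe customer a portal session may be minted for, which is the "org identifier as a claim" idea from the first post. `AppSession`, `ORG_TO_CUSTOMER` and `fake_create_portal_session` are constructed stand-ins; the real call would be `stripe.billing_portal.Session.create(customer=..., return_url=...)`.

```python
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

# Constructed stand-in for the app's own login state: the IdP has already
# authenticated the user, and org_id is the org they are currently logged into.
@dataclass(frozen=True)
class AppSession:
    user_id: str
    org_id: str

@dataclass(frozen=True)
class PortalDecision:
    url: Optional[str]   # portal URL to redirect to, or None when refused
    reason: str

def issue_portal_url(
    session: Optional[AppSession],
    requested_customer: str,
    org_to_customer: Mapping[str, str],
    create_portal_session: Callable[[str, str], str],
    return_url: str,
) -> PortalDecision:
    """Mint a portal session only for the Stripe customer bound to the org the
    caller is logged into, so the app session (not an e-mail/OTP login) gates
    which customer's portal can be opened."""
    if session is None:
        return PortalDecision(None, "not authenticated")
    bound = org_to_customer.get(session.org_id)
    if bound is None:
        return PortalDecision(None, "active org has no Stripe customer")
    if bound != requested_customer:
        # A contact linked to several Stripe customers can only reach the one
        # that belongs to the org they are currently signed in to.
        return PortalDecision(None, "customer not bound to the active org")
    # create_portal_session is a hypothetical wrapper around
    # stripe.billing_portal.Session.create(customer=..., return_url=...).url;
    # the returned URL is short-lived, so redirect to it and never store it.
    return PortalDecision(create_portal_session(requested_customer, return_url), "ok")

# Constructed data and a fake Stripe call so the example runs offline.
ORG_TO_CUSTOMER = {"org_acme": "cus_ACME", "org_beta": "cus_BETA"}

def fake_create_portal_session(customer: str, return_url: str) -> str:
    return f"https://billing.example.test/session/{customer}?return={return_url}"

def demo(org_id: str, requested_customer: str) -> PortalDecision:
    return issue_portal_url(AppSession("u_1", org_id), requested_customer,
                            ORG_TO_CUSTOMER, fake_create_portal_session,
                            "https://app.example.test/account")

if __name__ == "__main__":
    print(demo("org_acme", "cus_ACME"))   # allowed: customer bound to active org
    print(demo("org_acme", "cus_BETA"))   # refused: belongs to a different org
```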

I got you. The URL includes a random hash of 84 characters, not that strong for the operations users can perform there; I wasn’t able to find anything about session expiration. The Checkout short-lived URL has a much longer hash. You’ve got me concerned as well.

I’d suggest you talk to Stripe developers on the Stripe Developers Discord; there’s a “#dev-help” channel where they assist with integration and also may answer questions. Would be great if you brought a little summary here (if you decide to ask them).
Cheers

It’s shown here in the table under ephemeral sessions: Customer self-service with a customer portal | Stripe Documentation.

It would be much better if the hash was as long as the Checkout URL. We do in fact use the hosted Checkout page, just not the customer portal. Until these concerns are addressed, we’ve had to build our own customer portal functionality.