#henryd

Here's something related documentation about that timeout:

https://stripe.dev/stripe-android/payments-core/com.stripe.android/-payment-auth-config/-stripe3ds2-config/-builder/set-timeout.html

When you test the timeout, are you using a real card? Or a test card?

It's a real one

It's VISA

We're testing on production

The authentication challenge did not expire even after 10 minutes, as shown in the video

It is supposed to get expired after 5 minutes, according to the docs you provide information I get from the SDK internal code

Got it... Hmmmm... Are you explicitly setting the timeout property?

Nope

It should take the default value you handle internally in the mobile SDK (5 minutes)

I'm not seeing it mention anywhere that 5 minutes is a default value; only that it's the minimum. Where are you seeing that?

Not sure if you're familiar with the code

But you set that value here: https://github.com/stripe/stripe-android/blob/76b9f3528ba2db1460b586096759fd401e1a492e/payments-core/src/main/java/com/stripe/android/PaymentAuthConfig.kt#L82

Hello! I'm taking over and catching up...

I think this might be related to this issue: https://github.com/stripe/stripe-android/issues/5154

Those customization parameters are applied to the 3DS2 native version. If your authentication flow is using PaymentAuthWebViewActivity that means you're going through a web version of 3DS. In that case we load a URL provided by the issuer, so not all of those customization parameters can be used. Our backend decides whether to use the native or web version.

But that one is for 3DS1

In our case, we prompt the native 3DS2 version

Aren't those params don't being taken for 3DS2 as well?

Not sure what you mean by "But that one is for 3DS1"?

Because the dev who reported that issue refers to PaymentAuthWebViewActivity

Only 3DS1 is done through a WebView

As my understanding

That's not correct, 3DSv2 is done via both native and web. In the video it looks like the web flow to me, but it's hard to be 100% certain.

Note the last sentence of the quote I posted above:

Our backend decides whether to use the native or web version.

That means you can't force native all the time.

I don't think some card issuers support the native flow, so they fall back to web.

Got it. Well, at least the container of the authentication screen we see in the video looks like a native android activity (because of the toolbar)

But the content looks like an embed web page yeah

So basically there will be some cases where such parameters set on the SDK are going to be applied based on the version of the challenge that is presented to the user, right?

Basically, native vs webview

Yep, that's correct as far as I know (but I am not an Android expert).

Got it. Do you think you can reach an Android dev from your team just to confirm this stuff 😅 ?

I can check, not sure if we have someone available right now. Hang on. 🙂

Thank you

Found someone, but they're currently in a meeting, so it will be a few minutes. 🙂

Yep, looks like what I found above is correct. They reviewed the thread and also called out that 3DS1 is deprecated and was replaced by 3DS2 completely in October of 2022.

I'm not following that last message

The part about 3DS1 being replaced with 3DS2 or something else?

I mean, 3DS1 does not support timeout but the new 3DS2 does, is this right?

3DS2 does at least. I am having trouble finding what 3DS1 supported when it was still in use. Do you have the info that you need to use this timeout with 3DS2?

Yeah, I was able to replicate the expired authentication flow using a testing credit card that requires 3DS2

This is in testing mode

I was wondering why we weren't able to see the authentication challenge get timed out when we tested on production (see the video I posted lately in the thread)

Looks like that one was 3DS1?

Oh so is the question why 3DS1 was showing up here for the test 3DS2 card?

I don't know them by sight but can look in to it

No, the first video #1103727117772009522 message was made using a real credit card on production, my question was why it didn't get timed out after more than 10 minutes passed

@solemn knoll said that it was probably a 3DS2 (embedded in a webview) attempt and that this mechanism does not take the timeout set by the mobile SDK (5 minutes by default)

I just want to know in which cases that timeout is not going to work

Both of these flows were 3DS2 the difference that Rubeus was talking about is that your first video uses the web flow which is unfortunately not subject to that timeout. The native flow is which is why it works in that video.

Do you know what are the cases when 3DS2 is shown using the web flow? Does this happen when the "frictionless" flow is presented?

This is the log for the authentication we tested on production

What are you asking here exactly, what happens with the frictionless flow?

It's possible the 3ds modal will be surfaced and show a "loader" in that case, then clear automatically if no action is needed

I'm asking in which cases 3DS2 uses a Webview

And when it uses the native experience

Gotcha, that depends on a lot of factors, including in some cases the issuer where we've detected issues with non-web flows. But generally no we can't say ahead of time for real cards