#rob_dotnet-3ds

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1237099695076020345

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

rob_dotnet-3ds

@low cradle in that case you go back to the client-side code you have and you need to use our web components/library: Stripe.js to show 3DS.
You aren't supposed to build your own UI to collect card details and such in a .NET, this isn't really supported

I am struggling with understanding how exactly I am supposed to implement this.

OPTION 1.

1. (User action) user fills in payment information on the client.

2. (User action) user clicks PAYNOW.

3. (Client function) PAYNOW triggered which will call a cloud function createPaymentIntent and passes in a cardToken,

4. (Cloud function) When createPaymentIntent is triggered it will take in the cardToken and create a new payment intent. This will check for required actions (3DS - V2), it will attempt the authentication process and if successful it will process the charge and set the payment intent state to processing. When the payment intent status changes to succeeded the Stripe API will trigger a web hook to the endpoint of another cloud function to process the booking. If however the payment intent fails V2 authentication (3DS - V2) then it will default to (3DS - V1). This is on the server currently. If additional action is required what happens next? Should it notify the client with some action (you mentioned urls are no longer needed and so on).. What happens?

5.(Client) - (if requires action) The Client receives a response outlining the required action? Then what?

OR

OPTION 2.

1. (User action) clicks PAYNOW.

On PAYNOW

2. (Client) user creates a payment intent on the client - which includes billing address + card information.

3. (Stripe SDK) Stripe SDK attempts to create the payment intent and process the charge via either non friction 3DS authentication (V2) or NO authentication required.

4. (Client) Client notified from Stripe SDK as to whether it was successful or not. If it was not and requires action (ie - user authentication by opening banking app and so on) Then what? And how?

5. (Cloud web hook) cloud web hook is triggered when, and only when the payment intent state changes to successful. This writes the booking (Out of scope).

I would really appreciate some advice on this matter.

Thanks for the quick reply. The cloud function is written in node.js (20). How am I supposed to get card details, billing address from the user?

Really you are supposed to scratch most of that, show a webview or open a browser and collect payment in that webview/browser with PaymentElement instead.

This is unrelated to Node.js which runs on your server. I am solely talking about the client-side portion of your mobile application

Ohh I see.. So I will open a webview and navigate to some url etc. Is this something i can attain from the stripe.net package?

There's nothing specific to "Stripe.net". That SDK should never be used for client-side code.

Also, what if there are required actions 3DS V1 (Fallback after failed V2 scenario)?

Interesting, I am currently using it to create stripe account for connected accounts..?

Should that all be handled server side then, if so, why?

That should never be done client-side in a mobile app though. That should always be done securely on a server

P.S Thanks for all of the advice

Because this requires using your Secret API key. If this is in your mobile app someone can extract it and do whatever they want with it, and you don't want that to happen

Very good point. I stupidly assumed that the Stripe.net package could be used on client.. Well.. I guess I can use it for the models etc? For example,

public sealed class PaymentIntentClientSideResponse
{
[JsonProperty("client_secret")]
public string ClientSecret { get; set; }

    [JsonProperty("status")]
    public string Status { get; set; }

    [JsonProperty("next_action")]
    public Stripe.PaymentIntentNextAction NextAction {get; set;}
}

You can but there shouldn't be any reason to do that honestly

Ok, that sounds positive. Can you give me a few steps that I should take in regards to the scenario above?

Basically all I want to do is to take a payment from a user and ensure that it all goes smoothly, on the success of that payment I would like one of my cloud funcitons to trigger to create a booking (out of scope).

Thanks again for your time here Koopajah

follow this doc: https://docs.stripe.com/payments/accept-a-payment

you might want to just use Checkout at this point, this would be way simpler for you than trying to do this in your own UI

The problem is that I am not using native iOS and Android I am using .net maui which interacts with native elements etc but.. It will require me to use web in the guide which will give an awful UX..

I have all of the UI sorted already

I was hoping the only time I would need a webview is when 3DS (V1) is required..?

Also in regards to creating the payment intent in the server to comply with 3DS (V2) it will require the device location (IP) and device ID.. How can it possibly get this from a cloud function?

I have all of the UI sorted already
The problem is that you likely don't. You design your own UI to collect a card number which leads to a substantial change in your PCI posture: https://stripe.com/docs/security/guide#validating-pci-compliance

what if I use a card token?

Instead of passing card details etc to server it passes the card token?

"methods of client-side tokenisation." ?

That doesn't change the problem: you still are not using our official SDKs for this and it causes the need for PCI SAQ A-EP at a minimum.
You do seem quite lost overall (especially if you were sending raw card details to your server which you really should never do unless you work at a big company with a dedicated PCI and security team which you likely don't have)

Redirect your customer to the browser to accept payments in that flow, that is the best approach

"You do seem quite lost" I am indeed but you are incorrect as to why.. I was never sending raw card details to the server. I was sending a card_token.. Which in one of the docs is best practice. I also spoke with stripe engineering support today and they confirmed that I was on the right path.. Is there an official SDK for .net MAUI?.. I am using the official stripe sdk in the server currently.

Ok, what about saving card details for next time using stripe? Is that an option with this browser UI element..?

Is there an official SDK for .net MAUI
No there is not and we don't have any plans to build one in the future at least.

That's why I am nudging you to use our web integration in a webview instead. I agree it's not the most natural but it's the best approach if you stick with this stack for now

Ok, what about saving card details for next time using stripe? Is that an option with this browser UI element..?
yes it is all documented on the doc I shared. You configure this on the PaymentIntent with setup_future_usage so that the card or payment method can be reused in the future