#canadev-returnurl-susbcription

You can't control this for subscriptions no

I can't use the custom iframe solution and I need to use stripe.js?

What do you call "the custom iframe solution" exactly? Sorry there are 10+ ways to integrate and I assume you use the extremely advanced and discouraged one but want to make sure

I use https://stripe.com/docs/payments/3d-secure#custom-iframe and payment confirmation is server-side. I think i can still use it, but I need to listen to the postMessage «'3DS-authentication-complete'»

So when you confirm with the return_url server-side what happens? Do you get an error?

For a one-time payment, the return_url activates the products if it succeeds, else I generate a postMessage with custom error.
But for a subscription, I think we need to listen to «3DS-authentication-complete» and after, complete the product activation.

Another question : is it normal that the test payment page create a lot of CSP report ?

(in Firefox)

yes the CSP is fine/normal it's just a fake test page

I don't really grasp your question right now unfortunately. Like I assume you have handled 3DS without any issue for non subscription payment right? So what is blocking you specifically for subscription? What is not working?

For non-subscription payment, it works. I have a «confirm page» that generate a custom response through postMessage.
With subscription, I can’t use my confirm page. I need to use the postMessage of the Stripe confirmation page and I need to listen to «3DS-authentication-complete».

I just found out that the postMessage is «stripe-3ds-result» and not «3DS-authentication-complete». Is that correct? The doc is here : https://stripe.com/docs/payments/3d-secure#handle-redirect

With subscription, I can’t use my confirm page. I need to use the postMessage of the Stripe confirmation page and I need to listen to «3DS-authentication-complete».
what does that means? Why can't it work?

Hello! Catching up here and would be happy to help further, but I'm also not sure what "With subscription, I can’t use my confirm page." means. Can you provide more details?

Yes, no problem. When I make a non-subscription payment, I can do something like «$paymentIntent->confirm(['return_url' => 'https://my-confirm-page']);». If it's a subscription payment, I cannot specify a «return_url» to redirect to my confirmation-page. Instant, Stripe redirect to this page :

If it's a subscription payment, I cannot specify a «return_url» to redirect to my confirmation-page.

Why not?

You should be able to get the Payment Intent associated with the Subscription's latest Invoice and confirm it client-side the same way you would any other Payment Intent.

The subscription API doesnt have a parameter for «return_url»

Or server-side.

Subscriptions generate Invoices, and each Invoice has a Payment Intent associated with it: https://stripe.com/docs/api/invoices/object#invoice_object-payment_intent

You should be able to use most of your existing confirmation flow on those Payment Intents.

Does that make sense, or am I misunderstanding the issue?

How can I specify the return_url? Example (PHP) that I cannot do :

\Stripe\Subscription::create([
'customer' => ...,
'return_url' => '...',
...
]);

Do I need to do something with the latest_invoice?

$sub = \Stripe\Subscription::create([
'customer' => ...,
'return_url' => '...',
...
]);

$sub->latest_invoice->...?

With non-subscription payment, I can do :

\Stripe\PaymentIntent::create([
'confirm' => true,
'return_url' => '....'
]);

What are you setting payment_behavior to when creating the Subscription?

«allow_incomplete»

You should switch that to default_incomplete so the first payment isn't automatically attempted. You can then look at latest_invoice on the Subscription to get the Invoice, get that Invoice's Payment Intent, and confirm it using your existing process.

More details here: https://stripe.com/docs/api/subscriptions/create#create_subscription-payment_behavior

Also, you can use backticks to format code on discord, so using ` instead of « and » will make your code easier to read. 🙂

You can also use three backticks to do code blocks.

Nice! Next time I will try it. Thanks for your answer! I still have one question. After Stripe complete or failed a payment, the postMessage is stripe-3ds-result instead of 3DS-authentication-complete. Is that normal?

Like here : https://stripe.com/docs/payments/3d-secure#handle-redirect

As far as I'm aware the documentation is correct. stripe-3ds-result is used by Stripe.js internally, but I don't believe it's something you should ever interact with directly. Can you provide more details about where you're seeing stripe-3ds-result and if Stripe.js is involved or not?

I don't use stripe.js because everything is server-side, except the iframe. I print all postMessage in console and I get :

Oh, I think I understrand. This event is only for Stripe.js. Can I listen to this event or it's not recommended?

I don't believe you should be listening for it. You should only be doing what's described in the documentation you linked to above.

ok. Thanks! Sorry for the confusion!