stripe-apps: Retrieving connected accounts raises permission error

Describe the bug

Previously, when an account was authorized using the Connect OAuth flow, the account details could be fetched using the retrieve account endpoint:

Stripe::Account.retrieve("acct_abc123")
# => <Stripe::Account id=acct_abc123>

However, after connecting an account by installing the Stripe App, this API call now raises a Stripe::PermissionError:

Stripe::Account.retrieve("acct_abc123")
# => Stripe::PermissionError ((Status 403) (Request req_Z1qph5bRRnifof)
# => This application does not have the required permissions for this endpoint on account 'acct_abc123'.
# => Having the 'read_only' scope would allow this request to continue.)

account_read is not an available permission our Stripe App can request, so currently there is no way for us to fetch account details for these merchants.

(Note that we are still able to make other API calls related to the connected account. For example, Stripe::Customer.list({}, stripe_account: 'acct_abc123') works as expected.)

To Reproduce

Steps to reproduce the behavior:

  1. Install the Stripe App into an account (ex: acct_abc123)
  2. Attempt to fetch account details via API (ex: Stripe::Account.retrieve('acct_abc123') in Ruby)
  3. Stripe::PermissionError is raised

Expected behavior

Calling Stripe::Account.retrieve('acct_abc123') after installing the app returns the account object.

Screenshots N/A

Desktop (please complete the following information): N/A

Additional context N/A

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 8
  • Comments: 19 (4 by maintainers)

Most upvoted comments

Closing this issue because it appears to be fixed. You need to grant your app the new connected_account_read permission in order to retrieve account details.

@kylefox the way you are expecting it to work is the way I believe it should, which has me thinking maybe something is not wired correctly (or we have a bug here). Accessing the account should be implicit with install. Couple of questions that may help us.

  1. Are you installing the app on the account that owns the app or another account?
  2. Can you confirm the app secret key of the account that owns the app is the same key being used to make the API request? And also the account ID is the correct one and not hardcoded in somewhere.

I realize question 2 is like asking if you tried restarting your computer, but you never know!