We can't do Scenario #1 due to the different use cases we have to support. For example different initial price and duration from the recurring, which requires us to use a SubscriptionSchedule that can't work with Scenario #1.
We've implemented Scenario #2 instead. We do authenticate SCA on initial payment at all times, but what was happening is the SCA was failing for the initial invoice when we were creating the subscriptions and this should be fixed in next release as we now explicitly set off_session to true when we create subscriptions.
stripe.com/docs/billing/migration/strong-customer-authentication#scenario-2
In a future release I might try implementing Scenario #1 AND Scenario #2, but that's yet another rewrite to deal with that I do not have the time for after already rewriting this to support Scenario #2 and really shouldn't be necessary.
Also within your Stripe account navigate to Settings > Subscriptions and emails > Manage payments that require confirmation and toggle on "Customer emails". If Stripe requires SCA during a recurring payment it will email them to authorize it. We don't handle this ourself via webhook and currently don't plan to since Stripe can more cleanly.
With next release you'll be able to configure whether you want to accept incomplete payments, which will cause Stripe to send them an SCA email so that will be entirely up to you and in those situations the basket will be put into a pending status.
krileon
