Acceptable use of OAuth?

The OAuth Explained page says:

While many people are familiar with OAuth from things like “Login with Facebook”, it’s important to note that Patreon’s implementation of OAuth is not intended to serve as an authentication layer for third-party services, but rather as a way to “Connect” one’s Patreon user details to a preexisting account on third-party services.

Restated simply, don’t use Patreon OAuth as the primary login mechanism for your site, only as a way to Connect a user’s Patreon profile to a user profile on your site. Doing otherwise will create very serious security vulnerabilities on your site.

I’m curious what “serious security vulnerabilities” it would create. Isn’t the OAuth used to confirm that whoever is currently browsing the site has access to the Patreon account associated with the retrieved token? Wouldn’t that be the basis for both a “Connect” and “Login” approach?

But anyway, I accept that Patreon isn’t that kind of service. The question is if the following use would be acceptable:

  1. The user clicks the “Connect with Patreon” button
  2. The user gets redirected to a website, where it retrieves the token and gets the user’s relevant data
  3. If the user has pledged, it shows a form where additional information is entered that’s necessary for completing rewards

Would that constitute an acceptable use of Patreon OAuth?

Since there is no additional login mechanism, technically the Patreon OAuth is the primary login mechanism, but all the page is, is one form, and all it needs to know is what the user has pledged to and his Patreon Name/ID. I’m not sure what security it would add to have the user register separately for submitting one form.
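As an added illustration of steps 1 to 3 above (example code, not from the question or from Patreon): the server side of the connect flow, with the `state` nonce check that ties the redirect back to the browser session that started it, and a pledge check over a constructed identity response. The authorize URL and scope names are taken from Patreon’s public API docs rather than this thread; the shape of the identity JSON is my reading of the v2 identity endpoint with memberships included and is an assumption.

```python
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Patreon's documented authorize endpoint (not from the original post).
AUTHORIZE_URL = "https://www.patreon.com/oauth2/authorize"


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    # Step 1: the "Connect with Patreon" link. `state` is a random per-session
    # nonce stored server-side; the callback must present it again.
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "identity identity.memberships",
              "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def extract_code(callback_url: str, expected_state: str):
    # Step 2: parse the redirect back. Reject it when `state` is missing or
    # differs from the one this session issued, so an authorization code
    # obtained in some other browser cannot be attached to this session.
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(state, expected_state):
        return None
    return qs.get("code", [None])[0]


def pledge_summary(identity: dict) -> dict:
    # Step 3: decide who sees the reward form. `identity` is the decoded JSON
    # of the identity endpoint fetched with the access token and
    # include=memberships; the field names are my reading of the v2 API (assumed).
    active = [m for m in identity.get("included", [])
              if m.get("type") == "member"
              and m["attributes"].get("patron_status") == "active_patron"]
    return {
        "patreon_id": identity["data"]["id"],
        "name": identity["data"]["attributes"].get("full_name"),
        "has_pledged": bool(active),
        "entitled_cents": sum(m["attributes"].get("currently_entitled_amount_cents", 0)
                              for m in active),
    }


# Constructed sample identity response (not real data).
SAMPLE_IDENTITY = {
    "data": {"id": "12345", "type": "user", "attributes": {"full_name": "Example Patron"}},
    "included": [{"id": "m1", "type": "member", "attributes": {
        "patron_status": "active_patron", "currently_entitled_amount_cents": 500}}],
}
```

The token exchange itself is a normal HTTPS POST to Patreon’s token endpoint and is left out so the block runs offline; `pledge_summary` is what the form page would consult before rendering.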

This question has been asked before, and I provided some input, as did one of the Patreon staff members; you can find that thread here: "Sign in with Patreon" style authentication for users
