Cannot authenticate accounts that use Patreon w/Google Login

I have account A, where the user signs in to Patreon with a username and password.

I have a second account, B, where the user signs in to Patreon via Google Sign In.

In both cases, I can initiate an initial authentication with https://www.patreon.com/oauth2/authorize, which then transitions to the Patreon website and prompts the user to either Allow or Deny. In both cases, we are asking for the identity[email] and identity.memberships scopes. In both cases, we select Allow, and in both cases, Patreon successfully redirects to our website with the code parameter. We then attempt to get an access token using the endpoint https://www.patreon.com/api/oauth2/token and the provided code.

With account A, username+password, everything works as expected - we get a set of access and refresh tokens as documented by the Patreon API.

With account B, Google Sign In, we get a 401 response and are unable to proceed.

We have tested this so far with 5 accounts using username+password with no issue and another 5 using Google Sign In, and the results are 100% consistent in failing for Google Sign In only.

I am running into what seems like the same issue, but with my test account that connects via Facebook. I am able to get an oauth token from the oauth2/authorize endpoint, but that token will always result in a 401 error regardless of the scopes or fields requested from e.g. the identity endpoint.

All of my test accounts that use emails registered directly with Patreon work, and weirdly my one Google sign-in test account that I just created and tried also works? But Facebook does not, and I have another tester that is running into this issue and I suspect they use Apple sign in.

For anyone else encountering this in the future: my particular issue ended up being the token scopes I was authorizing with.

During development, I missed the part of the docs on scope where it mentioned the returned token scopes being a superset of any and all scopes ever authorized. So, once I got my code working and intended to do a cleanup pass removing any unnecessary scopes from what I ended up using…I definitely took too many out, even though for all of my test accounts/cases everything kept working since they had at one time been authorized with the sufficient token scopes.

Then once new users started trying to connect, the scopes I was specifying at that point were therefore insufficient for the data I was requesting, hence the 401 errors. I must have at one point tested with a ‘Connect with Google’ account, which is the only reason I can think why that particular bit worked for me when it wasn’t working for the other things I later tried.
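
The failure mode described in the last post can be caught before release by auditing the requested scopes against what the app actually calls, instead of relying on test accounts whose tokens still carry earlier grants. The following is an added example, not code from the thread or from Patreon. The feature names, the feature-to-scope mapping, and the space-separated format of the token's scope string are assumptions.

```python
"""Pre-release check: do the scopes we request cover what the app calls?"""

# Assumption: illustrative mapping from app features to the Patreon scopes
# they need. Verify each entry against the Patreon API docs for your app.
FEATURE_SCOPES = {
    "read_profile": {"identity"},
    "read_email": {"identity[email]"},
    "read_memberships": {"identity.memberships"},
}


def parse_scopes(scope_string):
    """Split a space-separated OAuth scope string into a set."""
    return set(scope_string.split())


def audit_scopes(requested, features, token_scope=None):
    """Compare requested scopes against what the app's features need.

    requested   -- scope string sent to the authorize endpoint
    features    -- keys of FEATURE_SCOPES the app uses
    token_scope -- scope string of a token from a test account, if any
    """
    requested_set = parse_scopes(requested)
    needed = set()
    for feature in features:
        needed |= FEATURE_SCOPES[feature]
    missing = needed - requested_set
    result = {"missing_for_new_users": sorted(missing), "masked_by_old_grant": False}
    if token_scope is not None:
        granted = parse_scopes(token_scope)
        # The token carries scopes from earlier authorizations, so calls
        # succeed for this account even though the current request is short.
        result["masked_by_old_grant"] = bool(missing) and missing <= granted
    return result


if __name__ == "__main__":
    # Constructed sample: scopes trimmed to "identity", tested with an
    # account that had approved the full set during development.
    report = audit_scopes(
        requested="identity",
        features=["read_profile", "read_email", "read_memberships"],
        token_scope="identity identity[email] identity.memberships",
    )
    print(report)
```

A non-empty `missing_for_new_users` list means first-time users will receive tokens that cannot satisfy the app's requests, even when `masked_by_old_grant` shows that the test account still works.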