Concealing API key for offline apps?

Hi all, 🙂

I have a web browser extension called Sprucemarks which, even though it lives in a web browser, has many of the same concerns as an offline app. Concerns like…

  • Users must be online at least once to log in to Patreon.
  • Once logged in, how long do you let the software stay unlocked before checking in again?
  • Including anything secret in the distributable is NOT an option since web browser extensions are basically unprotected.

Distributing sensitive keys is obviously not an option so I ended up making a web service to handle OAuth keys, refresh tokens, and anything else that could be kept away from the client. Launched earlier this year, here is how things currently flow.

  • Users install and run the software.
  • Users are prompted to log in via Patreon.
  • Users are redirected to Patreon where they log in if needed.
  • Logged in users are given a choice to “Allow” or “Deny” sharing their account information.
  • Users that “Allow” sharing are redirected to my web service which now has a one-time use token to set up a relationship.
  • The web service connects to Patreon and gets all the Patreon info it needs, including access and refresh tokens.
  • Users are redirected back to the software which in my case, checks if they are an active patron or if they donated $7 over the life of their account. If yes to either, the software unlocks.

Phew, that was a lot of steps but that only covers the initial login. Because patrons can change their donation amounts, deactivate, reactivate, receive refunds, or even change their names, the client software needs to check in with the web service every once in a while. As long as a check-in happens once every 30 days, the web service gets fresh info, uses a refresh token if needed, and keeps that connection with Patreon going. If a user shuts off their computer for 6 months well then… they are going to need to log in via Patreon again.

The check-in process above is what my web service is currently set up to do but you could make yours fancier and have it automatically use refresh tokens, even when users do not check in. Then your server would always be at maximum readiness for users. Just probably want to add some logic so a user who has not been seen for X days or X months triggers the server to stop checking on their account. No use doing extra work if a user seems unlikely to return anytime soon.

While there are some things that cannot be avoided, like having a Patreon login or having some kind of check-in on a schedule, there really are a lot of ways you could set things up. It certainly does require a bit of work but there is also a lot of room for creativity, depending on how you want to handle different scenarios.

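The login and check-in flow described in the post, modelled as an added example (this is not Sprucemarks' code and not the real Patreon API). The Patreon side is a constructed in-memory stand-in: its method names, payloads, one-hour access-token lifetime and rotating refresh tokens are assumptions. The point it demonstrates is the separation the post relies on: the extension only ever holds an opaque session token, the web service holds the OAuth access and refresh tokens, the one-time code is rejected on replay, an expired access token is refreshed transparently during a check-in, and a client silent for more than 30 days has its stored tokens dropped and must log in via Patreon again.

```python
import secrets
from dataclasses import dataclass

CHECKIN_WINDOW = 30 * 24 * 3600   # 30 days, as in the post
LIFETIME_THRESHOLD_CENTS = 700    # "$7 over the life of their account"
ACCESS_TOKEN_TTL = 3600           # assumed lifetime of the simulated access token


class FakePatreon:
    """Constructed stand-in for Patreon's token/identity endpoints (not the real API)."""

    def __init__(self):
        self.members = {}   # user id -> {"active": bool, "lifetime_cents": int}
        self._codes = {}    # one-time authorization code -> user id
        self._access = {}   # access token -> (user id, expiry)
        self._refresh = {}  # refresh token -> user id

    def add_member(self, user_id, active, lifetime_cents):
        self.members[user_id] = {"active": active, "lifetime_cents": lifetime_cents}

    def authorize(self, user_id):
        """Simulates the user clicking "Allow": returns the one-time code."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = user_id
        return code

    def _grant(self, user_id, now):
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self._access[access] = (user_id, now + ACCESS_TOKEN_TTL)
        self._refresh[refresh] = user_id
        return {"access_token": access, "refresh_token": refresh, "expires_in": ACCESS_TOKEN_TTL}

    def exchange_code(self, code, now):
        user_id = self._codes.pop(code)            # KeyError: unknown or already-used code
        return self._grant(user_id, now)

    def refresh(self, refresh_token, now):
        user_id = self._refresh.pop(refresh_token)  # old refresh token is rotated out
        return self._grant(user_id, now)

    def identity(self, access_token, now):
        user_id, expiry = self._access[access_token]
        if now > expiry:
            raise PermissionError("access token expired")
        return {"id": user_id, **self.members[user_id]}


@dataclass
class PatronRecord:
    patreon_id: str
    access_token: str
    access_expiry: float
    refresh_token: str
    last_checkin: float
    active: bool
    lifetime_cents: int


class UnlockService:
    """The web service: keeps OAuth tokens, hands the extension only an opaque session."""

    def __init__(self, patreon):
        self.patreon = patreon
        self.patrons = {}    # patreon id -> PatronRecord
        self.sessions = {}   # opaque session token (held by the extension) -> patreon id

    def complete_login(self, code, now):
        """Redirect target after Patreon: exchange the one-time code, store tokens server-side."""
        grant = self.patreon.exchange_code(code, now)
        info = self.patreon.identity(grant["access_token"], now)
        rec = PatronRecord(info["id"], grant["access_token"], now + grant["expires_in"],
                           grant["refresh_token"], now, info["active"], info["lifetime_cents"])
        self.patrons[rec.patreon_id] = rec
        session = secrets.token_urlsafe(32)
        self.sessions[session] = rec.patreon_id
        return session, self._decide(rec)

    def check_in(self, session, now):
        pid = self.sessions.get(session)
        if pid is None:
            return {"unlocked": False, "reason": "unknown session; log in via Patreon again"}
        rec = self.patrons[pid]
        if now - rec.last_checkin > CHECKIN_WINDOW:
            # Stale client: drop the relationship so the refresh token is not kept forever.
            del self.sessions[session]
            del self.patrons[pid]
            return {"unlocked": False, "reason": "check-in window missed; log in via Patreon again"}
        if now >= rec.access_expiry:   # refresh transparently, the client never sees this
            grant = self.patreon.refresh(rec.refresh_token, now)
            rec.access_token, rec.refresh_token = grant["access_token"], grant["refresh_token"]
            rec.access_expiry = now + grant["expires_in"]
        info = self.patreon.identity(rec.access_token, now)
        rec.active, rec.lifetime_cents = info["active"], info["lifetime_cents"]
        rec.last_checkin = now
        return self._decide(rec)

    @staticmethod
    def _decide(rec):
        if rec.active:
            return {"unlocked": True, "reason": "active patron"}
        if rec.lifetime_cents >= LIFETIME_THRESHOLD_CENTS:
            return {"unlocked": True, "reason": "lifetime support >= $7"}
        return {"unlocked": False, "reason": "no qualifying support"}


def run_scenario():
    """Login, code replay, check-ins across a cancellation and a lifetime top-up, then
    a check-in after more than 30 days of silence. Returns the decisions for inspection."""
    patreon = FakePatreon()
    patreon.add_member("u1", active=True, lifetime_cents=300)   # constructed sample patron
    svc = UnlockService(patreon)
    t0 = 1_700_000_000.0
    code = patreon.authorize("u1")
    session, first = svc.complete_login(code, t0)
    try:
        svc.complete_login(code, t0)        # replaying the one-time code must fail
        replay_rejected = False
    except KeyError:
        replay_rejected = True
    patreon.members["u1"]["active"] = False             # patron cancels, lifetime < $7
    second = svc.check_in(session, t0 + 2 * ACCESS_TOKEN_TTL)   # access token expired: refresh path
    patreon.members["u1"]["lifetime_cents"] = 700       # lifetime support reaches $7
    third = svc.check_in(session, t0 + 3 * ACCESS_TOKEN_TTL)
    fourth = svc.check_in(session, t0 + 3 * ACCESS_TOKEN_TTL + CHECKIN_WINDOW + 1)
    return {"first": first, "replay_rejected": replay_rejected,
            "second": second, "third": third, "fourth": fourth}
```

In a real deployment the session token would be bound to a server-side expiry of its own and the refresh token encrypted at rest; the example keeps both in plain dictionaries only so it runs offline.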