I’m working on a website that will provide access to certain parts/documents through a tier system using Patreon. However, users would not have a specific account on the website, as it would not bring anything more than the Patreon OAuth would in the first place.
While looking at the OAuth doc, I came upon this:
“Connect with Patreon,” not “Sign up with Patreon”
While many people are familiar with OAuth from things like “Login with Facebook”, it’s important to note that Patreon’s implementation of OAuth is not intended to serve as an authentication layer for third-party services, but rather as a way to “Connect” one’s Patreon user details to a preexisting account on third-party services.
Restated simply, don’t use Patreon OAuth as the primary login mechanism for your site, only as a way to Connect a user’s Patreon profile to a user profile on your site. Doing otherwise will create very serious security vulnerabilities on your site.
The doc says that using OAuth as the primary login mechanism would create very serious security vulnerabilities on your site, but it doesn’t say why.
Could someone please explain to me what kind of security vulnerabilities it would cause?
Thanks in advance for your replies.
EDIT: so sorry, I didn’t see that a topic already existed about that question: here
Do you know if that statement from 2018 is still true? That as long as there is no merging of existing users from our website with Patreon emails, it should be okay?