"Connect with Patreon," not "Sign up with Patreon" distinction


I’m working on a website that will provide access to certain parts/documents thanks to a tier system using Patreon. However, users would not have a specific account on the website, as it would not bring anything more than the Patreon OAuth would in the first place.
While looking at the OAuth doc, I came upon this:


“Connect with Patreon,” not “Sign up with Patreon”

While many people are familiar with OAuth from things like “Login with Facebook”, it’s important to note that Patreon’s implementation of OAuth is not intended to serve as an authentication layer for third-party services, but rather as a way to “Connect” one’s Patreon user details to a preexisting account on third-party services.

Restated simply, don’t use Patreon OAuth as the primary login mechanism for your site, only as a way to Connect a user’s Patreon profile to a user profile on your site. Doing otherwise will create very serious security vulnerabilities on your site.

The doc says that using OAuth as the primary login mechanism would create very serious security vulnerabilities on your site but it doesn’t say why.
Could someone please explain to me what kind of security vulnerabilities it would cause?

Thanks in advance for your replies.

EDIT: so sorry, I didn’t see that a topic already existed about that question: here
Do you know if that statement from 2018 is still true? That as long as there is no merging between existing users from our website and Patreon emails, it should be okay?

If the Patreon email of the user is verified, it shouldn’t be a problem. Of course, you should make sure the email the user has at your site is also verified in case this is a pre-existing user at your site.

Just check whether the Patreon user’s email is verified in the user data that comes from Patreon, and that should be safe to use in any way. If the user email is not verified, then don’t merge that user with existing users.

Thank you for your answer.
However, my question is about the case where I don’t manage users on my website.

Would it be safe to use the token and associated rights coming from OAuth as a user, to unlock part of the website to the person that made the OAuth login?

As long as you don’t merge the Patreon user with the users at your service if the Patreon user does not have his/her email verified, yes.
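One way to apply the rule from this thread in code, as an added example that is not part of the original posts: a function that takes the identity response returned after the OAuth exchange and decides whether the Patreon user may be merged with a pre-existing site account, and otherwise keys access on the Patreon user id alone (the no-local-accounts case asked about above). The payload shape and the `is_email_verified` attribute name follow Patreon's API v2 user resource; the local user store is a constructed stand-in for a site's user table.

```python
"""Decide how to treat an OAuth-connected Patreon identity.

Added example. The identity payload shape (data.id, data.attributes.email,
data.attributes.is_email_verified) follows Patreon's API v2 user resource;
LocalUser and the local_users mapping are a constructed stand-in for a
site's own user table (keyed by lower-cased email).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LocalUser:
    user_id: str
    email: str
    email_verified: bool


@dataclass(frozen=True)
class Decision:
    action: str     # "merge", "standalone" or "refuse_merge"
    principal: str  # identifier the session / entitlement is keyed on
    reason: str


def decide_identity(identity: dict, local_users: dict[str, LocalUser]) -> Decision:
    """Map a Patreon identity response to a session principal.

    Rule from the thread: merge with a pre-existing site account only when
    the Patreon email is verified *and* the site account's email is verified.
    In every other case the session is keyed on the Patreon user id, never on
    an email string that nobody has proven control of.
    """
    data = identity["data"]
    patreon_id = str(data["id"])
    attrs = data.get("attributes") or {}
    email = (attrs.get("email") or "").strip().lower()
    verified = bool(attrs.get("is_email_verified", False))

    existing = local_users.get(email) if email else None
    if existing is None:
        # No site account to merge with: access is granted to the Patreon
        # user id that completed the OAuth flow, and nothing else.
        return Decision("standalone", f"patreon:{patreon_id}",
                        "no local account for this email")
    if verified and existing.email_verified:
        return Decision("merge", existing.user_id,
                        "both sides verified the same email")
    return Decision("refuse_merge", f"patreon:{patreon_id}",
                    "email unverified on Patreon or on the site; not merging")
```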