Getting an email of the authorised user

I have a creator account, and my goal is to make a mobile application, that would allow the user to sign in with Patreon, so I will be able to check if that user is my patron.

What I am doing right now:

1. User inputs the email and presses redirect user to the web view with the request:
   /oauth2/authorize?response_type=code&client_id=<client_id>&redirect_uri=<redirect_uri>&state=user@email.com
2. After pressing on the approve button, my backend gets call via <redirect_uri>, containing code and state parameters.
3. Use code from Step2 I get access token via /api/oauth2/token call
4. The most interesting part. I hit /api/oauth2/v2/identity endpoint to get memberships of the logged in user.
   But the problem is I can’t get the user’s email for my validation purposes, i.e. I can’t be sure that the email user has entered in Step 1 is the same, that the user used to log into Patreon.

When I try to add various values for scope in request in Step1, I encounter different problems: FIrst of all, I can’t specify multiple scopes at once, i.e. &scope=campaigns,identity.membership leads to the redirect with error=invalid_scope.
If I try to specify only identity.membership as a scope, then when I use the access_token as Bearer token for further API requests, I keep getting errors like.

{
“errors”: [
{
“code”: 1,
“code_name”: “Unauthorized”,
“detail”: “The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn’t understand how to supply the credentials required.”,
“id”: “”,
“status”: “401”,
“title”: “Unauthorized”
}
]
}

So, the question, is there a way to have my patron logged in with his Patreon account into my mobile app, so I can validate that

1. The user is actually my patron
2. The user’s email is the same that was used for Patreon log in.

I need to do this as well! Waiting for an answer from Patreon Techs

In order to get the user’s email, your token must ask the email scope during authorization. Then specifically request the email in the call to /identity endpoint.

Also - avoid using emails for anything if the email is marked as not verified at Patreon.

The WordPress plugin has good examples on how to do all of that:

Hi @codebard , thanks for your reply.

Sorry, but it’s still not clear how to request the emails scope.

Here’s what I’m doing:

1. Open the web view with the request to the Patreon API

/oauth2/authorize?response_type=code&client_id=<my_app_client_id>&redirect_uri=<my_redirect_uri>&state=<my_identifier>&scope=identity%5Bemail%5D

Please notice the scope argument appended to the end.

2. After user authorises my app via Patreon, I get the code, which I use to get the access/refresh tokens.

3. When I try to fetch the simplest data by /api/oauth2/v2/identity and adding a header
   Authorization: Bearer <access_token_value>, I get the error:

{
    "errors": [
        {
            "code": 1,
            "code_name": "Unauthorized",
            "detail": "The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required.",
            "id": "3875af77-c418-59dc-bae6-2499f354699a",
            "status": "401",
            "title": "Unauthorized"
        }
    ]
}

In case I don’t add the scope=identity[email] to the very first step, Patreon API doesn’t complain on the access_token I get, and I am able to fetch requested data.

P.S. Special thanks for the note regarding non-confirmed emails, I missed that use case.

For those, who is struggling with the same – I’ve managed to find out the workflow.

1. The initial request should be /oauth2/authorize?response_type=code&client_id=<my_app_client_id>&redirect_uri=<my_redirect_uri>&state=<my_identifier>&scope=identity%20identity%5Bemail%5D (please pay attention to the value of the scope parameter)

2. After user authorises our app in the web view, Patreon redirects to the <my_redirect_uri> with the code parameter. get the value and use it to get the access and refresh tokens via
   /api/oauth2/token endpoint.

3. To get the email of the patron, you should add a header “Authorization”: “Bearer <access_token>” (i.e. “Authorization”: “Bearer 123xyz456abc789”) and perform the request
   /api/oauth2/v2/identity?fields%5Buser%5D=email&include=memberships&fields%5Bmember%5D=patron_status

4. From the response to that request, you’d be able to find out if the logged in user is actually your patron, what is her or his email, and is the patron actually an active patron, or just a former one.

Problem solved!
cc @Urban_Griller

Thanks again @codebard for your help!

Yes, you must request the identity and identity[email] scopes separately. Good catch you found that out swiftly.

For anyone still puzzled, I’d like to add: the scope list must be SPACE separated, NOT COMMA separated like the field inclusion list parameters. It’s the difference between %2C and %20 in the encoded url.