Getting either a CORS issue or a Cloudflare challenge when trying to redirect to authorize with OAuth2?

I am trying to redirect a user to log in with their Patreon account and to obtain the code needed to retrieve their access token by using the following code in Python (Flask framework):

 auth_url = 'https://www.patreon.com/oauth2/authorize?response_type=code&client_id=' + client_id +'&redirect_uri=' + redirect_url
 redirect(auth_url)

When I try this I am getting a CORS issue on the frontend.

So then I tried this instead:

  auth_url = 'https://www.patreon.com/oauth2/authorize?response_type=code&client_id=' + client_id +'&redirect_uri=' + redirect_url
  return(requests.get(auth_url, allow_redirects=True).text)

which gives me a Cloudflare challenge page (without the CAPTCHA visible, so it's essentially unusable) instead of the Patreon login page when the HTML/CSS/JavaScript text that is returned is loaded in the browser.

Any help would be really appreciated. I understand the Patreon API does not support CORS client side, but the redirect (302) is occurring server side, so the first should work, correct? And in case the first doesn't work, why is the second one asking me to deal with a CAPTCHA challenge (which is not fully visible)?

Thanks for the help in advance!

Are you loading or using any scripts in an iframe during the process? Or does any 3rd party site or a domain not related to your app kick in during the process?

For the frontend I am not using any iframes, but I am using jQuery and Bootstrap, just standard CDN links in script tags to their JavaScript libraries but nothing else. In terms of the backend, no, there are no 3rd party sites/domains interfering.

Anyone have any thoughts?

Is the redirect that is happening a full redirect to a given url at the same domain/subdomain where your app is?

It's just to localhost during testing, so I think yes? Feel free to correct me if I'm wrong. Thanks for the help by the way.

This is all I'm trying to do -

auth_url = 'https://www.patreon.com/oauth2/authorize?response_type=code&client_id=' + client_id + '&redirect_uri=' + redirect_url

Followed by either:

return redirect(auth_url)

OR

return requests.get(auth_url).text

Shouldn’t at least one of these work?

Redirect URI is rather important. A value like localhost may not work. You can try setting up some test setup somewhere that is accessible via a subdomain or any domain and see if this provides a better result. I.e., you can try to get a developer setup that is not at localhost going.

Changed the redirect URL, still same problem, getting a CORS issue when doing the following in Flask on the backend:

redirect("https://www.patreon.com/oauth2/authorize?.…")

This is the result that shows up in the console tab on Chrome:

Access to XMLHttpRequest at 'https://www.patreon.com/oauth2/authorize?response_type=code&client_id=<client_id>&redirect_uri=<redirect_uri>' from origin 'null' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I'm using a URL that is an actual FQDN of a domain I own, but I'm still experiencing the same issue.

Is this being returned by your Flask app or dev installation, or from Patreon?

That is being returned from Patreon inside my Chrome browser. Because I was stuck I switched up my code to just execute:

resp = requests.get("https://www.patreon.com/oauth2/authorize?response_type=code&client_id=" + client_id + "&redirect_uri=" + redirect_url)

and it's sending me a captcha challenge now (no Chrome error/Flask error or any error on my side, just a captcha challenge webpage with HTML etc. being returned in the resp object, that my backend obviously cannot process). Any idea why a simple authorize is asking me to solve a captcha?

EDIT: tried adding a user agent to the headers as recommended in other posts and it’s still not working. Also, I tried contacting @Jackie_Bow about this and I haven’t received any response in months. Can you please help link me with the team somehow?

Jackie has not been with Patreon for a while.

If adding the user agent did not fix it, try to make the call via a server instead of making the call from inside Chrome. A normal browser may be interpreted as spammy.
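
Added example, not written by any participant in this thread and not Patreon's code: in the OAuth2 authorization-code flow the authorize URL is opened by the user's own browser as a top-level navigation, so the backend only answers with a 302 and later checks the callback. The sketch uses a standard-library WSGI app in place of Flask. The `/login` and `/callback` routes, `CLIENT_ID`, `REDIRECT_URI` and the `PENDING_STATES` store are assumptions made for illustration, and `state` is the standard OAuth2 parameter from RFC 6749.

```python
import secrets
from urllib.parse import parse_qs, urlencode

AUTHORIZE_URL = "https://www.patreon.com/oauth2/authorize"  # endpoint from the thread
CLIENT_ID = "YOUR_CLIENT_ID"                       # placeholder
REDIRECT_URI = "https://app.example.com/callback"  # placeholder; must match the registered URI
PENDING_STATES = set()  # demo only; a real app ties state to the user's session


def build_authorize_url(state):
    # urlencode percent-encodes redirect_uri, which string concatenation does not.
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,  # standard OAuth2 anti-CSRF parameter (RFC 6749)
    })


def handle(path, query_string=""):
    """Return (status, headers, body) for one request."""
    text = [("Content-Type", "text/plain")]
    if path == "/login":
        # Reach this by a link, form or window.location. An XMLHttpRequest
        # would follow the 302 to patreon.com as a cross-origin request.
        state = secrets.token_urlsafe(32)
        PENDING_STATES.add(state)
        return "302 Found", [("Location", build_authorize_url(state))], b""
    if path == "/callback":
        query = parse_qs(query_string)
        code = query.get("code", [""])[0]
        state = query.get("state", [""])[0]
        if not code or state not in PENDING_STATES:
            return "400 Bad Request", text, b"missing code or unknown state"
        PENDING_STATES.discard(state)  # single use
        return "200 OK", text, b"code received; exchange it server-side"
    return "404 Not Found", text, b"not found"


def app(environ, start_response):
    """WSGI entry point (Flask apps are WSGI too)."""
    status, headers, body = handle(environ.get("PATH_INFO", ""),
                                   environ.get("QUERY_STRING", ""))
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 5000, app).serve_forever()
```

Only the later code-for-token exchange is a server-to-server HTTP call; the authorize page itself is meant to be rendered to the user by Patreon, not fetched by the backend.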