OAuth2 implicit flow support?

#1

I am in the early stages of investigating whether it is possible to implement a completely static site with gated content based on Patreon pledges, using static HTML for SEO that hydrates into a JavaScript SPA for normal clients.

However, the current API docs only describe support for the OAuth2 Authorization Code Flow, which is inappropriate for a SPA since that makes the client ID and secret…not so secret. :wink:

Is it possible to communicate with Patreon’s API using the OAuth2 Implicit Flow (wanted to check in case it’s supported, but undocumented)? If not, please consider this a feature request.


#2

…so given the utter lack of response, I take it this isn’t currently possible. :upside_down_face:

To expand it as a feature request: I would love it if the API supported gathering a limited or obfuscated collection of data via the OAuth2 Implicit Flow. I don’t think it would be a good idea to expose user data (as the request could be coming from anywhere, so it’s hard to ensure the originator isn’t phishing or similar). However, if the API provided some type of non-identifiable information that allowed checking for pledge membership, that would be incredibly helpful.

There are lots of ways you could approach this, but all that I would need would be some way to verify that the logged-in user is a patron, given a campaign ID. Non-identifiable information such as the pledge details and/or monetary amount would also be incredibly helpful.

So an example flow would be:

  • User attempts to access protected content in the SPA.
  • SPA directs the user to the Patreon OAuth login.
  • After logging in, Patreon directs the user back to the SPA with an access token.
  • SPA uses the access token to fetch however much of the user’s pledge information is available via the Patreon API (requested against a specific campaign ID, which I would need to gather beforehand via the full API or otherwise).
  • Optionally: after a short duration, the access token expires.

I would also be perfectly happy if the API returned completely non-identifiable information about the pledge (for instance, a hash representing the pledge rather than any information such as ID, pledge amount, etc.), as long as I could look up those hashes beforehand via the full API (for instance, when my app is building it could query the Patreon full API, gather all pledge hashes, and store them statically for the SPA to reference).

Thanks for considering this! I’m pretty sure I’m a fairly extreme edge case, but being able to enable pseudo-membership powered by Patreon on a statically hosted site would be amazing. :slight_smile:

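As an added example (not code from the original thread or from Patreon's API), here is the client-side half of the flow sketched in the post above, assuming a standard RFC 6749 implicit-grant redirect; the authorize endpoint, client ID, redirect URI, scope name and token values are assumptions, since Patreon documents no such flow. It also shows the two checks the poster's concern about unverifiable callers calls for on the SPA side: binding the callback to the browser session with `state`, and tracking the short token expiry the post lists as optional.

```javascript
// Added example: a SPA consuming an OAuth2 implicit-flow redirect of the shape
//   https://app.example/callback#access_token=...&token_type=bearer&expires_in=3600&state=...
// Endpoint, parameter values and the sample token below are constructed, not Patreon's.

// Build the authorize URL. `state` must be an unguessable value this SPA generated
// (e.g. with crypto.getRandomValues) and stored in sessionStorage before redirecting,
// so the callback can later be tied to this session (CSRF protection).
function buildAuthorizeUrl(authorizeEndpoint, clientId, redirectUri, scope, state) {
  const u = new URL(authorizeEndpoint);
  u.searchParams.set('response_type', 'token'); // implicit grant
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('scope', scope);
  u.searchParams.set('state', state);
  return u.toString();
}

// Parse the fragment the authorization server appended to the redirect URI.
// `fragment` is window.location.hash in a browser; `now` is Date.now().
// Returns { accessToken, expiresAt } (ms since epoch, or null) or throws.
function parseImplicitRedirect(fragment, expectedState, now) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  if (params.has('error')) {
    throw new Error(`authorization failed: ${params.get('error')}`);
  }
  // Reject any callback whose state does not match what this session issued.
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch: callback was not initiated by this session');
  }
  const token = params.get('access_token');
  if (!token || (params.get('token_type') || '').toLowerCase() !== 'bearer') {
    throw new Error('redirect did not carry a bearer access token');
  }
  // Implicit-flow tokens come with no refresh token; record the expiry so the SPA
  // re-runs the flow instead of sending a dead token to the API.
  const expiresIn = Number(params.get('expires_in'));
  const expiresAt = Number.isFinite(expiresIn) && expiresIn > 0 ? now + expiresIn * 1000 : null;
  // In a browser, also scrub the token from the URL afterwards:
  //   history.replaceState(null, '', location.pathname)
  return { accessToken: token, expiresAt };
}

// True when a stored token should still be presented to the API.
function tokenIsUsable(session, now) {
  if (!session || !session.accessToken) return false;
  return session.expiresAt === null || session.expiresAt > now;
}

// Constructed sample callback fragment (not a real token).
const SAMPLE_FRAGMENT =
  '#access_token=example-token-123&token_type=bearer&expires_in=3600&state=abc123';
```

Current OAuth guidance for browser-based apps favours the authorization code grant with PKCE (RFC 7636) over the implicit grant for exactly the "no client secret in the SPA" problem the thread raises; the `state` and expiry handling above carry over to that flow unchanged.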