Patreon oauth login stopped working


#1

45 minutes ago, the call at the very end of the oauth flow to fetch user details began throwing 401s. Nothing changed on my side, I’ve been using the same code for months now

I need a resolution ASAP.


#2

So I think I found the source of the issue, but I’m still having issues.

On https://www.patreon.com/portal/registration/register-clients when I clicked on my key for more details, it showed the Creator’s Access Token as expired. I refreshed it, which generated a new creator’s access token.

Unfortunately, this still has not resolved the issue and logins are still failing.

Feel free to log in at https://www.pokebattler.com/user


#3

So development broke at the same time. It definitely seems like you broke something around 7:30pm pacific time.

Creating new client IDs and secrets for both dev resolved the issue. Prod I will know in a few minutes, but I assume it will work as well.

This kind of problem is not acceptable for a payment provider. It also is not clear how to escalate issues.


#4

We are also seeing sudden failures on our OAuth endpoint without any code changes on this side.

We make a request like this: https://www.patreon.com/oauth2/authorize?scope=pledges-to-me%20users&state=…&redirect_uri=…&response_type=code&client_id=…

And now Patreon is redirecting to our callback url with an “invalid_scope” error.

Perhaps there has been a change to the accepted way to send multiple scopes in a request?


#5

I’m also experiencing this issue with my app Improved Initiative. The code I’m using to make the OAuth calls is viewable on GitHub. Hoping for a resolution soon, let me know if I can provide any additional info.

Update: As @celandro discovered, creating new client ID and secrets seems to fix the issue. Interestingly, the new tokens are a completely different format from the old ones.


#6

I have also just noticed my login flow returning an error.
Did this require deleting your existing client and creating a new one?


#7

Also completely broken here, any new users are created simply as ‘patreon_’ with no other info brought in, and the created user has no access to any content, regardless of the settings in the plugin.

Whatever you did a few hours back please reverse it :slight_smile:
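An added example, not code from any poster in this thread or from Patreon, of the client side of the flow described in #4 together with the fail-closed provisioning that would have avoided the empty ‘patreon_’ users described in #7. The authorize endpoint, scope names and error values are taken from the thread; the JSON:API-style identity body and the two HTTP callables (exchange_code, fetch_current_user) are assumptions.

```python
from urllib.parse import urlencode, quote, urlparse, parse_qs
# Endpoint, scopes and error names are from the thread; the JSON:API-style
# identity body (data.id / data.attributes) and the HTTP callables are assumed.
AUTHORIZE_URL = "https://www.patreon.com/oauth2/authorize"
class OAuthError(Exception):
    """Any failure that must abort login instead of creating a partial user."""
def build_authorize_url(client_id, redirect_uri, scopes, state):
    # Scopes are one space-separated string (RFC 6749 s3.3); quote_via=quote
    # encodes that space as %20, the form used in the thread's request.
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote)

def parse_callback(callback_url, expected_state):
    """Return the auth code or raise; state is checked before error/code."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if not expected_state or q.get("state") != expected_state:
        raise OAuthError("state mismatch")
    if "error" in q:  # e.g. error=invalid_scope, as reported in the thread
        raise OAuthError(f"provider returned error={q['error']}")
    if not q.get("code"):
        raise OAuthError("redirect carried neither code nor error")
    return q["code"]

def provision_user(fetch_current_user, access_token):
    """Build the local account only from a complete identity response; a 401
    (the thread's symptom) aborts instead of creating an empty 'patreon_'."""
    status, body = fetch_current_user(access_token)
    if status == 401:
        raise OAuthError("identity fetch rejected with 401")
    if status != 200:
        raise OAuthError(f"identity fetch failed with HTTP {status}")
    data = body.get("data") or {}
    if not data.get("id"):
        raise OAuthError("identity response has no user id")
    return {"username": f"patreon_{data['id']}",
            "email": (data.get("attributes") or {}).get("email")}

def login_from_callback(callback_url, expected_state, exchange_code,
                        fetch_current_user):
    """Handler shape: {'ok': True, 'user': ...} or {'ok': False, 'reason': ...}.
    Count the reasons; a burst of invalid_scope or 401 is the operator alert."""
    try:
        code = parse_callback(callback_url, expected_state)
        token = exchange_code(code)  # token-endpoint call supplied by caller
        return {"ok": True, "user": provision_user(fetch_current_user, token)}
    except OAuthError as exc:
        return {"ok": False, "reason": str(exc)}
```

Counting the `reason` values per minute is what turns a silent outage like this one into a pageable signal on the app side.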


#8

@codebard @tal Might wanna take a look at this.


#9

The only thing I can note is that the default scope changed quite radically, though I can’t find anything about this in the docs. I can’t find any documentation on scopes at all, actually.

I sort of hoped I would be able to access only /api/current_user with identity as scope, but I still get a 401. Seems like the type of major breaking change you’d tell your developers about…


#10

Seeing issues with patreon oauth here as well, which is quite urgent and preventing people from retrieving their rewards.


#11

Hey y’all. We’re looking into this and will hopefully have a fix out today. Super sorry this happened, and we’ll keep you posted.


#12

:heartpulse: love you phil


#13

I can confirm that this fixes the issue.


#14

Hi all, we’re so sorry for this breakage. We did not intend to deploy breaking changes, especially without communication.

We believe we mitigated the issue but some weirdnesses from the falloff will still occur. I deeply apologize for what happened, we’ll be adding more safety guards to make sure such a thing will not happen again.


#15

We just solved all the weirdness and falloff.

I deeply apologize again, we’re gonna make sure this never happens again. If there are any issues you think are related to this, please comment here and we will look into them.


#16

What is the proper escalation path for this? How can we get this resolved earlier next time? At what time were you aware there was a problem?


#17

We were aware of it around 10 hours ago (at time of writing).
As for escalation paths, we do not yet have good channels to do it, but for now it is possible to get a hold of me personally via the unofficial API Discord channel (https://discord.gg/PcjZ7aF).

EDIT: We just made #urgent-help channel (direct link: https://discord.gg/dCvEWqY) that will ping me personally. We will monitor the usage and based on abuse levels, we could make it an official real time path that will escalate to our team.
This is considered an experiment, and if we see any abuse we will be more reluctant to keep it.


#18

I’ll join it. In general you may want to consider a status and incident history page like https://www.cloudflarestatus.com/

I’ll join the channel. I get alerted by my users very quickly. I had 2 alerts within an hour of downtime and could have alerted you about 8 hours before you found out about it.


#19

Would this have affected the Patreon Wordpress plugin, preventing users from accessing pledge-locked content? Because I had a few reports of that and I am trying to track it down.


#20

Yep. If the API goes down, every implementation which uses the API goes down…