Patreon sends tokens (and client access grant?) twice in a row


#1

For some reason, if a user connects with my application via client access (Step 3 and 4 in the Patreon API Documentation), Patreon sends me the requested information often twice in a row a few seconds apart. This has led to some confusion in my logs and database.

The first time Patreon sends me the correct Access and Refresh Token, and 2 seconds later I get another Access and Refresh token but it is simply empty without any error present.

I’m not sure if it has to do with my server. However, this has worked for some time now as this problem emerged only recently. Has someone experienced this problem too? Any suggestions?

Thank you!


#2

The OAuth consumer flow goes like this:

  1. You (“consumer”) construct a link that can be clicked which sends the user to the provider with your configuration (Step 2 in Patreon Documentation)
  2. The user clicks on the link and is sent to the provider with your configuration
  3. The provider determines if the request is valid based on the configuration
  4. The provider prompts the user to authorise the provider to have access to their account
  5. The provider generates a single use code behind the scenes that the consumer can use to request an access token
  6. The user is redirected back to the consumer with the single use code as part of the request (Step 3 in Patreon Documentation)
  7. The consumer sends a request to the provider with the single use code and in return receives an access token which can be used for future API requests on behalf of the user (Step 4 in Patreon Documentation)

For a Patreon implementation the steps are:

  1. A user clicks on your “Login with Patreon” button and is sent to the Patreon authorise page
  2. The user approves the authorisation
  3. Patreon generates a single use code and redirects the user back to your redirect_uri with the single use code in the code parameter
  4. You send a request to POST www.patreon.com/api/oauth2/token with the single use code
  5. Patreon responds to your request with an access_token and refresh_token
  6. You store these values and do whatever your application is designed to do, usually start a session that authorises access

At no point during this process does Patreon send anything to your server, rather, they redirect the user back to your website (to the redirect_uri) and then you make a request to Patreon asking for the access_token and refresh_token from the single use code which they provide in the request response. This means that it’s not possible for Patreon to send multiple requests to your server: once they redirect the user back to your website they no longer have control over the request.

You should start by debugging what happens after the user is redirected back to your website (once they land on the redirect_uri) as it’s possible you’re then redirecting them back to Patreon again (who are then redirecting them back to you without the single use code because they’ve already authorised your application) which is causing the second empty request. If this doesn’t help you identify the issue, please share the code you’re using so that we can help track down the issue.
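To make the debugging advice above concrete, here is an added example (not code from this thread or from Patreon) of a redirect_uri handler that treats a callback without a `code`, a stale `state`, a reused single-use code, and an empty token response as separate outcomes, so a second empty hit can never overwrite the stored tokens. The `exchange` callable stands in for the POST to www.patreon.com/api/oauth2/token and is simulated here; `CLIENT_ID`, `CLIENT_SECRET` and the callback URL are placeholders.

```python
from urllib.parse import parse_qs, urlsplit

TOKEN_URL = "https://www.patreon.com/api/oauth2/token"  # step 4 of the Patreon flow


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Body of the single POST the consumer sends (standard RFC 6749 section 4.1.3 fields)."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "client_secret": client_secret,
            "redirect_uri": redirect_uri}


def handle_callback(url, pending_states, used_codes, exchange):
    """Process one GET on redirect_uri and return (outcome, tokens).

    outcome: 'ok', 'no_code' (redirected back without a code, the empty second
    hit from post #1), 'bad_state' (unknown or already-consumed state),
    'replayed_code' (single-use code seen before) or 'empty_tokens'.
    Only a fresh state plus a fresh code triggers the token request, and only a
    non-empty token pair is returned for persistence.
    """
    q = parse_qs(urlsplit(url).query)
    state = q.get("state", [None])[0]
    code = q.get("code", [None])[0]
    if state not in pending_states:
        return "bad_state", None        # state must match a link we generated
    if not code:
        return "no_code", None          # nothing to exchange; leave the DB alone
    if code in used_codes:
        return "replayed_code", None    # code already consumed
    pending_states.discard(state)       # state is single-use as well
    used_codes.add(code)
    tokens = exchange(build_token_request(code, "CLIENT_ID", "CLIENT_SECRET",
                                          "https://example.com/callback"))
    if not tokens.get("access_token") or not tokens.get("refresh_token"):
        return "empty_tokens", None     # refuse to store an empty pair
    return "ok", tokens


def fake_exchange(body):
    """Constructed stand-in for the POST to TOKEN_URL so the example runs offline."""
    assert body["grant_type"] == "authorization_code"
    return {"access_token": "at-" + body["code"], "refresh_token": "rt-" + body["code"]}
```

In a real deployment `exchange` would POST `build_token_request(...)` to `TOKEN_URL`, and `pending_states` / `used_codes` would live in the session store or database rather than in memory.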