[RESOLVED] API token invalidated when second client authenticates as same user

I’m testing a mobile app that uses the Patreon API, and I’ve noticed that every time I go through the OAuth flow on a device, other tokens for that user are invalidated (requests return 401). This means that, if a user has connected Patreon on one device and later connects Patreon (using the same Patreon account) on a second device, the first device no longer has access, and they must go through the process again.

I attempted to use the refresh token on a second device to reauthenticate without bothering the user, but the API returned “invalid_grant”, perhaps indicating that the refresh token had also been invalidated.

Is this expected behavior? Is there a way to use Patreon’s OAuth implementation to allow users to switch between devices and not have to manually re-connect to Patreon every time?

For anyone encountering this: I eventually got a response from Patreon via email:

The reason for this is that users can have one access token per client. We recommend storing the token in a central server using the web OAuth flow, and then pushing that token to the devices that need it.

I replied with this:

Thanks for the info. Is that restriction an intentional limitation (i.e. part of the OAuth standard), or a quirk of Patreon’s implementation? Is it likely to ever be relaxed?

As I’m sure you’re aware, in order to safely retrieve a user’s Patreon bearer token from my server, I’d have to build my own auth layer. Until this point, I have found it quite convenient to store the bearer token in the client and not worry about implementing my own user accounts just yet, because I only need the Patreon token to filter the content that my API user can access; the API itself is public.

Given that context, is there any alternative approach you would recommend?

and got this in response:

While it’s not part of the strict OAuth standard, it is a practice that we’ve found most effective for keeping our users’ data secure.

We do not support device-based OAuth at this time, only the browser-based flow.

We would like to support device-based OAuth flows like what you’re suggesting, but sadly have no plans to do so right now. When we do, you can be sure we’ll be loud in our developer communities about the change.

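As an added example (not code from the thread, Patreon's reply, or any Patreon SDK), the Python below models the behaviour described above with a constructed stand-in for Patreon's token endpoint (`FakePatreonAuth`, one live grant per client and user, refresh token dying with it) and shows the recommended central-store pattern as a hypothetical `TokenBroker` that performs the web flow once and lets every device use that single grant. The broker keeps the bearer token server-side rather than pushing it to devices, a stricter variant of the advice in the email; token values and class names are assumptions for illustration.

```python
import secrets

class FakePatreonAuth:
    """Constructed stand-in for Patreon's token endpoint: each (client_id, user)
    pair has one live grant; a new authorization invalidates the old access AND refresh token."""
    def __init__(self):
        self.live = {}           # (client_id, user) -> current grant
        self.access_owner = {}   # access token -> (client_id, user)
        self.refresh_owner = {}  # refresh token -> (client_id, user)

    def authorize(self, client_id, user):
        key = (client_id, user)
        old = self.live.get(key)
        if old:  # second authorization for the same client+user kills the first
            self.access_owner.pop(old["access"], None)
            self.refresh_owner.pop(old["refresh"], None)
        grant = {"access": secrets.token_hex(8), "refresh": secrets.token_hex(8)}
        self.live[key] = grant
        self.access_owner[grant["access"]] = key
        self.refresh_owner[grant["refresh"]] = key
        return dict(grant)

    def refresh(self, client_id, refresh_token):
        key = self.refresh_owner.get(refresh_token)
        if key is None or key[0] != client_id:
            raise PermissionError("invalid_grant")  # what the second device saw
        return self.authorize(*key)

    def api_call(self, access_token):
        return 200 if access_token in self.access_owner else 401

class TokenBroker:
    """Hypothetical central server: holds a single Patreon grant per user and hands
    devices only a broker session, so no device can re-run the OAuth flow and
    clobber the grant another device relies on (bearer token never leaves the server)."""
    def __init__(self, patreon, client_id):
        self.patreon, self.client_id = patreon, client_id
        self.grants = {}    # Patreon user -> grant kept server-side
        self.sessions = {}  # device session -> Patreon user

    def connect_device(self, user):
        if user not in self.grants:  # only the first device triggers the web flow
            self.grants[user] = self.patreon.authorize(self.client_id, user)
        session = secrets.token_hex(8)
        self.sessions[session] = user
        return session

    def call(self, session):
        grant = self.grants[self.sessions[session]]
        return self.patreon.api_call(grant["access"])
```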