For anyone (like me) confused about the origin of that statement, it’s here: https://www.patreon.com/portal/start/oauth-explained
While many people are familiar with OAuth from things like “Login with Facebook”, it’s important to note that Patreon’s implementation of OAuth is not intended to serve as an authentication layer for third-party services, but rather as a way to “Connect” one’s Patreon user details to a preexisting account on third-party services.
Restated simply, don’t use Patreon OAuth as the primary login mechanism for your site, only as a way to Connect a user’s Patreon profile to a user profile on your site. Doing otherwise will create very serious security vulnerabilities on your site.
I don’t think that statement is particularly fair. Although true that OAuth is not an authentication protocol, it is used that way by most popular implementations and the common attack vectors are dealt with by any sensible OAuth server. The Patreon OAuth server requires whitelisting of redirect URIs, it supports passing state to prevent CSRF attacks, and each authorization_code is bound to a client to prevent injection attacks: the very serious security vulnerabilities are mitigated.
I suspect that statement was written when the Patreon platform was brand new and didn’t have any of the attack vectors mitigated, and hasn’t been updated since. Alternatively, whoever wrote that statement is an OAuth purist… but in that case everything is about compromise. This is much like writing “Accepting user input will create very serious security vulnerabilities”. That’s absolutely true, user input can cause all sorts of issues, but you can mitigate those issues with tried and true methods. Sure, in an ideal world you would never accept user input because it’s an attack vector but in the real world you probably need to accept user input… so you compromise and accept it, with the appropriate mitigations.
I’m not a security professional so perhaps there’s an aspect of this that I’m missing and I am happy to be corrected but based on the typical OAuth attack vectors (which you can read about in various blogs), and the fact that they’re mitigated by the Patreon OAuth server, I am pretty confident in suggesting you can use Patreon as your primary login mechanism without exposing yourself to major security vulnerabilities.
You can read more about OAuth not being an authentication protocol on the OAuth website, which covers aforementioned security vulnerabilities: https://oauth.net/articles/authentication/