[SOLVED] Help automatically refreshing tokens?

I’m an OAuth newb, but I’m a fairly experienced PHP developer. I’m trying to make a page that automatically displays the names (first name and last initial) of our Patreon supporters at a particular tier (like a “Thank You For Your Support” page), by querying them from the API. That way, if someone becomes a patron, they can immediately show up without us having to update the list manually.

I’ve made the script and it works perfectly… for a month. After that, the tokens expire and it doesn’t want to refresh them. I’m using code that I’m fairly confident should work, but I’m getting an "[error] => invalid_grant" response when I try to refresh the tokens.

Based on this comment (https://github.com/Patreon/patreon-php/issues/2#issuecomment-225395363) I think the answer might be that I’m not using the “Log in with Patreon” button, and getting the “code” response from it. Makes sense, because it’s just a PHP script and doesn’t use that button at all.

But the whole point of my implementation is that the user shouldn’t have to “log in” at all or “grant access”, it should just be a list of names for all to see. Will this concept not work with Patreon’s API design? Or is there a way to do what I’m attempting, without having to go through a permission button each time?

Thanks for your help!

I’m not from Patreon, but I’ve got a lot of OAuth experience.

The flow works like this:

  1. User ‘logs in’. This is a redirect to the OAuth server (Patreon), passing the Client ID in the URL. The user is asked by Patreon if they give permission to access the data (aka log in). The user clicks yes.
  2. The user is redirected back to the origin site, with an authorization code in the URL. This code is an acknowledgement that Patreon has been granted permission by the user to supply the origin website with their data. So now the origin website must request an access token, using that authorization code. This is done through a POST request (not a redirect) to the OAuth (Patreon) server. The origin website sends its client ID to identify itself, its client secret to authenticate itself, and the authorization code to receive permission to get that user’s data. The OAuth server (Patreon) then returns an access token and a refresh token.
  3. When the access token expires, the origin server POSTs a request for a new access token, passing the refresh token to show previous authentication and permission. The OAuth server then returns a new access token and refresh token. This third step continues indefinitely, until/unless someone removes access etc.

Refreshing your token requires a POST request to:

POST www.patreon.com/api/oauth2/token
    ?grant_type=refresh_token
    &refresh_token=<the user's refresh_token>
    &client_id=<your client id>
    &client_secret=<your client secret>

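As an added example (not code from either poster or from Patreon), here is step 3 above as a small Python helper that a scheduled script can call before each API query: it refreshes while the token is still valid, stores the rotated refresh token immediately, and treats `invalid_grant` as "go back to step 1". It assumes the standard OAuth 2.0 JSON token response (`access_token`, `refresh_token`, `expires_in`) and takes the HTTP transport as a parameter so it can be exercised offline; the `store` dict, `margin` and `http_post` names are this example's own.

```python
import json
import time
import urllib.parse
import urllib.request

# Token endpoint named in the answer above.
TOKEN_URL = "https://www.patreon.com/api/oauth2/token"

class ReauthorizationRequired(Exception):
    """invalid_grant: the refresh token is dead; only a new 'log in' (step 1) fixes it."""

def build_refresh_request(refresh_token, client_id, client_secret):
    """Form-encoded body for the refresh call. Sending the secret and refresh
    token in the body rather than the URL keeps them out of proxy/server logs."""
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return TOKEN_URL, body

def http_post(url, body):
    """Real transport: POST the form body, return the raw response bytes."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.read()

def refresh_if_needed(store, client_id, client_secret, post=http_post,
                      now=None, margin=7 * 86400):
    """store: dict with access_token, refresh_token, expires_at (unix seconds).
    Refreshes once within `margin` seconds of expiry, saves the rotated pair and
    returns a live access token. Assumes a standard OAuth 2.0 JSON token response
    (access_token, refresh_token, expires_in); `post` is injectable for tests."""
    now = time.time() if now is None else now
    if store["expires_at"] - now > margin:
        return store["access_token"]
    url, body = build_refresh_request(store["refresh_token"], client_id, client_secret)
    resp = json.loads(post(url, body))
    if resp.get("error") == "invalid_grant":
        raise ReauthorizationRequired("refresh token expired or revoked")
    if "error" in resp:
        raise RuntimeError("token endpoint error: %s" % resp["error"])
    # The server returns a new refresh token alongside the new access token and
    # the old one is spent, so persist both before using either.
    store["access_token"] = resp["access_token"]
    store["refresh_token"] = resp["refresh_token"]
    store["expires_at"] = now + int(resp["expires_in"])
    return store["access_token"]
```

Persist `store` to a file the web server cannot serve (outside the document root) and run the script from cron well inside the month so the refresh always happens before expiry.
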
Hi @Edgeworks! You’ll need to send the refresh request before the token expires, i.e. within a month of getting the token. Please feel free to reach out if you have more issues!