What I have learned about scopes

After spending 2 days wrangling with scopes, here’s what I have learned:


Don’t test Oauth with your main account

Your main account that you used to set up the client with, are given all scopes, regardless of what you provide in the “https://www.patreon.com/oauth2/authorize” url.

This means that parts of your application could break, as soon as you test it with a different account, even though your code is the same.


Scopes stays persistent to the account, even if you change the scopes

So if you first set the scopes as “identity identity.memberships”. Those two scopes will persist for the account even if you update the scopes to just “identity”.

This appears to be standard behaviour for Oauth, as YouTube does the same. However, it’s very confusing when you haven’t used Oauth before.

If you’re not aware of this behaviour, you may be tempted to reduce the scope to test if things break and then assuming that you don’t need those additional scopes.


You are able to revoke permissions, clearing the scopes

There is no API endpoint for this, but there is a setting for your patreon account.

You have to go to Settings > More > Connected Apps

Then look for your app and click Disconnect, followed by Revoke permissions.


The identity.memberships scope can not be used without identity

If you only use the"identity.membership" scope, when using the “https://www.patreon.com/api/oauth2/v2/identity” endpoint, you get the following error:

The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn’t understand how to supply the credentials required.

This happens to be a generic error, not specific to the Patreon API.

The confusing part is that the permissions for identity and identity.memberships overlap:

identity:
• View Patreon identity info, including full name, account status, and connected social accounts

identity.memberships:
• View Patreon identity info, including full name, account status, and connected social accounts and pledges, including status, amount, and history

This would make you assume that you only need identity.memberships.


What could Patreon do to improve the developer experience

  1. Add a flag for the authorize endpoint, such as “use_developer_scope=false”. This would not break existing applications, while ensuring that you can use your main account for testing. This should also be recommended in the documentation.

  2. Add a flag to the authorize endpoint, such as “override_scope=true”. This would result in more predictable behaviour.

  3. Either add an endpoint for revoking permissions or make it very clear in the developer documentation that this setting exists.

  4. Fix the backend issue as well as make the error list the exact scopes needed for the request you are attempting to make.

Your main account that you used to set up the client with, are given all scopes, regardless of what you provide in the “https://www.patreon.com/oauth2/authorize” url.

Yes, as that user is the creator who owns the campaign, s/he would have all the permissions to his/her own campaign.

You are able to revoke permissions, clearing the scopes

Yes, currently this is how it can be done. We dont provide a revoke endpoint at the moment, but its rather moot since any token that is not refreshed expires in 30 days.

The identity.memberships scope can not be used without identity
This happens to be a generic error, not specific to the Patreon API.

Yes, memberships derives from identity. The error involved is not a generic error, its a 401 not authorized for lack of scopes.

The confusing part is that the permissions for identity and identity.memberships overlap:

They dont really overlap, as memberships derive from identity, but the permission text for both are currently the same because of legal reasons. In near future one of them would be updated for more clarity.

Either add an endpoint for revoking permissions

That may be a good idea, yes.