[SOLVED] Help automatically refreshing tokens?

I’m an OAuth newb, but I’m a fairly experienced PHP developer. I’m trying to make a page that automatically displays the names (first name and last initial) of our Patreon supporters at a particular tier (like a “Thank You For Your Support” page), by querying them from the API. That way, if someone becomes a patron, they can immediately show up without us having to update the list manually.

I’ve made the script and it works perfectly… for a month. After that, the tokens expire and it doesn’t want to refresh them. I’m using code that I’m fairly confident should work, but I’m getting an “[error] => invalid_grant” response when I try to refresh the tokens.

Based on this comment (https://github.com/Patreon/patreon-php/issues/2#issuecomment-225395363) I think the answer might be that I’m not using the “Log in with Patreon” button, and getting the “code” response from it. Makes sense, because it’s just a PHP script and doesn’t use that button at all.

But the whole point of my implementation is that the user shouldn’t have to “log in” at all or “grant access”, it should just be a list of names for all to see. Will this concept not work with Patreon’s API design? Or is there a way to do what I’m attempting, without having to go through a permission button each time?

Thanks for your help!

I’m not from Patreon, but I’ve got a lot of OAuth experience.

The flow works like this:

  1. User ‘logs in’. This is a redirect to the OAuth server (Patreon), passing the Client ID in the URL. The user is asked by Patreon if they give permission to access the data (aka log in). The user clicks yes.
  2. The user is redirected back to the origin site, with an authorization code in the URL. This code is an acknowledgement that Patreon has been granted permission by the user to supply the origin website with their data. So now the origin website must request an access token, using that authorization code. This is done through a POST request (not a redirect) to the OAuth (Patreon) server. The origin website sends its client ID to identify itself, its client secret to authenticate itself, and the authorization code to receive permission to get that user’s data. The OAuth server (Patreon) then returns an access token and a refresh token.
  3. When the access token expires, the origin server POSTs a request for a new access token, passing the refresh token to show previous authentication and permission. The OAuth server then returns a new access token and refresh token. This third step continues indefinitely, until/unless someone removes access etc.

Refreshing your token requires a POST request to:

POST www.patreon.com/api/oauth2/token
    ?grant_type=refresh_token
    &refresh_token=<the user’s refresh_token>
    &client_id=<your client id>
    &client_secret=<your client secret>

Hi @Edgeworks! You’ll need to send the refresh request before the token expires, i.e. within a month of getting the token. Please feel free to reach out if you have more issues!

Sorry to open up this old thread but I’m having exactly this same problem. I’m doing exactly what Jaypan has suggested but still getting invalid grant back from the API server. My access key has not yet expired (although it’s only a day old, so perhaps that’s a problem?).

Is there a minimum refresh interval that would generate an invalid_grant if the access key is not yet in need of a refresh?

Otherwise, am I doing something wrong? I don’t want to deploy my code to a live server when it might break in a month’s time.

Thanks for any help anyone can provide!


I don’t think this has been fixed; trying to refresh a token always gives the “invalid_grant” error, no matter if it’s been a month or not.

If it has been a month, the token may already have expired. Does this happen when you try to refresh it within ~3 weeks etc?

I was having a similar problem until I discovered that Patreon’s refresh tokens are single-use. When requesting fresh tokens, be sure to update both the access_token and the refresh_token for later use.

To answer specific questions above, I am able to immediately request fresh tokens using a new refresh token. If I use the same refresh token a second time, I get the invalid_grant response.

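As an added example (not code from this thread or from patreon-php), here is a PHP refresh routine that applies the two findings above: it POSTs to the token endpoint named in the thread and then persists both the new access token and the new single-use refresh token before returning, writing the file atomically so a crash cannot leave the already-consumed refresh token on disk. The tokens.json path, its field names, the 7-day refresh window and the 30-day fallback lifetime are assumptions for the example.

```php
<?php
// Added example, not from the thread: refresh a Patreon token and store BOTH
// tokens, because each refresh token can only be used once.
// Assumed store (hypothetical path): tokens.json holding
// {"access_token": "...", "refresh_token": "...", "expires_at": <unix time>}
const TOKEN_URL  = 'https://www.patreon.com/api/oauth2/token';
const TOKEN_FILE = __DIR__ . '/tokens.json';   // hypothetical storage location

function refreshPatreonToken(string $clientId, string $clientSecret, string $refreshToken): array
{
    $ch = curl_init(TOKEN_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POSTFIELDS     => http_build_query([   // sent as a form body, not in the URL
            'grant_type'    => 'refresh_token',
            'refresh_token' => $refreshToken,
            'client_id'     => $clientId,
            'client_secret' => $clientSecret,
        ]),
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $data   = is_string($body) ? (json_decode($body, true) ?? []) : [];
    if ($status !== 200 || !isset($data['access_token'], $data['refresh_token'])) {
        // invalid_grant here usually means the refresh token was already used or has expired
        throw new RuntimeException('refresh rejected: ' . ($data['error'] ?? "HTTP $status"));
    }
    return $data;
}

function rotateTokens(string $clientId, string $clientSecret): array
{
    $stored = json_decode(file_get_contents(TOKEN_FILE), true);
    // Only refresh when expiry is near: every refresh consumes the stored refresh token
    if (isset($stored['expires_at']) && $stored['expires_at'] - time() > 7 * 86400) {
        return $stored;
    }
    $fresh  = refreshPatreonToken($clientId, $clientSecret, $stored['refresh_token']);
    $stored = [
        'access_token'  => $fresh['access_token'],
        'refresh_token' => $fresh['refresh_token'],  // the new single-use token replaces the old one
        'expires_at'    => time() + (int)($fresh['expires_in'] ?? 30 * 86400),  // fallback: "a month"
    ];
    // Write to a temp file and rename so the store is never left half-written
    $tmp = TOKEN_FILE . '.tmp';
    file_put_contents($tmp, json_encode($stored), LOCK_EX);
    rename($tmp, TOKEN_FILE);
    return $stored;
}
```

Call rotateTokens() at the top of the supporters-page script and use the returned access_token for the API query; if it throws with invalid_grant, the stored refresh token has already been consumed and the account has to be re-authorized once through the login flow.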