Let’s take Patreon for example.
I have an app in patreon that lets me log a user in and view their subscriptions.
All I really care about is IDs. If I have a relationship with another Patreon creator, I want to allow them to have some benefits, so I look for that subscription in their profile.
I want to refresh this data when they log in, the login flow is perfect for it, and I’m already asking for the permissions I need.
The majority of my problem is that I’m running a serverless PWA site. I don’t want to pay the costs of a server… But most OAuth providers out there haven’t implemented PKCE so I cannot integrate with them directly on the glass (so to speak) and I don’t have any server to get redirected to.
But you guys do! AND you have a bunch of different social connectors!
It was great news until I heard about this.
I understand that I can make YET ANOTHER application and save those creds as secrets for actions and use client_credential flow to access apis during the login flow… but that API call is very different.
I won’t be able to make queries based on the person that logged in, only data in my account.
It really just seems to be way too complicated.
Now I read the justification posted elsewhere here that says those tokens belong to Auth0, but I respectfully disagree. Those tokens belong to the app I’ve defined in Patreon, and Auth0 is using those credentials for me in the connector. You do have some responsibility to protect them… on my behalf, but not to prevent me from accessing them to shoot myself in the foot (I’ll try my best not to