OAuth | Notion

Overview

The purpose of having OAuth details on an SSS feed is to allow the feed to contain exclusive content.

The technical problem OAuth helps us solve is that creators upload their content to a Hosting Provider (eg: Taddy Ink), but consumers use a different app (eg: Inkverse) to view content. Therefore, if a creator wants to have exclusive content that is only available to their Patreon backers, how do Taddy and Inkverse work together to verify that only paid users can access exclusive content? We use an OAuth workflow to do so.

Taddy Ink (Hosting Provider) and Inkverse (Client App) are used as examples but can be replaced with any alternative conforming to the SSS open specification.

Our OAuth workflow can be summarized as OAuth with one additional step. That one additional step is to make one more request to get a content token. The content token gives you access to content for a specific comic.

<aside> 💡 Follow along with this example:

Our Test comic, Larry’s Lullaby, is free to read. However, to access the latest 3 episodes of the comic you have to be a Patreon backer of Daniel Mathews ($1 tier, but there is a 7 day free trial). Follow the steps below to be able to view the latest 3 episodes:

Sign up as a developer. Then, go to the Taddy OAuth section to create a client application (including adding your application name, logo, and callback URL).
Open a new tab, in your browser and go to patreon.com. Log into your Patreon account. Next, go to Daniel Mathews’ Patreon account and click ‘Join for free’ to become a free Patreon backer. (This will give you exclusive access to last 3 episodes of Larry’s Lullaby)
Use the authorizeUrl (see Taddy’s OAuth details below) and read the authorizeUrl documentation below to format the required URL parameters appropriately (Step 1 of OAuth).
Make a POST request to the tokenUrl endpoint. Use the authorization code you got in Step 1 along with your client secret to get an access and refresh token (Step 2 of OAuth)
Make a POST request to the newContentTokenUrl endpoint. Use the access token you got from Step 2 and the comic series uuid to get a content token for exclusive content from this series.
Now that you have a content token, you can append that content token to view any of the images in exclusive episodes. Append using the url parameter: ?token=contentToken. Paid episodes and will have scopesForExclusiveContent:["patreon] property.

oauth: {
  signupUrl: '<https://taddy.org/developers/signup>',
  authorizeUrl: '<https://taddy.org/fans/authorize>',
  tokenUrl: '<https://taddy.org/auth/oauth2/token>',
  newAccessTokenUrl: '<https://taddy.org/auth/oauth2/new_access_token>',
  newRefreshTokenUrl: '<https://taddy.org/auth/oauth2/new_refresh_token>',
  newContentTokenUrl: '<https://taddy.org/auth/oauth2/new_content_token>',
  instructionsUrl: '<https://taddy.org/developers/instructions>',
  publicKey: '-----BEGIN PUBLIC KEY-----XYZ----END PUBLIC KEY-----'
},

Important notes for the Example above:

Larry Lullaby’s creator uses Taddy Ink to host their comic. The creator is trusting Taddy Ink to verify that any user who gets access to their exclusive episodes has verified themselves as a Patreon backer.
Your app needs to get a token to access exclusive content. To do so, the fan must verify with ‘Login with Patreon.’ on Taddy Ink’s website.
Your app doesn't need to implement Patreon OAuth, that is done by Taddy Ink.
The exchange and access tokens your app gets back from Taddy Ink are tokens for Taddy Ink, not Patreon. In the future, we may implement more payment platforms like Patreon.
Once you have a content token, you can view exclusive episodes by appending it to any image URLs that require a token to access them. </aside>

OAuth Properties

Endpoints needed for the OAuth workflow

`Property`	`Type`	`Description`
signupUrl	String	The url to sign up for a client_id and client_secret
authorizeUrl	String	The 1st step in OAuth. The url to get an authorization code.
tokenUrl	String	The 2nd step in OAuth. The url to exchange an authorization code for an access token and a refresh token.
newAccessTokenUrl	String	Once you have a refresh token, you can exchange it for a new access token
newRefreshTokenUrl	String	Once you have a refresh token, you can exchange it for a new refresh token
newContentTokenUrl	String	Once you have an access token, you can exchange it for a new content token
instructionsUrl	String	Additional instructions from the Hosting provider.
publicKey	String	Public Key from the hosting provider you can use to verify that all tokens are from them.

signupUrl

The URL to sign up and get a client_id and client_secret and register your callback_url. See instructionsUrl if you need more instructions.

authorizeUrl

The 1st step in OAuth. Send the end user to this URL address to verify they have paid for exclusive content.

Example of what an authorizeUrl looks like eg) Taddy Ink

Append these URL parameters to the authorizeUrl: