Howdy all! I’m running into some issues when trying to use grant_type refresh_token to retrieve an id_token from id.twitch.tv. Is this not a supported use case? I get a successful response from the oauth2/token endpoint, but the body does not include an id_token. Here’s the code (node.js + request) and output:
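// Parameters for a refresh_token grant against the Twitch token endpoint.
// NOTE(review): buildUrl() below places every field, including client_secret
// and refresh_token, in the query string of the request URL. URLs tend to be
// recorded by proxies and access logs; sending the fields in the POST body
// (request's `form` option) keeps them out of those records. Confirm the
// endpoint accepts a form-encoded body before switching.
let params = {
  client_id: client_id,
  client_secret: client_secret,
  // NOTE(review): encodeURI() leaves reserved characters such as & = + as-is,
  // so it does not make a value safe inside a query string, and it would
  // double-encode if buildUrl() escapes values itself. Verify against buildUrl().
  refresh_token: encodeURI(refresh_token),
  grant_type: "refresh_token",
  scope: "openid",
  // In OAuth 2.0, response_type is a parameter of the authorization endpoint,
  // not of the token endpoint.
  response_type: "id_token+code" // not sure if required, or helpful??
};
let twitchTokenUrl = buildUrl("https://id.twitch.tv/oauth2/token", params);
// NOTE(review): this line writes the live client_secret and refresh_token to
// stdout. Outside a throwaway test, log only the endpoint or redact the query.
console.log("posting: " + twitchTokenUrl);
request.post({
  url: twitchTokenUrl,
  json: true,
  headers: {'User-Agent': 'My-Cool-Appname'}
}, (err, reqRes, data) => {
  // A transport failure leaves data undefined; report it instead of printing
  // an empty "response".
  if (err) {
    console.error("twitch token request failed");
    console.error(err);
    return;
  }
  console.log("twitch token response");
  // NOTE(review): data holds a fresh access_token and refresh_token, so this
  // dump is as sensitive as the URL above. OpenID Connect Core allows a
  // refresh response to omit id_token.
  console.log(data);
});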
yields =>
posting: https://id.twitch.tv/oauth2/token?client_id=R3D4CT3D&client_secret=R3D4CT3D&refresh_token=R3D4CT3D&grant_type=refresh_token&scope=openid&response_type=id_token
twitch token response
{ access_token: 'R3D4CT3D',
expires_in: 13628,
refresh_token: 'R3D4CT3D',
scope: [ 'openid' ],
token_type: 'bearer' }
On the other hand, this flow works great and does exactly what I want when I provide an authorization_code from an authorize redirect flow instead:
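// Parameters for an authorization_code grant against the Twitch token endpoint.
// NOTE(review): as built below, client_secret and the authorization code travel
// in the URL query string. The code is meant to be used once, but the client
// secret is long-lived; sending the fields in the POST body (request's `form`
// option) keeps them out of URL logs. Confirm the endpoint accepts that.
let params = {
  client_id: client_id,
  client_secret: client_secret,
  code: accessCode, // retrieved from a twitch authorize redirect page
  grant_type: "authorization_code",
  redirect_uri: "https://my_cool_redirect.uri"
};
let twitchTokenUrl = buildUrl("https://id.twitch.tv/oauth2/token", params);
// NOTE(review): prints the client_secret and authorization code to stdout;
// log only the endpoint or redact the query outside a throwaway test.
console.log("posting: " + twitchTokenUrl);
request.post({
  url: twitchTokenUrl,
  json: true,
  headers: {'User-Agent': 'My-Cool-Appname'}
}, (err, reqRes, data) => {
  // reject comes from an enclosing Promise that this excerpt does not show.
  if (err) return reject(err);
  console.log("got token from twitch:");
  // NOTE(review): data includes access_token, refresh_token and id_token;
  // treat this output as credential material.
  console.log(data);
}); // the original excerpt omitted this closing parenthesis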
yields =>
posting: https://id.twitch.tv/oauth2/token?client_id=R3D4CT3D&client_secret=R3D4CT3D&code=R3D4CT3D&grant_type=authorization_code&redirect_uri=https://my_cool_redirect.uri
got token from twitch
{ access_token: 'R3D4CT3D',
expires_in: 15797,
id_token: 'eyJh.R3D4CT3D._84A', // THIS is what I am missing when using grant_type refresh_token
refresh_token: 'R3D4CT3D',
scope: [ 'openid' ],
token_type: 'bearer' }
However, I’d like to avoid the authorize / redirect loop if at all possible, and just use the refresh_token to get a new id_token once it has expired; else I’m not exactly sure what the refresh_token or access_token is good for.
As a side note: is there a good reason why the id_token exp claim is not congruent with the access_token expires_in field?
Thanks!