Twitch OAuth returning stale scopes when using Authorization Code Flow

In our application we ask for minimal scopes (user_read) when we authenticate users, but for certain users we want to get additional permissions.

Recently we stopped being able to retrieve additional permissions via the OAuth2 Authorization Code Flow.

I have an example application running here: https://rocky-cliffs-76630.herokuapp.com/

Source code is here: https://github.com/lpetre/twitch-auth-issue/tree/master#issue

We’ve had to stop trying to request additional scopes in our live app due to this issue. We believe something in the API changed on December 10th.

The Implicit Grant Flow does not appear to have the same issue.

Any assistance would be appreciated.

I might be having a related issue: No scopes are returned after POST /oauth2/token

Except I cannot access any scopes, even ones requested initially. Again, it works with the implicit flow.

EDIT:
I have a repro case:

  1. Create an application.
  2. Use the code flow to request auth with no scopes.
  3. Request auth with different scopes e.g. user_read.
  4. No scopes are returned with the OAuth key.
  5. Delete the app from your Connections: https://www.twitch.tv/settings/connections
  6. Request auth with user_read scope.
  7. OAuth key has correct scopes.

It seems that the scopes get “frozen” after auth is requested once, and the user has to delete the app connection to request more scopes.

Thanks for the report! This should be fixed. Let me know if it isn’t.
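A client can catch the condition reported in this thread by comparing the scopes in the token response with the scopes it requested, instead of assuming the grant matches the request. The following is an added example, not code from the thread or from Twitch; the function names, the sample responses and the second scope name `channel_read` are assumptions made for illustration.

```python
# Added example: classify a token response against the scopes that were requested.

def granted_scopes(token_response):
    """Return the granted scopes as a set, or None if there is no scope field.

    Accepts a JSON array as well as the space-delimited string of RFC 6749.
    """
    raw = token_response.get("scope")
    if raw is None:
        return None
    if isinstance(raw, str):
        return set(raw.split())
    return {str(s) for s in raw}


def check_grant(requested, token_response):
    """Return (status, missing_scopes).

    "ok"         every requested scope was granted
    "stale"      a scope field came back but lacks some requested scopes
    "unverified" no scope field at all; RFC 6749 allows omitting it when the
                 grant equals the request, but this check refuses to assume
                 that (a deliberately strict choice for this example)
    """
    requested = set(requested)
    granted = granted_scopes(token_response)
    if granted is None:
        return "unverified", sorted(requested)
    missing = requested - granted
    return ("ok", []) if not missing else ("stale", sorted(missing))


# Constructed sample responses (not captured from Twitch); tokens are placeholders.
SAMPLES = [
    ("first login", ["user_read"],
     {"access_token": "PLACEHOLDER", "scope": ["user_read"]}),
    ("upgrade, old grant returned", ["user_read", "channel_read"],
     {"access_token": "PLACEHOLDER", "scope": ["user_read"]}),
    ("no scopes returned", ["user_read"],
     {"access_token": "PLACEHOLDER", "scope": []}),
    ("scope field absent", ["user_read"],
     {"access_token": "PLACEHOLDER"}),
]

if __name__ == "__main__":
    for label, requested, response in SAMPLES:
        status, missing = check_grant(requested, response)
        print(f"{label}: {status} missing={missing}")
```

On a "stale" or "unverified" result, the application should keep treating the user as holding only the previously confirmed scopes and not enable the features that depend on the additional ones.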
