Wrong return type of scope on token endpoint

Hello there,

I am experiencing an issue with the OAuth2 and especially the OIDC implementation.

The reason seems to be an invalid type of the scope value in the token response.

  1. What is actually happening?
    After getting the code from a client, one will perform a POST request to the /oauth2/token endpoint.
    The resulting response looks like this:

    {
       "access_token": "redacted",
       "refresh_token": "redacted",
       "expires_in": 3600,
       "scope": ["openid"],
       "id_token": "redacted"
    }
    
    
  2. What is documented?
    The dev.twitch.tv documentation [1] states that the resulting response should look like this:

    {
       "access_token": "redacted",
       "refresh_token": "redacted",
       "expires_in": 3600,
       "scope": "openid",
       "id_token": "redacted"
    }
    
    
  3. What should be happening?
    According to RFC6749 section 5.1 [2] first of all the implementation of the scope key-value is optional. It is only REQUIRED ([3]) when you actually grant more or less scopes than the user initially requested. However the value should follow the specs described in RFC6749 section 3.3 which would result in a space-separated(!) value for the scope [3].

This issue has already been partly addressed by [4], however it has been thought to be in the wrong place (the documentation) while it actually seems to be an implementation issue.

The result of this implementation issue is a non-conformity with the OAuth2 spec resulting in a non-conformity with the OIDC specification and thus with some OIDC clients. I, in particular, experienced this issue with Red Hat Keycloak.

Thanks,
Chris

[1] https://dev.twitch.tv/docs/authentication#oidc-authorization-code-flow-id-tokens-and-user-access-tokens
[2] https://tools.ietf.org/html/rfc6749#section-5.1
[3] https://tools.ietf.org/html/rfc6749#section-3.3
[4] Docs list incorrect type for oauth "scope" field
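Added example (not part of Chris's post, and not Twitch's, Keycloak's or any other project's code): a small client-side validator for the token response that applies the RFC 6749 rules the post cites. Section 5.1 makes "scope" OPTIONAL and identical-to-requested when absent, and section 3.3 defines its value as a single string of space-delimited scope-tokens drawn from the ABNF `1*( %x21 / %x23-5B / %x5D-7E )`. The two sample bodies are constructed from the JSON in the post (tokens redacted); the third body and the `strict=False` work-around mode are assumptions for illustration, not behaviour of any real client or server.

```python
import json
import re

# RFC 6749 section 3.3:
#   scope       = scope-token *( SP scope-token )
#   scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
# i.e. printable ASCII without space, '"' (0x22) and '\' (0x5C).
_SCOPE_TOKEN = re.compile(r'^[\x21\x23-\x5b\x5d-\x7e]+$')


class TokenResponseError(ValueError):
    """Raised when a token response violates RFC 6749 sections 3.3 / 5.1."""


def parse_scope(value):
    """Validate a scope *string* and return the set of scope-tokens it carries."""
    if not isinstance(value, str):
        # This is exactly the failure in the thread: a JSON array instead of a string.
        raise TokenResponseError(f"scope must be a string, got {type(value).__name__}")
    if value == "" or value != value.strip() or "  " in value:
        raise TokenResponseError("scope must be non-empty and delimited by single spaces")
    tokens = value.split(" ")
    for tok in tokens:
        if not _SCOPE_TOKEN.match(tok):
            raise TokenResponseError(f"invalid scope-token {tok!r}")
    return set(tokens)


def parse_token_response(body, requested_scopes, strict=True):
    """Parse a token endpoint JSON body and return (granted_scopes, downscoped).

    requested_scopes: the scopes the client sent in the authorization request.
    strict=True  -> reject a non-string "scope" (what a spec-conforming client does).
    strict=False -> hypothetical work-around: accept a JSON array of strings and
                    normalise it to the RFC string form before validating.
    """
    resp = json.loads(body)
    if "access_token" not in resp:
        raise TokenResponseError("access_token is REQUIRED (RFC 6749 section 5.1)")

    if "scope" not in resp:
        # Absent scope: the server granted exactly what was requested (section 5.1).
        return set(requested_scopes), False

    value = resp["scope"]
    if isinstance(value, list) and not strict:
        if not all(isinstance(v, str) for v in value):
            raise TokenResponseError("scope array must contain only strings")
        value = " ".join(value)

    granted = parse_scope(value)
    return granted, granted != set(requested_scopes)


def rejection_reason(body, requested_scopes, strict=True):
    """Return the validation error message for a body, or None if it is accepted."""
    try:
        parse_token_response(body, requested_scopes, strict=strict)
    except TokenResponseError as exc:
        return str(exc)
    return None


def oidc_usable(granted_scopes):
    """OIDC only applies when the 'openid' scope was actually granted."""
    return "openid" in granted_scopes


# Constructed sample bodies (tokens redacted), mirroring the two bodies in the post.
NONCONFORMING = ('{"access_token":"redacted","refresh_token":"redacted","expires_in":3600,'
                 '"scope":["openid"],"id_token":"redacted"}')
CONFORMING = ('{"access_token":"redacted","refresh_token":"redacted","expires_in":3600,'
              '"scope":"openid","id_token":"redacted"}')
# Hypothetical body: client asked for "openid user:read:email", server granted less,
# so the scope parameter is REQUIRED and must reflect the reduced grant.
DOWNSCOPED = '{"access_token":"redacted","expires_in":3600,"scope":"openid"}'

if __name__ == "__main__":
    print("conforming     :", parse_token_response(CONFORMING, ["openid"]))
    print("strict reject  :", rejection_reason(NONCONFORMING, ["openid"]))
    print("lenient accept :", parse_token_response(NONCONFORMING, ["openid"], strict=False))
    print("downscoped     :", parse_token_response(DOWNSCOPED, ["openid", "user:read:email"]))
```

The strict path is the behaviour a conforming OIDC client library exhibits against the array form: the response is rejected before the id_token is ever looked at. The lenient path shows how little the server would need to change (join the array with single spaces) for the response to satisfy section 3.3.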
