400 grant_type malformed on refresh

I’m trying to refresh my token in my C# application but I get an error 400 with

"{\"error\":\"Bad Request\",\"status\":400,\"message\":\"The parameter \\\"grant_type\\\" was malformed: value must be one of \\\"authorization_code\\\", \\\"password\\\"\"}"

The way I am doing the request is the same as getting the first authorization.
The code I’m using:

    private bool Reauthorize(string token, out string oicf, out string id)
    {
        WebRequest request = WebRequest.Create("https://api.twitch.tv/api/oauth2/token");
        request.Method = "POST";
        request.ContentType = "application/x-www-form-urlencoded";
        // Form body up to "client_secret="; the secret itself is appended as raw bytes below.
        byte[] buffer = Encoding.ASCII.GetBytes($"grant_type=refresh_token&client_id=dhpfs0eg1zy0u0dbp3mc90pa3px2dr&refresh_token={token}&client_secret=");
        byte[] scrtBuffer = ProtectedData.Unprotect(GetSecret(), new byte[] { 0, 1, 9, 2, 8, 3, 7, 4, 7, 5, 6, 3, 2 }, DataProtectionScope.CurrentUser);
        request.ContentLength = buffer.Length + scrtBuffer.Length;
        using (Stream requestStream = request.GetRequestStream())
        {
            requestStream.Write(buffer, 0, buffer.Length);
            requestStream.Write(scrtBuffer, 0, scrtBuffer.Length);
            // Zero the decrypted secret as soon as it has been written.
            Array.Clear(scrtBuffer, 0, scrtBuffer.Length);
        }
        WebResponse response = request.GetResponse();
        // ... (the rest of the method is not shown in the post)
    }

Should be:

    WebRequest request = WebRequest.Create("https://api.twitch.tv/kraken/oauth2/token");

According to: https://dev.twitch.tv/docs/authentication#refreshing-access-tokens

To refresh, use this request:

    curl -X POST https://api.twitch.tv/kraken/oauth2/token
        &refresh_token=<your refresh token>
        &client_id=<your client ID>
        &client_secret=<your client secret>

I missed that, thanks! Still don’t get why they use two different endpoints which are named the same but reside in different directories.

As general advice, use HttpClient instead of WebRequest.

HttpClient uses strings, I like my sensitive data to not stay in memory for a random amount of time until the garbage collector decides it’s time to clean them up. (see the way the client_secret is handled).
If I’d done that I could just save it in plain text…

StreamContent is the answer. No strings attached.
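An added example, not code from any poster in this thread: one way to send the refresh request through HttpClient while keeping the client secret out of managed strings. It uses ByteArrayContent, which wraps the given array without copying it (StreamContent over a MemoryStream on the same array behaves the same way); the class name, method name and parameters are hypothetical, and the secret is assumed to be URL-safe ASCII.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;

static class TokenRefresh // hypothetical helper, not part of the original post
{
    static readonly HttpClient Http = new HttpClient();

    // secret: raw client_secret bytes (e.g. from ProtectedData.Unprotect); zeroed before returning.
    // Assumption: the secret is URL-safe ASCII, so it needs no percent-encoding.
    public static async Task<string> RefreshAsync(string clientId, string refreshToken, byte[] secret)
    {
        byte[] prefix = Encoding.ASCII.GetBytes(
            "grant_type=refresh_token" +
            "&client_id=" + Uri.EscapeDataString(clientId) +
            "&refresh_token=" + Uri.EscapeDataString(refreshToken) +
            "&client_secret=");
        byte[] body = new byte[prefix.Length + secret.Length];
        // Pin before the secret is copied in, so the GC cannot relocate the
        // buffer and leave a stale copy of the secret elsewhere on the heap.
        GCHandle pin = GCHandle.Alloc(body, GCHandleType.Pinned);
        try
        {
            Buffer.BlockCopy(prefix, 0, body, 0, prefix.Length);
            Buffer.BlockCopy(secret, 0, body, prefix.Length, secret.Length);
            using (var content = new ByteArrayContent(body))
            {
                content.Headers.ContentType = new MediaTypeHeaderValue("application/x-www-form-urlencoded");
                using (HttpResponseMessage response =
                           await Http.PostAsync("https://api.twitch.tv/kraken/oauth2/token", content))
                {
                    response.EnsureSuccessStatusCode();
                    // The JSON response carries the new tokens and is returned as a string.
                    return await response.Content.ReadAsStringAsync();
                }
            }
        }
        finally
        {
            // Runs on success and on failure: wipe every copy this method controls.
            Array.Clear(body, 0, body.Length);
            Array.Clear(secret, 0, secret.Length);
            pin.Free();
        }
    }
}
```

Buffers that HttpClient and the TLS layer allocate internally while sending are outside the caller's control, so this narrows the secret's lifetime in memory rather than guaranteeing removal.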
