Auth flow confusion (extended or rather resolved?!)

Ok guys, I think you might need to help me out here again!
(As you already did a couple of times so excellently, so thanks a lot in advance for it!)

However, yesterday I stumbled over this thread, which exactly states my problem:

Even though I am able to make the technical process work (login, allowing, redirecting etc.etc.) I have the wish to understand it thoroughly, so if you could help me out here?!

To give some background information: I have a bot and a “chat rewarding” system. Given a user is a sub the “rewarding” should be higher than for normal viewers.
So far so good.

In the above mentioned thread, user Dist wrote:

Dist:
What do you mean by using a client id and secret from the channel? Client ID’s/secrets aren’t part of a channel, they come from an app which has no relation to any specific channel. I just want to make sure you’re using the correct auth flow[…]

And TreZco replied with:

TreZco:
Thanks for mentioning it, this struck me a day after. I was actually generating an app access token without thinking about it. With a client token it’s all good, thank you!

Unfortunately it hasn’t struck me yet :confused: ^^.
How am I able to differentiate when which auth flow has to be used?
Please, don’t tell me only “when user, …/when app”. Tell my HOW am I able to see this myself(In the docs, the API, anything)?! What information have I missed?

Especially at the very beginning https://dev.twitch.tv/docs/authentication/ there is

“[…] which enables your application to take actions on behalf of a Twitch account or access certain data about a user’s account.”

So for me that means, when I want to have an information about a user/channel (e.g. if a user is subscribed to my channel) I can create an app (my bot) that checks (when a user enters my chat) if he/she is subscribed to my channel. But as it seems this does NOT work with app access tokens?!

Further down it is stated that:

(App access tokens)
Authenticate your app and allow it to access resources that it owns. Since app access tokens are not associated with a user, they cannot be used with endpoints that require user authentication.

Doing a google search on “user authenticate” of site: https://dev.twitch.tv/docs/authentication/

Led to the following which also describes the same problem (confusion) with a solution (thanks TheElm):


and as it seems I might not be the only one being confused (in addition I haven’t found more “user authentication” within the API which is also causing some of my confusion.

However, how are you guys and girls are able to figure that out yourself?
Why isn’t (on every request) stated: “user authentication required”/“no authentication required”…etc.?!
Should I/are you(?) be able to “guess” it depending on the case that I think it might be a user related information? Or is it a “trial and error thing”?! How do you make it?

Thanks a LOT for your response!!!

Just like what you quoted says, App tokens are not associated with a user so can only be used for server to server requests.

What this means is that ANY endpoint requiring a scope MUST require a User token because users are the only ones that can agree to scopes.

Even if you did try to generate an App token with scopes on it, they don’t do anything because App tokens aren’t associated with a user. For example you link a thread about subscriptions, if I generate an App token with channel:read:subscriptions scope, that doesn’t give me access to any subscriptions because it’s not tied to a channel, meaning there’s no channel that I could look at the subscriptions of anyway. I could give it the chat:edit scope which a chat bot would use… except that because it’s App token it wouldn’t have a username so can’t login and send to chat.

If you’re making any request on behalf of a user, needing to look up the user associated with a token, or are making any request that requires scopes you need a USER token. If you are making a request that you could otherwise make with just a client-id, but you want increased rate limits you need an APP access token (the only exception to this is the Get Webhooks Subscription endpoint, which REQUIRES an app access token for security reasons).

I hope that clears things up.

1 Like

99% of the time you only ever need to use

If a endpoint requires a scope, then it needs auth.

If it lists no scopes then it doesn’t

Some end points (users) will accept a userID, or tell you the user for the Auth you specified. (So the userID is optional and the error code tells you what to do)

Interrupt for Users eaxmple

A call to https://api.twitch.tv/helix/users

  • with only a ClientID will error
  • with a user oAuth will give you the user that the oAuth belongs to
  • with a clientID and a id (or login) will give you the user you asked for
  • with a user oAuth and a id (or login) will give you the user you asked for
  • with only a server oAuth with error
  • with a server oAuth and a id (or login) will give you the user you asked for

Onwards

BUT, all end points that DON’T require an oAuth, you can still specify either a user oAuth (with scopes) or a Client Credentials oAuth to benefit from higher Rate Limits

TLDR: make a request to an end point, read the error message if you get one. (if the docs for that endpoint are unclear)

OR

Join us on discord and ask Support | Twitch Developers

Hopefully that helps a little?

1 Like

Thanks a lot! Both of you, especially on having a read through my thoughts. I might give a second try of understanding after a night and consider to mb join you on discord!
Thanks so much for the support!

p.s. The scope hint is actually a VERY good, well not indicator, but point to know when or when not use user tokens as both of you pointed out! I hope this might also help others. So far thanks a lot and as mentioned before I try to thoroughly understand it after a break!! :+1:

Ahhhhh. So it means that I (as the channel owner?) has to allow my app the scope it is requesting (or kinda grant it)?! I think what might have been confusing to me is that as I(!) created the app and was therefore thinking it (is) associated with my channel anyways?! (stuipd? no? ^^)

So maybe I should change my perspective from a “dev for my channel” to a more general developer perspective?! That might do the trick… thinking

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.