Cannot get banned users - Forbidden 403

Hi,

Because we have to comply with the new Twitch policy, we need to know if the user is banned/timed out for our extension.

As far as I understood, we need to get this information on our own by using the:

https://dev.twitch.tv/docs/api/reference#get-banned-users API

But to use this API we need a token with the moderation:read scope.
We can get this token like this:

So I have two curls:

First, getting the token with OUR_ID and OUR_SECRET.

curl -X POST "https://id.twitch.tv/oauth2/token?client_id=OUR_ID&client_secret=OUR_SECRET&grant_type=client_credentials&scope=moderation:read"

This seems to work; I get the answer (MY_TOKEN is the generated token):

{"access_token":"MY_TOKEN","expires_in":4961206,"scope":["moderation:read"],"token_type":"bearer"}

Now I use MY_TOKEN and OUR_ID to make the API call for banned users for a channel:

curl -H 'Client-ID: OUR_ID' -H 'Authorization: Bearer MY_TOKEN' -X GET 'https://api.twitch.tv/helix/moderation/banned?broadcaster_id=241303739'

But I always get:

{"error":"Forbidden","status":403,"message":""}

What am I missing here?

Thanks
Ringo

App Access Tokens (which you get from the client_credentials flow) are the wrong type of token. They’re not associated with any particular channel as they are generated by an app.

You need a User Access Token, and the user whose private information you wish to access has to be the one to go through your OAuth flow and explicitly grant your app the permission to access data with the moderation:read scope.

The Auth Code Flow docs will guide you through the process: https://dev.twitch.tv/docs/authentication/getting-tokens-oauth#oauth-authorization-code-flow

Ok, this is a lot of work for us, because we do not have a redirect URL endpoint on our server.

But I still do not get when the user has to grant permissions. I mean the streamer, who has already installed the extension, now needs to give our extension permission for moderation:read, right? When will this show up?

Send the user you want to authenticate to your registered redirect URI

At which point are we doing that?

Do the streamers have to reinstall the extension?

We did not need the API until now; all the information we need is in the decrypted JWT token, except for this.

Once the user has installed your extension, you will need to create a link on the configuration page that will send them through your OAuth flow, and until they have done so you should restrict functionality to comply with extension guidelines (So you could still continue to display things, but anything that would require checking if the user is banned or not should be disabled until the broadcaster grants you permission).
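The two replies above describe sending the broadcaster through the authorization code flow from a link on the configuration page. The sketch below is an added example, not code from the posters or from Twitch: it builds that link with an anti-CSRF `state`, checks the redirect before trusting its `code`, and shows how the response of Twitch's token validation endpoint tells a usable User Access Token apart from the App Access Token that produced the 403. The function names and the `example.invalid` redirect URI are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://id.twitch.tv/oauth2/authorize"
SCOPE = "moderation:read"


def build_authorize_link(client_id, redirect_uri):
    """Return (url, state) for the link on the extension configuration page."""
    state = secrets.token_urlsafe(32)  # anti-CSRF value; keep it in the broadcaster's session
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "response_type": "code", "scope": SCOPE, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Return the authorization code from the redirect, or raise if it cannot be trusted."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect was not started by this session")
    if "error" in params:  # the broadcaster declined the permission prompt
        raise PermissionError(params["error"][0])
    if "code" not in params:
        raise ValueError("redirect carries no authorization code")
    return params["code"][0]


def token_request_fields(client_id, client_secret, code, redirect_uri):
    """Form fields for the server-side POST to https://id.twitch.tv/oauth2/token."""
    return {"client_id": client_id, "client_secret": client_secret, "code": code,
            "grant_type": "authorization_code", "redirect_uri": redirect_uri}


def can_read_bans(validate_json, broadcaster_id):
    """Decide from the https://id.twitch.tv/oauth2/validate response whether this
    token may be used for /helix/moderation/banned on broadcaster_id."""
    # An App Access Token is not tied to a user, so it has no matching user_id here.
    scopes = validate_json.get("scopes") or []
    return validate_json.get("user_id") == broadcaster_id and SCOPE in scopes


if __name__ == "__main__":
    # Constructed values: OUR_ID and the redirect URI are placeholders.
    link, state = build_authorize_link("OUR_ID", "https://example.invalid/twitch/callback")
    print(link)
    print(code_from_callback(f"https://example.invalid/twitch/callback?code=abc&state={state}", state))
```

The token exchange needs the client secret, so it belongs on the backend only; the extension front end should only ever see the result of the ban check.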

Wow, this is very complicated.

I mean all we have to do is permit actions when a user is banned/timed out to comply with policy 7.5, but to get this information we have to implement all these mechanisms and even an “authenticated” flag now.

Is there maybe another way on the roadmap to do so? For example, it would be nice to set a configuration in my extension console like “Deactivate my extension when user is banned”. This would be an easy way to comply with the 7.5 policy. Twitch could also set this to default on, so when a user is banned/timed out the panel/component will be disabled. When there are really extensions that like to work even with banned users, they could set this option to off and do the handling on their own.

Or just put a banned=true/false in the JWT token.

There is a Uservoice feature request for moderation to act the same way as subscriptions https://twitch.uservoice.com/forums/310213-developers/suggestions/39910141-copy-subscription-support-for-channel-moderation-s

Basically, for subscriptions because the channel explicitly chooses to allow/deny an extension access to their subscriber list, you can use an App Access Token (which you can generate without a website, or any action from the user) to get that list of subscribers on that channel. For moderation though there currently is no toggle for a streamer to grant your extension that same functionality, so going through the full authentication flow is currently the only way.

If you want to see that feature added you can vote for that suggestion linked, as Twitch use that site to determine what features are highly requested and if there are valid use cases for them to be developed.


@Dist
Thanks for your help!

I will check this out.
