App Access Tokens (which you get from the client_credentials flow) are the wrong type of token. They’re not associated with any particular channel as they are generated by an app.
You need a User Access Token, and the user whose private information you wish to access has to be the one to go through your OAuth flow and explicitly grant your app the permission to access data with the moderation:read scope.
Ok, this is a lot of work for us, because we do not have a redirect URL endpoint on our server.
But I still do not get when the user has to grant permissions. I mean, the streamer who has already installed the extension now needs to give our extension permission for moderation:read, right? When will this show up?
Send the user you want to authenticate to your registered redirect URI
At which point are we doing that?
Do the streamers have to reinstall the extension?
We did not need the API till now; all the information we need is in the decrypted JWT token, except for this.
Once the user has installed your extension, you will need to create a link on the configuration page that will send them through your OAuth flow, and until they have done so you should restrict functionality to comply with extension guidelines (So you could still continue to display things, but anything that would require checking if the user is banned or not should be disabled until the broadcaster grants you permission).
I mean all we have to do is permit actions when a user is banned/timed out to comply with policy 7.5, but to get this information we have to implement all these mechanisms and even an “authenticated” flag now.
Is there maybe another way on the roadmap to do so? For example, it would be nice to set a configuration in my extension console like “Deactivate my extension when user is banned”. This would be an easy way to comply with policy 7.5. Twitch could also set this to on by default, so when a user is banned/timed out the panel/component will be disabled. When there really are extensions that want to work even with banned users, they could set this option to off and do the handling on their own.
Basically, for subscriptions because the channel explicitly chooses to allow/deny an extension access to their subscriber list, you can use an App Access Token (which you can generate without a website, or any action from the user) to get that list of subscribers on that channel. For moderation though there currently is no toggle for a streamer to grant your extension that same functionality, so going through the full authentication flow is currently the only way.
If you want to see that feature added you can vote for that suggestion linked, as Twitch use that site to determine what features are highly requested and if there are valid use cases for them to be developed.
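The flow discussed in this thread, as an added example that is not code from any poster or from Twitch: a backend builds the configuration-page link for the moderation:read grant, validates the redirect with a single-use `state` value, and keeps ban-sensitive actions disabled until the broadcaster has granted the scope. The function names, the in-memory maps and the `ebs.example` redirect URI are assumptions; the token exchange and the banned-users lookup are left to the caller.

```javascript
// Added example. Hypothetical names: buildAuthorizeLink, checkCallback,
// canPerformAction, pendingStates, grants. Storage is in-memory for brevity.
const { randomBytes } = require('node:crypto');

const AUTHORIZE_URL = 'https://id.twitch.tv/oauth2/authorize';
const REQUIRED_SCOPE = 'moderation:read';

// Link to show on the extension configuration page for this broadcaster.
function buildAuthorizeLink(clientId, redirectUri, channelId, pendingStates) {
  const state = randomBytes(16).toString('hex'); // unguessable, per request
  pendingStates.set(state, channelId);           // bind state to the channel
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code',
    scope: REQUIRED_SCOPE,
    state,
  }).toString();
  return url.toString();
}

// Run on the redirect URI handler before exchanging the code for a
// User Access Token (server-side POST to https://id.twitch.tv/oauth2/token).
function checkCallback(query, pendingStates) {
  const channelId = pendingStates.get(query.state);
  if (channelId === undefined) return { ok: false, reason: 'unknown_state' };
  pendingStates.delete(query.state);             // single use: blocks replay
  if (query.error) return { ok: false, reason: query.error, channelId };
  if (!query.code) return { ok: false, reason: 'missing_code', channelId };
  return { ok: true, code: query.code, channelId };
}

// Fail closed: without a stored grant carrying the scope, the ban status is
// unknown, so ban-sensitive actions stay disabled for everyone.
function canPerformAction(channelId, userId, grants, bannedUserIds) {
  const grant = grants.get(channelId);
  if (!grant || !grant.scopes.includes(REQUIRED_SCOPE)) return false;
  return !bannedUserIds.has(userId);
}
```

`bannedUserIds` is expected to be filled from the banned-users endpoint using the broadcaster's User Access Token once the grant exists.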