Extensions requesting oAuth from viewers

Hi guys,

Just looking for some confirmation from the Twitch team in regards to Twitch extensions requesting oauth from the viewers (not within the config).

I’ve read numerous threads that are a few years old that cite

Extensions may not request or require OAuth permissions from extension viewers.

And the guidelines document https://dev.twitch.tv/docs/extensions/guidelines-and-policies/ however it doesn’t appear that line now features in the guidelines.

Does this mean we can now request oauth from viewers in extensions?

Hi @tom_dev, we do not have a policy restricting OAuth in an Extension for viewers. :+1:

Thanks @jbulava, do this mean from overlay extensions we’re able to redirect off to a separate oauth flow, redirecting back to the extension (i believe we’d have to redirect back into the extension EBS instead of directly back into the extension?)

Video/Component overlay extensions, at time of writing, cannot link out at all. (There are exceptions to this rule)

But yes the correct flow would be

  • Link out (making a new window)
  • Users clicks yes/no
  • User is redirect back to your EBS
  • EBS handles final steps of oAuth

@BarryCarlyon what would the exceptions be?

To give some context: we’d be optionally allowing users to oauth with our internal platform which allows preferences around games to be set and analytic tracking across the other applications they may be accessing the service from.

Borderlands 3 extension and Amazon Blacksmith have working Links on video extensions, I do not.

That’s the exception to the rule. (The Exceptions are entity’s not ways that other entities can link out).

@BarryCarlyon @jbulava ok so its more of just a “who you are” kind of thing.

Does this mean then unless we’ve got explicit permission from Twitch the above mentioned user flow for oauth wouldn’t get accepted as an extension?

If Twitch haven’t specifically allowed your video overlay or component view to have a whitelisted link, then that link will simply be blocked by the iframe. So your extension could maybe still go through review but the OAuth link in the video view will never work as it wasn’t whitelisted.

It also won’t work in testing/hosted test (may in localtest *citation not provided), so you extension would get rejected due to broken functionality.