How do you terminate a twitch OAuth session

I am trying to figure out how to comply with the API’s token validation requirements. From https://dev.twitch.tv/docs/authentication/validate-tokens: "the expectation is that your app should sign out the user and terminate the OAuth session"

How do you terminate a user’s OAuth session? I thought logging the user out on my application’s end would be enough, but I have run into some strange behavior. I logged into my application through twitch, and then manually logged out. After creating a new account which is not connected to twitch at all, the old twitch cookies including one called session still persisted in my application.

All you can do here is revoke the access token.

What you observed is you clicked the link to login with Twitch.
Twitch went “the connection is still active” and granted a new access token.
And it transparently authed.

A full disconnect only occurs if the user goes to their settings/connections page and revokes from there.

You would need to use force_verify to allow the user to switch accounts

Revoking the access token (or just not storing it at all and forgetting about it) is all you need to do here.


Thanks for the response!

My application allows users to register with just an email and a password with no connection to twitch. When I created a new account, I was logged into my twitch account in the web browser, but I did not use the login with twitch button. Do you have an idea why the twitch cookies would persist? I am fairly new to web development, so I am not sure why Twitch’s cookies will show up on some routes in my website and not in others.

Regarding the expectations for how an application handles the user disconnecting a connection/integration, how would Twitch be able to differentiate between an application not storing and forgetting about an access token and an application storing but not utilizing an access token and not calling /validate as required every hour when auditing applications?

If you do not use a “login with twitch”/“link my twitch account to website account” how are you getting an oAuth token?

So I’m not sure what Twitch Cookies you refer to.

What cookies are appearing. Seems things are very confused here.

If you get audited by Twitch.

What is written is best practice/operational advice.

After some further investigation, I found that the twitch cookies were a result of embedding twitch into my application.

From Validating Tokens | Twitch Developers again:
WARNING Twitch periodically conducts audits to discover applications that are not validating access tokens hourly as required. If your app shows up in an audit, Twitch will reach out to you to resolve the issue. If the issue is not resolved, Twitch reserves the right to take punitive action, such as revoking the developer’s API key or throttling the application’s performance.

Based on this warning, it seems like any application not in compliance would get a warning, and though of course I could follow Twitch’s specific recommendations/fixes after that happens, I might accidentally miss the warning email/message from Twitch. I am trying to implement the hourly validate calls, but I am having issues figuring out which users’ keys need validation as I am not sure what constitutes a user being in an OAuth session.

If the only thing you do is embed Twitch, there is nothing to validate.

The validating tokens thing only applies if you follow anything on Authentication | Twitch Developers to get an oAuth Token from a user.

From what you have written, it sounds like you do not do anything to get an oAuth token from a user, so there is nothing for you to validate or revoke.

I am getting an OAuth token from a user. I also embed Twitch on top of that which caused the confusion with the cookies, but I still have a login with twitch feature.

Ah yeah.

That token needs to be checked periodically.

The cookies from embeds you have no control over

I am trying to implement these periodic checks, and I am currently going through all users logged in to my application and calling validate on their tokens. However, logging out of my application does not invalidate the tokens which makes sense as I am not calling revoke on the tokens at the moment. I do not want to have to call validate on every single logged out user, so is calling revoke on a user’s OAuth token that is being generated when the user logs in with twitch enough to not have to validate on that user’s token (until they log in to my application again of course)?

A user’s token normally obtained via a “normal” oAuth flow (which is code flow) only has 4 hours of lifetime on it.
So you only really need to validate if you are accessing users’ data when they are “offline” which occurs when you make an API request for that data anyway. (course you may have a refresh token to use here but if you don’t retain that you can’t use it anyway). And it sounds like since you don’t do user actions on behalf of the user when not using your app. And on login to the app you fetch a brand new token, you don’t need to validate tokens for logged out users, as it sounds like you don’t retain those tokens on file.

Yes if you revoke the token when they logout, you don’t have a token to use to validate with.

In my opinion:

So really, you only need to do a validate check when the user loads a page on your website, since if you don’t retain the user’s access token in a database and it’s only retained in session.

You’ll “lose” the token when the session expires, or the user logs out (as you destroy the session)


Thank you for the clarification!
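The approach the replies above arrive at (keep the token only in the session, validate when a page loads but at most hourly, revoke on logout), as an added example that is not part of the original thread. The session keys, function names and the injectable `send` transport are assumptions; the two endpoints are Twitch's `/oauth2/validate` and `/oauth2/revoke`.

```python
# Added example: session keys and function names are assumptions, not Twitch's code.
import time
import urllib.error
import urllib.parse
import urllib.request

VALIDATE_URL = "https://id.twitch.tv/oauth2/validate"
REVOKE_URL = "https://id.twitch.tv/oauth2/revoke"
VALIDATE_INTERVAL = 3600  # seconds; Twitch asks for hourly validation


def http_status(url, headers=None, form=None):
    """Real transport: GET, or POST when form is given; returns the HTTP status."""
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_session(session, now=None, send=http_status):
    """Call on each page load. Returns True if the user stays signed in."""
    token = session.get("twitch_token")
    if token is None:
        return True  # email/password account: nothing to validate
    now = time.time() if now is None else now
    last = session.get("validated_at")
    if last is not None and now - last < VALIDATE_INTERVAL:
        return True  # already validated within the last hour
    status = send(VALIDATE_URL, headers={"Authorization": f"OAuth {token}"})
    if status == 401:
        session.clear()  # token revoked or expired: sign the user out
        return False
    if status == 200:
        session["validated_at"] = now
    return True  # other statuses (e.g. 5xx): keep the session, retry next load


def logout(session, client_id, send=http_status):
    """Revoke the token at Twitch, then destroy the local session."""
    token = session.get("twitch_token")
    if token is not None:
        send(REVOKE_URL, form={"client_id": client_id, "token": token})
    session.clear()
```

Because the token lives only in the session, a logged-out user has no token left to validate, which matches the conclusion of the thread.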