How to obtain OAUTH for our app users?

We don't want users to have to go to a website with an oauth generator and have to copy and paste it into our app (which needs an oauth for chat/bot functionality). How can we retrieve it for them? From what I have read, the OAUTH can be extracted from the “OAUTH Redirect URL” after they log in with twitch credentials, but we cannot find it even after successful redirect after login. We have even tried adding the API 5 scope of “chat_login”.

You need to follow the oAuth dance documentation here

You need to redirect people to twitch
Then exchange the returned (query string (depending on method/token type)) code for an oAuth token

We are already doing the dance, and everything works, except we don’t get back an OAuth token. We get an “access code” that doesn’t work, but the codes we get from the tmi OAuth generator DO work. Here is the code

    const request = require("request"); // HTTP client used for the calls below

    let responseStr = "https://id.twitch.tv/oauth2/authorize?response_type=code&token+id_token&client_id=" + twitchCltId + "&redirect_uri=" + redirectUri + "&scope=chat_login+viewing_activity_read+openid+user:read:email+bits:read&state=" + randState;

    // At the redirect uri:
    if (req.query.state == randState && req.query.code) {
        const code = req.query.code;
        // Exchange the authorization code for tokens
        request({
            uri: "https://id.twitch.tv/oauth2/token?client_id=" + twitchCltId + "&client_secret=" + twitchSecret + "&grant_type=authorization_code&redirect_uri=" + redirectUri + "&code=" + req.query.code,
            method: "POST",
            timeout: 10000,
            followRedirect: true,
            maxRedirects: 10
        }, function(error, response, body) {
            // Todo: Validate the response id_token

            var jsonResponse = JSON.parse(body);
            var idToken = jsonResponse["id_token"];
            var accessToken = jsonResponse["access_token"];
            var refreshToken = jsonResponse["refresh_token"];

            // Look up the user the access token belongs to
            var postUrl = "https://api.twitch.tv/helix/users";
            var options = {
                method: 'GET',
                url: postUrl,
                timeout: 10000,
                headers: {
                    "Authorization": "Bearer ".concat(accessToken)
                }
            };
            request(options, function(error,response,body){
                // Store in the db
                console.log("res: ", response);
                if(error) {
                    console.log("error in request", error);
                    res.send(error);
                    return
                }
                var jsonResponse = JSON.parse(body);
                var userData = jsonResponse.data[0];
                // ... (the posted code ends here)
            });
        });
    }

That's an interesting group of scopes and tokens.

I think the problem here is that you’ve requested this mixture.

  • chat_login - 99% of the time you probably shouldn’t be grabbing that
  • viewing_activity_read - This is for VHS, only certain devs have access to that
  • openid / user:read:email - save your sanity, pull one or the other; if you are user:read:email then openid is redundant and you can drop the id_token from the request
  • bits:read - No comment, just completing the list

There is a bug in your request:

    let responseStr = "https://id.twitch.tv/oauth2/authorize?response_type=code&token+id_token&client_id=" + twitchCltId + "&redirect_uri=" + redirectUri + "&scope=chat_login+viewing_activity_read+openid+user:read:email+bits:read&state=" + randState;

Has response_type=code&token+id_token which is wrong

response_type should be one of:

  • code
  • token
  • id_token
  • token+id_token
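As an added example (not code from the thread or from Twitch), this sketch builds the authorize URL with exactly one `response_type`, audits an existing URL for the stray `token+id_token` parameter described above, and checks the returned `state` in constant time. The function names and the `KNOWN_PARAMS` list are hypothetical, chosen to match the parameters that appear in the thread's URL.

```javascript
// Added example, not code from the thread. Node.js standard library only.
const crypto = require("crypto");

const AUTHORIZE_URL = "https://id.twitch.tv/oauth2/authorize"; // endpoint used in the thread
// The four response_type values listed in the answer ("+" in a query string is an encoded space).
const RESPONSE_TYPES = new Set(["code", "token", "id_token", "token id_token"]);
// Assumption: the app sends only the parameters that appear in the thread's URL.
const KNOWN_PARAMS = new Set(["response_type", "client_id", "redirect_uri", "scope", "state"]);

// Build the authorize URL; URLSearchParams encodes every value, so nothing is pasted in raw.
function buildAuthorizeUrl({ clientId, redirectUri, scopes, responseType, state }) {
  if (!RESPONSE_TYPES.has(responseType)) throw new Error("unsupported response_type: " + responseType);
  const params = new URLSearchParams({
    response_type: responseType,
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: scopes.join(" "),
    state,
  });
  return AUTHORIZE_URL + "?" + params.toString();
}

// Report malformed query parameters in an already-built authorize URL.
function auditAuthorizeUrl(url) {
  const issues = [];
  const params = new URL(url).searchParams;
  const types = params.getAll("response_type");
  if (types.length !== 1 || !RESPONSE_TYPES.has(types[0])) {
    issues.push("response_type must appear exactly once with a supported value");
  }
  for (const [key, value] of params) {
    if (!KNOWN_PARAMS.has(key)) {
      issues.push("unexpected parameter: " + JSON.stringify(key) + (value === "" ? " (no value)" : ""));
    }
  }
  return issues;
}

// Per-login random state, and a constant-time check for the value returned to the redirect URI.
const newState = () => crypto.randomBytes(16).toString("hex");

function stateMatches(expected, received) {
  if (typeof expected !== "string" || typeof received !== "string") return false; // repeated ?state= parses as an array
  const a = Buffer.from(expected);
  const b = Buffer.from(received);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}
```

Run against the URL from the question, `auditAuthorizeUrl` reports `token id_token` as a separate parameter with no value, which is how the server sees `response_type=code&token+id_token`.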

Thanks! Those things fixed it!

Outstanding.

What responseStr did you use in the end out of interest?

We used “code” and removed the redundancy you mentioned.
