Invalid Authorization Token

intoxicated_penguin · November 10, 2019, 9:44pm

I’m trying to get an access token after a user goes to the application authentication page saying they allow my app to use their info etc etc. Then it redirects the oauth request to my server, http://intox.us:8080/twitch_authorized/, where I then want to get an access code using the code returned. However, the code returned is giving me an invalid authorization code. Any idea why?
I’m trying to follow along with the OAuth Authorization Flow as specified by here I am using Postman to make a POST using the printed link to see the response easier.

app.get('/twitch_authorized/', async function(req,res){
    console.log(req.query.code)
    // now we need access token
    console.log(`https://id.twitch.tv/oauth2/token?client_id=${TWITCH_CLIENT_ID}&client_secret=${TWITCH_CLIENT_SECRET}&code=${req.query.code}&grant_type=authorization_code&redirect_uri=http://intox.us:8080/twitch_oauth/`)
})

BarryCarlyon · November 10, 2019, 9:46pm

You followed the documentation for a server to server token.

You need to follow the user token flow:

intoxicated_penguin · November 10, 2019, 9:51pm

I linked the wrong thing, I’m pretty sure what you linked is what I actually followed. When I make my post requests etc I am using the params specified by that.

BarryCarlyon · November 10, 2019, 9:51pm

Whats the URL you use to send the user to Twitch?

intoxicated_penguin · November 10, 2019, 9:55pm

https://id.twitch.tv/oauth2/authorize?client_id=t8wfy4c3pq9sqtna4bjytbmy9al17z&redirect_uri=http://intox.us:8080/twitch_authorized/&response_type=code&scope=user:read:broadcast

BarryCarlyon · November 10, 2019, 10:01pm

That looks correct.

The only error I see is in your OP you specify one redirectURI and in your last message, you use a different redirecURI.

So I don’t see any code issues here.

Your op code doesn’t have a res.send() so it’s just gonna hang there.

Is that all the code for that function/route?

intoxicated_penguin · November 10, 2019, 10:03pm

Well I send it to a different redirectURI because I want to do something different once I get the access token. Once I get the access token I want to get the person who authenticateds’ username so I can make a webhook to subscribe to the event of them broadcasting, so I want different code to run than in the /twitch_authorized/ route. I’ve got more code but it’s all commented out because I can’t do anything with the invalid token. Could I have just saturated my personal tokens or something so the new ones aren’t valid?

intoxicated_penguin · November 10, 2019, 10:11pm

Yeah that must’ve been it or something, after waiting a little bit it went through.

BarryCarlyon · November 10, 2019, 10:14pm

shrug

Multiple redirectURI’s is new. But in the token exchange you should use the same redirect_uri.

Steps are

someone comes to your site and hits login
You send some to Twitch, they accept the connection

They come back to you with a code, to the specified redirectURI in the outbound redirect/link, in step 2.
You use that code with the same ClientID and redirectURI to get an access token, via server to server HTTP Post (not a redirect to the token exchange URL).
Then you use the access token as you need to.

Thats it.

Theres no redirect after that, so you attempting to use two redirectURI’s in the flow doesn’t make sense here

system · December 10, 2019, 10:14pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.