Legality of extensions requiring viewers' OAuth permissions

Currently, the documentation states that extensions are not allowed to require any OAuth permission from viewers:

Extensions may not request or require OAuth permissions from extension viewers.

While this is simply not possible in video-overlay extensions because iframes and/or off-site linking are strictly forbidden, a link to a whitelisted non-Twitch site is still possible in panel extensions.
I understand this OAuth requirement in such a way that an extension viewer should not require any other account on any other platform to interact with the extension, so basically every viewer can use the extension without limitations.

My question is:
Does this requirement only apply to OAuth/account login processes or is simply asking the user for any personal or account information prohibited?
Examples for non-OAuth but still somehow information-requiring extension processes would be:

  • A viewer/broadcaster matchmaking extension needs to know the viewer’s game nickname/account identifier to connect everyone to the same game server.
  • A loyalty (!) extension needs to know the viewer’s Steam identifier or trading token to send or donate (not request!) items to the viewer.
  • A game-related extension wants to compare stats of the broadcaster with the viewer’s performance and needs to know the viewer’s game account name.

These are all examples where viewers’ personal data is required but which can be implemented by simply asking for text instead of a full OAuth workflow.

I just cannot see anything in these ideas that affects Twitch in a negative way and it would be cool to have a clear statement if examples like these are allowed or not.
Something like “extensions like these would most likely pass the review” is also good enough for me I guess.

2 Likes

This is huge. You guys are nuking the functionality of extensions by not allowing OAuth. Rather than being a way for streamers and developers to work together to massively extend the functionality of twitch, they’re artificially limited to just being toys.

I believe that applies to the Twitch API, not other APIs such as Steam. The statement in the docs is unclear, but we need an answer from upstairs…

1 Like

Hey Ceptoplex - Product Manager for Extensions here!

Requesting a viewer share some information to power your extension is acceptable - your example of an extension requesting the viewer’s account name in text within the extension would be fine. The oauth restriction is specifically for permission-granting flows for offsite services.

Our policies are designed to protect our users. This is an area where we want to start out conservative and once we have a better understanding of how people are using extensions, we can revisit the details of the policy. Please do let us know if the policy or product is not allowing you to do something that you think would be really cool - extensions are your product, and we want it to work for you!

1 Like

Hi Diogee - thanks for dropping in with the official response. I am not OP, but I was planning to build a donation Extension using the Steam API to donate Steam items (CS:GO skins, TF2 items, etc).

There would be some config to allow the streamer to either enter their Steam ID or simply enter their trade link. The viewer would then authorise through Steam in order to access their backpack and ultimately make the trade offer. Is this something you don’t foresee ever being allowed?

Thanks @Diogee for the detailed statement, I really appreciate that.
I think the current guidelines will fit at least my needs, but I can also imagine that the addressed specification of the rules can be necessary at some point in the future.

@tf2casperr Of course your post also discusses the third-party OAuth limitation, but I think that your idea in particular is also more of an issue with other parts of the guidelines, like e.g. …

Extensions may not transact or encourage the transacting of monetary exchange in relation to any non-Twitch/Amazon commerce instruments.

… depending on Twitch’s valuation of Steam asset/item trades being monetary exchange or not.

Hey @ceptoplex, thanks for bringing that second restriction to my attention. I do remember reading it, but it didn’t cross my mind that Steam trading would violate it. Now that you mention it I can definitely see how Twitch may consider it against that particular rule, so the official response on that will be much appreciated.

A loyalty (!) extension needs to know the viewer’s Steam identifier or trading token to send or donate (not request!) items to the viewer.

If you don’t mind sharing - how were you thinking of achieving this without OAuth taking place? I am aware of the ability to create a trade offer link, but how would that enable the donor to choose items or anything like that from within the Extension?

I am aware of the ability to create a trade offer link, but how would that enable the donor to choose items or anything like that from within the Extension?

In that example the viewer only receives items from the extension, he does not give any to the extension.
Therefore the user does not have to authorize himself but only provide the trade URL so the extension can actually transfer anything.
Hope this helps?

In that example the viewer only receives items from the extension, he does not give any to the extension.

The viewer would not be receiving items in the donation flow, the streamer would. An Extension would not be required for the streamer to provide a donation, you can just put that in a regular panel. Were you imagining any functionality beyond a way for the streamer to display their trade link which then redirects the viewer to the trade interaction on a Steam URL?

Obviously, we’re talking about different things.

I tried to explain what my example was about: A loyalty extension that rewards viewers by donating items to them. You seem to keep asking me about implementation details for a viewer-to-streamer donation extension which is not what my example was about. So I am sorry, I cannot give any clarification for that because it’s something different. Of course for the thing you keep asking about some kind of viewer authentication is required.

You may as well want to create a new topic for that or continue the conversation outside this thread before it gets too off-topic if you want to know more about the way to go for the extension you are looking to build. :slight_smile:

So we can neither request Twitch API or Steam ID oAuth? Granted both would need to fire a popup or link offsite which is all the things extensions want to prevent.

It would also seem that we can’t suggest to users to “go to the broadcaster’s forum/website” to link these accounts together either (my first extension was blocked due to a link to the broadcaster’s own website, even though when I explicitly asked “someone at Twitch” if that was ok, I was told it was, but that’s a different story altogether).

Either way it’s a tough dimension to work in (300px x 500px) so I’d probably never shove oAuth in there, but I would direct to the EBS/backend service in order to provide a way for users to link accounts, which ought to be permitted under the “needs to do this in order to function” rule. But I have ways around this rule, since we’ve been sending people offsite from chat for ages to link accounts… So I have a fair tonne of SteamIDs on file for $caster_viewers

I’m not saying allow us to fire popups willy-nilly, but allow us to send users off Twitch to the EBS and back.

Hello, I have a similar issue right now and I hope to get an answer on whether this is allowed or not.

For an extension I need the streamer to authenticate with Bungie using oAuth 2.0. As this is not possible using the config portion of the extension, I plan to use a self-hosted setup-site which will put the needed tokens in my EBS’s database. I use this on the EBS side to query and cache Destiny 2 data that I will then provide to the extension’s front-end.

Is this allowed?
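The setup-site flow described above (third-party tokens kept only in the EBS database, viewers fed cached data) as an added Python example, not code from the original thread or from Twitch: the EBS verifies the Twitch extension JWT (HS256 over the base64 extension secret) to learn which channel and role is calling, binds the third-party OAuth token to that channel only when the caller has the broadcaster role, and serves viewers a cached view that never contains the token. The secret, tokens and cached data are constructed placeholders; the Bungie OAuth exchange itself is not shown.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for the extension's base64 secret from the dev console (not a real one).
EXTENSION_SECRET_B64 = base64.b64encode(b"example-secret-not-real").decode()

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _hs256(secret_b64, signing_input):
    return hmac.new(base64.b64decode(secret_b64), signing_input.encode(), hashlib.sha256).digest()

def sign_extension_jwt(claims, secret_b64):
    """Mint an HS256 JWT shaped like the ones Twitch issues to extensions (used to build input here)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{body}"
    return f"{signing_input}.{_b64url(_hs256(secret_b64, signing_input))}"

def verify_extension_jwt(token, secret_b64, now=None):
    """Return the claims if algorithm, signature and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64url(header)).get("alg") != "HS256":
            return None  # refuse 'none' or any other algorithm
        if not hmac.compare_digest(_hs256(secret_b64, f"{header}.{body}"), _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
        if claims.get("exp", 0) <= (time.time() if now is None else now):
            return None
        return claims
    except ValueError:  # malformed split, base64 or JSON all land here
        return None

# EBS database stand-ins: the third-party token lives only here, never in the frontend.
_broadcaster_tokens = {}  # channel_id -> third-party OAuth access token
_cached_views = {}        # channel_id -> derived data that is safe to hand to viewers

def link_broadcaster_account(ext_jwt, third_party_token, secret_b64=EXTENSION_SECRET_B64, now=None):
    """Setup-site callback: bind the token to the calling channel, but only for the broadcaster role."""
    claims = verify_extension_jwt(ext_jwt, secret_b64, now)
    if claims is None or claims.get("role") != "broadcaster":
        return False
    _broadcaster_tokens[claims["channel_id"]] = third_party_token
    _cached_views[claims["channel_id"]] = {"linked": True}  # a real EBS would cache fetched game data
    return True

def viewer_data(ext_jwt, secret_b64=EXTENSION_SECRET_B64, now=None):
    """Frontend endpoint: any valid role gets the cached view; the token itself is never returned."""
    claims = verify_extension_jwt(ext_jwt, secret_b64, now)
    return None if claims is None else _cached_views.get(claims["channel_id"])
```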

It is allowed in the config.

oAuth is NOT allowed for VIEWERS. But is allowed for Broadcasters in the Config.

Extensions may not request or require OAuth permissions from extension viewers.

Oh! That’s good news. Thank you for clarifying :slight_smile:

Just remember to put the oAuth destination/portal URL in the config whitelisted URLs list

1 Like