I am passing the user_read scope to /oauth2/authorize, and the scope is provided to the callback URL after authorization by the user.
But when retrieving an OAuth token, the scope array is empty, and I cannot use the returned token to read the user information. A call to https://api.twitch.tv/kraken shows no scopes either.
On the other hand, this works with the implicit authorization flow.
EDIT:
Repro case:
- Create an application.
- Use the code flow to request auth with no scopes.
- Request auth with different scopes, e.g. user_read.
- No scopes are returned with the OAuth key.
- Delete the app from your Connections: https://www.twitch.tv/settings/connections
- Request auth with user_read scope.
- OAuth key has correct scopes.
It seems that the scopes get “frozen” after auth is requested once, and the user has to delete the app connection to request more scopes.
Since my application originally requested no scopes, I could not request the user_read scope. After deleting the app from my connections, it works.
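A client-side check for the mismatch described above, as an added example that is not part of the original post: it compares the scopes requested at /oauth2/authorize with the scopes actually carried by the token response, so an under-scoped token is caught before it is used. The `scope` and `access_token` field names and the sample response bodies are assumptions constructed for illustration.

```python
import json


def parse_scopes(value):
    """Normalize a scope field: JSON array (as in the post) or an
    RFC 6749 space-delimited string. None means the field was absent."""
    if value is None:
        return None
    if isinstance(value, str):
        return set(value.split())
    if isinstance(value, list) and all(isinstance(s, str) for s in value):
        return set(value)
    raise ValueError("unexpected scope field: %r" % (value,))


def missing_scopes(requested, token_response_body):
    """Return the requested scopes that the issued token does not carry."""
    body = json.loads(token_response_body)
    if "access_token" not in body:
        raise ValueError("no access_token in token response")
    granted = parse_scopes(body.get("scope"))
    if granted is None:
        # RFC 6749 section 5.1: scope may be omitted only when it is
        # identical to what the client requested.
        return set()
    return set(requested) - granted


# Constructed sample bodies (assumed shape, not captured from the API).
FROZEN = '{"access_token": "constructed-token", "scope": []}'
FRESH = '{"access_token": "constructed-token", "scope": ["user_read"]}'

if __name__ == "__main__":
    for label, body in (("frozen grant", FROZEN), ("fresh grant", FRESH)):
        gap = missing_scopes(["user_read"], body)
        if gap:
            print(label, "-> token lacks", sorted(gap),
                  "- the user must re-authorize the app")
        else:
            print(label, "-> all requested scopes granted")
```
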