Non-standard parameters in http response for response_type=token on Authorize

On opening this URL via my app (response_type=token)
"https://id.twitch.tv/oauth2/authorize?response_type=token&client_id=" + TwitchClientID + "&redirect_uri=http://localhost:3000&scope=" + urlEncodedScope + "&state=" + UUID()

, the user gets taken to the Authorize form (seems the Twitch system caches authorization? because after the first Authorization click, subsequent requests simply return a response), which is where my problem begins:

I receive a response looking like this:
http://localhost:3000/#access_token=q32rc9bvde6h5zw7f1m0cwcic00r1m&scope=channel%3Amanage%3Apolls+channel%3Aread%3Apolls+channel%3Amanage%3Aschedule&state=02745790-f1c2-48b7-98e1-fe58e11c74a4&token_type=bearer
Please note the “#” used as a parameter start character.
OTOH,
Authorize result with response_type=code returns a standard ? as the delimiter:
http://localhost:3000/?code=kvzeki95frsw99exilhv8tb1uheaxp&scope=channel%3Amanage%3Apolls+channel%3Aread%3Apolls&state=1799a20a-b65d-444a-bc2a-40e26bb8cddb

Any ideas, people?
Thanks heaps

You asked for and obtained an implicit auth token.

There is nothing wrong here. This is correct according to the OAuth specification.

Under implicit auth (Getting OAuth Access Tokens | Twitch Developers) you will obtain an access_token in the #string/URIFragment of the redirect URL, for client side capture and usage.
Under code auth (Getting OAuth Access Tokens | Twitch Developers) you will obtain a code in the query string of the redirect URL for server side exchange for an access and refresh token set.
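
An added example, not part of the thread or of Twitch's documentation: client-side handling of both redirect shapes described above, reading the fragment for the implicit grant and the query string for the code grant, and rejecting a response whose state does not match. The function name `parseAuthRedirect`, the sample URLs and every token, code and state value are constructed for illustration.

```javascript
// Constructed sample redirects (placeholder token, code and state values).
const SAMPLE_IMPLICIT =
  "http://localhost:3000/#access_token=EXAMPLE_TOKEN" +
  "&scope=channel%3Amanage%3Apolls+channel%3Aread%3Apolls" +
  "&state=state-123&token_type=bearer";
const SAMPLE_CODE =
  "http://localhost:3000/?code=EXAMPLE_CODE" +
  "&scope=channel%3Amanage%3Apolls+channel%3Aread%3Apolls&state=state-123";

// Hypothetical helper: classify the redirect and validate `state`.
function parseAuthRedirect(redirectUrl, expectedState) {
  const url = new URL(redirectUrl);
  // Implicit grant: parameters are in the fragment, which the browser never
  // sends to the server, so only client-side code can read them.
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  // Authorization code grant: parameters are in the query string, which the
  // server at redirect_uri receives and exchanges for tokens.
  const query = new URLSearchParams(url.search);

  let flow, params;
  if (fragment.has("access_token")) {
    flow = "implicit";
    params = fragment;
  } else if (query.has("code")) {
    flow = "code";
    params = query;
  } else {
    return { ok: false, reason: "no access_token or code in redirect" };
  }

  // The state must equal the value sent on the authorize request.
  if (!expectedState || params.get("state") !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }

  return {
    ok: true,
    flow,
    credential: params.get(flow === "implicit" ? "access_token" : "code"),
    // URLSearchParams decodes %3A to ":" and "+" to a space.
    scopes: (params.get("scope") || "").split(" ").filter(Boolean),
  };
}
```

In a browser, pass `window.location.href` as the first argument and the state value the app stored before redirecting as the second.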
