OAuth sanity check


#1

I need a sanity check.

I have been working on my site, which uses Twitch for logins. Part of the site is also supposed to be able to chat as a logged-in user. I can log into the site using the login URL that I have:

https://id.twitch.tv/oauth2/authorize?response_type=code&client_id=<CLIENTID>&redirect_uri=<REDIRECTURL>&scope=openid+bits:read+clips:edit+user:edit:broadcast+user:read:broadcast+user:read:email+channel_check_subscription+channel_commercial+channel_editor+channel_read+channel_subscriptions+collections_edit+chat:edit+user_read+user_subscriptions+viewing_activity_read

(I am aware that I am asking for a lot of scopes. Working on that.)

Considering that, as I have chat:edit, I SHOULD be able to chat as that user, yes? Do I have to use the implicit auth flow somewhere as well? Any time that I try to chat using oauth:<access_token> that I get from Twitch, the code I want to use to chat doesn’t work, but using a code from https://twitchapps.com/tmi/ (which uses the implicit flow) works.


#2

As per the scopes documented here

chat:edit is correct, for sending.

But that is way, way, way too many scopes… What are you building, a competitor to the Twitch Dashboard? 😛

In addition, you might want to look at just embedded chat instead of going OAuth. As documented:

You probably don’t need the chat oAuth scopes at all.


#3

Thanks for the sanity check.

As for what I am doing, I am attempting to build a “program your own bot” site.

Respond to many different inputs and use many different outputs, from chatting in the channel to changing the title.

Example: Mod drops a strawpoll in the chat. The bot picks it up, reposts it every so often, and after a period of time, announces the winner. The title and/or game is then changed to reflect the results.

I originally looked at the list and added what I wanted to eventually add (bit off more than I could chew), but for now I am going to trim it down and just try to get what I can working, then add as I build up.


#4

Keep in mind it looks like you are using the old way of authenticating. V5 API is now deprecated.


#5

Looking at the API, it doesn’t appear as if the new API has anything like the openid from the V5. What do I use instead? Do I just go with something like chat:edit and assume that, because I have edit permissions, it is a logged-in user? It makes logical sense, but it feels less secure than specifying openid.


#6

So, after some digging, I literally just took what twitchapps.com did for scopes (minus the deprecated one) and added them to mine after removing currently unimplemented scopes. Current scopes: “scope=openid+user:read:email+chat:read+chat:edit+channel:moderate”. I am now able to use the key that I get from Twitch to chat in chat.


#7

No, he’s just used some scopes for v3/v5, which isn’t going away anytime soon as the Kraken removal date is no more.

OpenID is an authentication method; it belongs to neither v3, v5 nor Helix.

That’s why I linked to the scopes list here

So you can pick and choose more succinctly
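
The scope trimming discussed in this thread, as an added example that is not part of any post: it requests only the scopes for the features that are enabled, and checks a token's granted scopes before it is used as a chat password. The feature grouping, function names and sample values are assumptions; the scope names are the ones from post #6.

```python
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://id.twitch.tv/oauth2/authorize"  # endpoint from post #1

# Assumed feature-to-scope grouping; scope names are those listed in post #6.
FEATURE_SCOPES = {
    "login": ["openid", "user:read:email"],
    "chat": ["chat:read", "chat:edit"],
    "moderate": ["channel:moderate"],
}


def scopes_for(features):
    """Return the de-duplicated scopes needed for the enabled features."""
    scopes = []
    for feature in features:
        for scope in FEATURE_SCOPES[feature]:
            if scope not in scopes:
                scopes.append(scope)
    return scopes


def build_authorize_url(client_id, redirect_uri, features):
    """Build the authorization-code URL and a random state value.

    The caller stores state in the session and compares it on the redirect.
    """
    state = secrets.token_urlsafe(16)
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes_for(features)),  # urlencode turns spaces into '+'
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def missing_scopes(granted, features):
    """List the scopes the features need that the token was not granted."""
    granted = set(granted)
    return [s for s in scopes_for(features) if s not in granted]


def irc_pass_line(access_token, granted):
    """Return the chat PASS line, refusing tokens that lack the chat scopes."""
    missing = missing_scopes(granted, ["chat"])
    if missing:
        raise PermissionError("token lacks chat scopes: " + ", ".join(missing))
    return f"PASS oauth:{access_token}"
```

Here `granted` stands for the scope list returned alongside the access token, so a token issued without chat:edit is rejected locally instead of failing at chat login.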

