OIDC requests do not appear to be working as expected

I’m using the OIDC Authorization code flow, but I’m not getting the JWT back.

I’m sending the user to:
https://api.twitch.tv/kraken/oauth2/authorize?response_type=code&client_id=<my client id>&redirect_uri=<my redirect url>&scope=openid&state=<16-character unique key>&nonce=<different 16-character unique key>

I’m then getting back the code, which I’m submitting to Kraken. But then I only get:
{ "access_token":"<numbers>", "refresh_token":"<more numbers>", "scope":["openid"] }

I’m not getting the expires_in or (more importantly) the id_token values, so I can’t then verify that token against Twitch’s JWT.

Can anyone see what I’m doing wrong here?

You exchange the access_token like a normal OAuth via:

NodeJS/Express

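    const request = require('request');

    // `code` is the authorization code from the redirect; `config` holds the app's settings.
    request.post({
        // Exchange the code at /api/oauth2/token (not /kraken/) to get the OIDC response
        url: 'https://api.twitch.tv/api/oauth2/token'
            + '?client_id=' + encodeURIComponent(config.twitch.client_id)
            + '&client_secret=' + encodeURIComponent(config.twitch.client_secret)
            + '&code=' + encodeURIComponent(code)
            + '&grant_type=authorization_code'
            + '&redirect_uri=' + encodeURIComponent(config.twitch.redirect),
        headers: {
            'Accept': 'application/json'
        },
        json: true,
        gzip: true
    }, function(e, r, b) {
        if (e) {
            console.error(e);
            return;
        }
        // b is the parsed JSON body; b.id_token is the JWT to verify
    });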

You don’t send it to https://api.twitch.tv/api/kraken/token but https://api.twitch.tv/api/oauth2/token

2 Likes

Worked it out. Need to exchange the code with /api/ not /kraken/ to get OIDC.

Yep - we’re working on moving away from the Kraken namespace and this is one of the changes for that. Thanks!
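Once the exchange returns an id_token, the verification step the original question was aiming for can be sketched as follows. This is an added example, not code from the thread or from Twitch: it assumes the token is signed with RS256, and the key pair, issuer URL, client id and nonce are constructed locally as stand-ins for the provider's published signing key and your own session values.

```javascript
// Added example: validate an OIDC id_token (RS256 assumed) with Node's built-in crypto.
const crypto = require('crypto');
const b64url = (data) => Buffer.from(data).toString('base64url');

// Returns the claims if the token passes every check, otherwise throws.
function verifyIdToken(idToken, publicKey, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Pin the algorithm on the verifier side; never let the token header choose it.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (claims.iss !== expected.issuer) throw new Error('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.clientId)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  // The nonce must equal the value sent on the authorize request for this session.
  if (!expected.nonce || claims.nonce !== expected.nonce) throw new Error('nonce mismatch');
  return claims;
}

// Constructed fixture: a local key pair stands in for the provider's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signToken(claims, header = { alg: 'RS256', typ: 'JWT' }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${b64url(sig)}`;
}

// Constructed values (placeholders, not Twitch's real issuer or a real client id).
const expected = { issuer: 'https://issuer.example', clientId: 'my-client-id', nonce: 'n-0123456789abcdef' };
const NOW = 1700000000;
const goodClaims = { iss: expected.issuer, aud: expected.clientId, sub: '12345', exp: NOW + 600, nonce: expected.nonce };

function check(token) {
  try { verifyIdToken(token, publicKey, expected, NOW); return 'ok'; }
  catch (err) { return err.message; }
}

console.log(check(signToken(goodClaims)));
console.log(check(signToken({ ...goodClaims, nonce: 'replayed' })));
```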
