Openid connect issues (using Fusionauth) -- scopes are not provided


#1

I am setting up Twitch as a Fusionauth “OpenID Connect” Identity Provider.

However, although I am specifying scopes like “user:read:email user_read user:edit openid” I am not receiving any kind of email attribute / info in the resulting ID token:

{
  "aud" : "by8k3k9si129eydh9vspetbpgx0quc",
  "exp" : 1569407637,
  "iat" : 1569406737,
  "iss" : "https://id.twitch.tv/oauth2",
  "nbf" : null,
  "sub" : "416027319",
  "jti" : null,
  "azp" : "by8k3k9si129eydh9vspetbpgx0quc",
  "preferred_username" : "thauin"
}

It seems that Twitch requires claims to be sent as well (which is not supported by Fusionauth, it seems) and does not honor the given scopes, which it should: https://dev.twitch.tv/docs/authentication/#scopes

Has anybody got some experience with this?


#2

For OpenID you need to only specify the openid scope and include the claims to be sent.

The other scopes don’t apply to the OpenID response. These apply to the relevant endpoints.

They have no effect on the OpenID response. OpenID requires claims to be passed.


#3

Thanks for your answer. Do you work for Twitch? If yes, then please update the documentation, which is very misleading especially https://dev.twitch.tv/docs/authentication/getting-tokens-oidc/#oidc-authorization-code-flow where it links to the scopes available – and doesn’t mention at all that all these scopes are not honored.

Furthermore, you can resolve the scope=<space-separated list of scopes> part with scope=openid since any other scope isn’t supported.


#4

No

OpenID requires Claims as per the OpenID spec.

I do not see a fault in the documentation. user:read:email (or the other user related scopes) does not grant access to the user’s email when calling OpenID and its user info endpoint; that requires a claim.

If you request the right claims then the userinfo endpoint will include that data.

If you include other scopes then you also get back a regular OAuth token that you can use against the non-OpenID related endpoints.

The docs state that the scope MUST include openid:

scope string Space-separated list of scopes. This must include the openid scope.

If you include other scopes that doesn’t change the data OpenID returns, it just gives you a standard OAuth token that can be used on the “regular” Twitch API.
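The point made in this thread, that the ID token only carries what the `claims` request parameter names while `scope=openid` is the only scope that matters for the OIDC response, is easiest to see with a small client-side example. The Python below is an added example, not code from the original posts, from Twitch or from FusionAuth. It builds the authorization-code-flow URL with `scope=openid` and a `claims` parameter in the OIDC Core 5.5 format (`{"id_token": {...}, "userinfo": {...}}`), then inspects an ID token payload the way the first post did, and runs the issuer/audience/expiry/nonce checks a relying party must do before trusting it. The two sample tokens are constructed (dummy signature, not issued by Twitch); the first reuses the payload shown in post #1, the second adds the `email` and `nonce` claims you get once claims are requested. The authorize endpoint path and the claim names are taken from Twitch's OIDC documentation linked in the thread.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Issuer value copied from the ID token in post #1; authorize path per Twitch's OIDC docs.
TWITCH_ISSUER = "https://id.twitch.tv/oauth2"
TWITCH_AUTHORIZE_URL = "https://id.twitch.tv/oauth2/authorize"
CLIENT_ID = "by8k3k9si129eydh9vspetbpgx0quc"  # the "aud" from the token in post #1


def build_authorize_url(client_id, redirect_uri, state, nonce,
                        id_token_claims=("email", "email_verified", "preferred_username"),
                        userinfo_claims=("picture",)):
    """Authorization-code-flow URL. Only `openid` goes in `scope`; everything the
    relying party wants in the ID token or userinfo response is named in `claims`
    (OIDC Core 5.5: a claim mapped to null means "just return it")."""
    claims = {
        "id_token": {name: None for name in id_token_claims},
        "userinfo": {name: None for name in userinfo_claims},
    }
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "claims": json.dumps(claims, separators=(",", ":")),
        "state": state,   # CSRF binding for the callback
        "nonce": nonce,   # echoed in the ID token, binds token to this request
    }
    return TWITCH_AUTHORIZE_URL + "?" + urlencode(params)


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(payload):
    """CONSTRUCTED sample for offline use: JWT-shaped, but the signature is a dummy."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-sample"}
    return f"{_b64url(header)}.{_b64url(payload)}.dummysignature"


def decode_id_token_payload(id_token):
    """Return the payload WITHOUT verifying the signature. Good for seeing which
    claims the provider sent back; trusting the values requires verifying the
    signature against the provider's JWKS first."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token_claims(payload, client_id, nonce, required=("email",), now=None):
    """Relying-party checks from OIDC Core 3.1.3.7 on an already-decoded payload.
    Returns a list of problems; an empty list means the payload passed."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != TWITCH_ISSUER:
        problems.append("wrong issuer")
    aud = payload.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append("wrong audience")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("expired")
    if payload.get("nonce") != nonce:
        problems.append("nonce mismatch")
    for name in required:
        if name not in payload:
            problems.append(f"missing claim {name}")
    return problems


# Payload as shown in post #1 (scopes requested, no claims): no email, no nonce.
PAYLOAD_NO_CLAIMS = {
    "aud": CLIENT_ID, "exp": 1569407637, "iat": 1569406737, "iss": TWITCH_ISSUER,
    "nbf": None, "sub": "416027319", "jti": None, "azp": CLIENT_ID,
    "preferred_username": "thauin",
}
# Constructed payload for a request that carried claims={"id_token":{"email":null,...}} and a nonce.
PAYLOAD_WITH_CLAIMS = dict(PAYLOAD_NO_CLAIMS, email="user@example.invalid",
                           email_verified=True, nonce="n1")
TOKEN_NO_CLAIMS = make_sample_token(PAYLOAD_NO_CLAIMS)
TOKEN_WITH_CLAIMS = make_sample_token(PAYLOAD_WITH_CLAIMS)

if __name__ == "__main__":
    print(build_authorize_url(CLIENT_ID, "https://example.invalid/cb", "s1", "n1"))
    for tok in (TOKEN_NO_CLAIMS, TOKEN_WITH_CLAIMS):
        p = decode_id_token_payload(tok)
        print(sorted(p), check_id_token_claims(p, CLIENT_ID, "n1", now=1569406800))
```

Running it prints the authorize URL (note `scope=openid` and the percent-encoded `claims` JSON, with no `user:read:email` anywhere) and then, for the post #1 payload, the problems `nonce mismatch` and `missing claim email`, while the payload from a request that carried claims passes cleanly. `decode_id_token_payload` deliberately does not verify the signature; keep that step separate and mandatory in real code.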


#5

I understand, thanks for your help! Coming from a Fusionauth “way of doing things” I made some false assumptions but things are clearing up :)

Let’s see how they react to my issue raised there: https://github.com/FusionAuth/fusionauth-issues/issues/308